Infostealer operation attributed to 18-year-old threat actor linked to 28,000 compromised accounts
Summary
An 18-year-old individual from Odesa, Ukraine, has been identified by national cyberpolice and U.S. law enforcement as the operator of an infostealer malware campaign conducted between 2024 and 2025. The threat actor targeted users of a California-based online store, infecting devices to harvest browser sessions, credentials, and payment data. Stolen session tokens allowed bypass of multi-factor authentication in some cases, enabling account takeover. The operation resulted in the compromise of 28,000 customer accounts, with 5,800 exploited for unauthorized purchases totaling approximately $721,000. Direct financial losses, including chargebacks, amounted to $250,000.
Timeline
- 21.05.2026 00:36 (1 article)
Infostealer campaign linked to 18-year-old operator results in 28,000 account compromises and $721,000 in fraud
Between 2024 and 2025, an infostealer malware operation attributed to an 18-year-old individual from Odesa targeted users of a California-based online store. The actor harvested browser sessions, credentials, and payment data, enabling takeover of 28,000 accounts and unauthorized purchases totaling $721,000. Stolen session tokens were processed and monetized via online markets and Telegram bots, with cryptocurrency transactions tracked between the suspect and accomplices. Authorities executed searches, seizing digital evidence, but no arrest has been reported at this stage.
Sources:
- Ukraine identifies infostealer operator tied to 28,000 stolen accounts — www.bleepingcomputer.com — 21.05.2026 00:36
Information Snippets
- A single 18-year-old suspect from Odesa, Ukraine, is alleged to have administered the infostealer infrastructure used to collect, process, sell, and monetize stolen credentials and session tokens.
First reported: 21.05.2026 00:36 (1 source, 1 article)
- The actor operated between 2024 and 2025, targeting users of a California-based online store via information-stealing malware.
First reported: 21.05.2026 00:36 (1 source, 1 article)
- Infostealer malware harvested browser sessions, login credentials, cryptocurrency wallet data, payment card details, and other sensitive information from infected devices.
First reported: 21.05.2026 00:36 (1 source, 1 article)
- Stolen session tokens enabled bypass of multi-factor authentication in some cases, facilitating unauthorized account access.
First reported: 21.05.2026 00:36 (1 source, 1 article)
- Compromised accounts totaled 28,000, with 5,800 accounts used to make unauthorized purchases totaling approximately $721,000.
First reported: 21.05.2026 00:36 (1 source, 1 article)
- Total direct financial losses, including chargebacks, reached $250,000.
First reported: 21.05.2026 00:36 (1 source, 1 article)
- Evidence seized includes mobile phones, computers, bank cards, storage media, access logs to data-selling resources, and cryptocurrency exchange accounts linked to the suspect.
First reported: 21.05.2026 00:36 (1 source, 1 article)