“To carry out the criminal scheme, the attackers used 'infostealer' malware that secretly infected users’ devices, collected login credentials, and transmitted them to servers controlled by the attackers,” the Ukrainian cyberpolice says.
The Ukrainian cyberpolice and U.S. law enforcement
The Ukrainian cyberpolice, working in conjunction with U.S. law enforcement, say they have identified an 18-year-old man from Odesa suspected of operating an information‑stealing malware campaign that targeted users of an online store in California. Authorities say the activity took place between 2024 and 2025 and that the suspect administered the online infrastructure used to process, sell, and utilize stolen session data.
The scope: 28,000 accounts, 5,800 used for fraud, $721,000 in purchases
Police attribute the compromise of roughly 28,000 customer accounts to the infostealer operation. Of those accounts, about 5,800 were used to make unauthorized purchases totaling approximately $721,000. The malicious operation, according to the announcement, produced roughly $250,000 in direct losses, a figure that the police say includes chargebacks.
Infostealer malware and session tokens
The police describe the toolset used as “infostealer” malware, a category that harvests sensitive material from infected devices. The Ukrainian cyberpolice list typical data types taken by such malware—passwords, browser cookies, session tokens, crypto wallet information, and payment details—and say the stolen data was processed and sold through specialized online resources and Telegram bots.
The police also explain the significance of the phrase “session data” in their announcement: the session data refers to session tokens that can be used to log in to the victim’s account without needing credentials and, in some cases, bypass multi-factor authentication (MFA) checks as well. That capability, the statement implies, was central to how stolen accounts were taken over and abused.
Evidence seized at two residences and the role of cryptocurrency
- Police conducted two searches at the suspect’s residences and report seizing mobile phones, computer equipment, bank cards, electronic storage media, and other digital evidence that they say confirm involvement in the operation.
- Authorities list seized evidence including access to resources used to sell stolen data and to manage compromised accounts, server activity logs, and accounts on cryptocurrency exchanges.
- The police further say the suspect engaged in cryptocurrency transactions with accomplices, indicating the operation used crypto rails for some financial activity tied to the stolen data.
What this means for online retailers, affected customers, and law enforcement
- Online retailers: the incident underscores that attackers are monetizing session tokens and compromised account access, producing tangible revenue and chargebacks; retailers and platform operators will need to account for token theft and unauthorized session reuse when investigating fraud tied to customer accounts.
- Affected customers: more than two dozen thousand accounts were implicated, and thousands were used for purchases—customers and cardholders are already seeing the financial impact reflected in chargebacks and unauthorized transactions.
- Law enforcement: Ukrainian cyberpolice have identified a suspect, executed searches, and seized devices and records. The announcement does not mention an arrest, which the police say suggests investigators may still be building the case before pursuing formal charges.
The record assembled by investigators—server logs, exchange accounts, seized devices and payment instruments—provides concrete traces that, according to the Ukrainian cyberpolice, link the 18‑year‑old from Odesa to a centrally administered infostealer operation. Whether those traces will be converted into charges and prosecution remains unstated in the announcement; for now, investigators describe a sizeable criminal scheme stopped at the infrastructure level but whose legal endpoint is still to be determined.




