A 26-year-old Ukrainian national has been charged in the U.S. for his alleged role in the Raccoon Stealer malware-as-a-service (MaaS) operation.
Mark Sokolovsky, who was arrested by Dutch law enforcement after leaving Ukraine on March 4, 2022, in what’s said to be a Porsche Cayenne, is currently being held in the Netherlands and awaits extradition to the U.S.
“Individuals who deployed Raccoon Infostealer to steal data from victims leased access to the malware for approximately $200 per month, paid for by cryptocurrency,” the U.S. Department of Justice (DoJ) said. “These individuals used various ruses, such as email phishing, to install the malware onto the computers of unsuspecting victims.”
Sokolovsky is said to have gone by various online monikers like Photix, raccoonstealer, and black21jack77777 on online cybercrime forums to advertise the service for sale.
Raccoon Stealer, mainly distributed under the guise of cracked software, is known as one of the most prolific information stealers, used by multiple cybercriminal actors for its extensive feature set and the customizability the malware offers.
The malware had been active since April 2019, but the threat actors behind the operation abruptly halted work on the project earlier this March, citing the loss of a core member due to a “special operation.”
While this was interpreted as the death of a developer in the Russo-Ukrainian war, court documents show that it was indeed Sokolovsky’s arrest and the subsequent dismantling of the malware’s infrastructure by Italian and Dutch authorities that led to the temporary shutdown.
That said, a second version of Raccoon Stealer written in C/C++ has since begun circulating on underground forums as of June 2022, with its authors touting the tool’s ease of use.
“It is so fast and simple that with its help it will not be difficult for a child to learn how to process logs,” the cybercrime gang posted in a message shared on its Telegram channel in May.
According to the U.S. Federal Bureau of Investigation (FBI), the malware is estimated to have facilitated the theft of 50 million unique credentials and forms of identification (e.g., email addresses, bank accounts, cryptocurrency addresses, and credit card numbers) from millions of victims globally.