Ukraine Dismantles Cybercrime Operation Linked to Theft of 28,000 Customer Accounts

The National Police of Ukraine has revealed a significant international cybercrime operation that resulted in the theft of nearly 30,000 customer accounts from a California-based online retailer. Authorities have identified an 18-year-old resident of Odessa as a key player in this extensive account theft scheme, which involved stolen session data, malicious software, and unauthorized online purchases, leading to substantial financial losses.

Investigation and International Cooperation

The investigation was spearheaded by cyber police officers in the Odessa region, in collaboration with the Main Investigation Department of the National Police and under the procedural guidance of the Prosecutor General’s Office. Ukrainian authorities reported that this operation was conducted in partnership with U.S. law enforcement agencies, utilizing international legal assistance mechanisms to address the cross-border nature of the crime.

Image Source: Cyber Police Department, National Police of Ukraine

Account Theft Scheme Targeted Thousands of Online Store Users

The account theft scheme reportedly operated throughout 2024 and 2025, specifically targeting customers of the California-based online retailer. Investigators disclosed that attackers gained unauthorized access to over 28,000 customer accounts. Of these, at least 5,800 compromised accounts were exploited to make fraudulent purchases totaling approximately $721,000. The financial damage, including chargebacks and related losses, is estimated to exceed $250,000, or roughly 11 million Ukrainian hryvnias.

Authorities believe the cybercriminal group heavily relied on infostealer malware to compromise victims’ devices and collect sensitive login credentials.

Infostealer Malware Used to Steal Session Data

Investigators have indicated that attackers deployed malicious software known as “infostealers” to secretly infect users’ devices. This malware was designed to harvest critical information, including:

  • Login credentials
  • Session cookies
  • Authentication data
  • Browser-stored information

Once collected, the stolen information was transmitted to infrastructure controlled by the attackers. Law enforcement officials noted that the data was subsequently processed, organized, and sold through specialized underground online platforms and Telegram bots commonly used by cybercriminal communities.

Cybersecurity experts have consistently warned about the increasing use of infostealer malware in credential theft campaigns. Because a valid session token represents a session that has already been authenticated, stolen tokens can sometimes allow attackers to bypass traditional password and authentication mechanisms, making the threat particularly severe.
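A replayed session cookie never passes through the login form, so a site has to detect it by noticing that a session is being used from a different client than the one that established it. The sketch below is an added example, not part of the original report or of any system involved in the case; the event fields, the /24 tolerance, and the list of sensitive actions are assumptions, and the log lines are constructed.

```python
import ipaddress

SENSITIVE = {"checkout", "change_email", "add_address"}  # assumed action names

# Constructed sample events, not data from the case:
# (timestamp, session_id, account, client_ip, user_agent, action)
EVENTS = [
    ("2025-03-01T09:00:00", "sess-a", "alice", "198.51.100.10", "Firefox/135 Windows", "login"),
    ("2025-03-01T09:05:00", "sess-a", "alice", "198.51.100.44", "Firefox/135 Windows", "view_cart"),
    ("2025-03-01T11:30:00", "sess-a", "alice", "203.0.113.80", "Chrome/133 Linux", "change_email"),
    ("2025-03-01T11:31:00", "sess-a", "alice", "203.0.113.80", "Chrome/133 Linux", "checkout"),
    ("2025-03-01T10:00:00", "sess-b", "bob", "192.0.2.5", "Safari/18 macOS", "login"),
    ("2025-03-01T10:02:00", "sess-b", "bob", "192.0.2.5", "Safari/18 macOS", "checkout"),
]

def same_network(ip_a, ip_b, prefix=24):
    """Treat addresses in the same /24 as one client (tolerates DHCP or NAT churn)."""
    net = ipaddress.ip_network(f"{ip_a}/{prefix}", strict=False)
    return ipaddress.ip_address(ip_b) in net

def find_replayed_sessions(events):
    """Flag requests whose session was established from a different client context."""
    bound = {}      # session_id -> (ip, user_agent) recorded at login
    findings = []
    for ts, sid, account, ip, ua, action in sorted(events):
        if action == "login":
            bound[sid] = (ip, ua)
            continue
        if sid not in bound:
            # No login seen in this log window: nothing to compare against, report separately.
            findings.append((ts, sid, account, action, "no-login-seen"))
            continue
        login_ip, login_ua = bound[sid]
        if ua != login_ua or not same_network(login_ip, ip):
            # Same cookie, different browser or network: likely token replay.
            severity = "high" if action in SENSITIVE else "medium"
            findings.append((ts, sid, account, action, severity))
    return findings

if __name__ == "__main__":
    for finding in find_replayed_sessions(EVENTS):
        print(finding)
```

A finding on a sensitive action is a reasonable trigger for invalidating the session and forcing re-authentication before the purchase or profile change completes.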

Odessa Resident Accused of Managing Criminal Infrastructure

During the investigation, authorities identified an 18-year-old suspect from Odessa who allegedly managed parts of the online infrastructure utilized in the cybercrime operation. The suspect is accused of administering systems responsible for:

  • Processing stolen session data
  • Selling compromised credentials
  • Managing access to stolen accounts
  • Supporting transactions involving cryptocurrency

Investigators also alleged that cryptocurrency services were employed to facilitate financial settlements among members of the cybercriminal network.

Ukrainian law enforcement conducted two searches at the suspect’s residence, seizing multiple digital devices and other evidence linked to the case.

Police Seize Digital Evidence in Cybercrime Investigation

During the searches, authorities confiscated a variety of items, including:

  • Mobile phones
  • Computer equipment
  • Bank cards
  • Electronic storage devices
  • Cryptocurrency exchange account information

Investigators discovered access credentials associated with platforms used for selling stolen data, email accounts tied to compromised customer profiles, and server activity logs connected to the cybercrime operation. This evidence further corroborated the suspect’s alleged involvement in the account theft scheme and broader illegal cyber activities.

The investigation is ongoing, with authorities continuing to identify additional individuals connected to the operation.

Growing Threat of Infostealer Attacks

This case underscores the escalating global threat posed by infostealer malware and account takeover operations targeting online platforms and e-commerce services. Cybercriminal groups are increasingly employing credential-stealing malware to harvest browser data and session information from infected devices. Stolen credentials are often sold through underground marketplaces or used directly for financial fraud, identity theft, and unauthorized purchases.

Security researchers have also highlighted that Telegram-based cybercrime services are making stolen credentials and malware distribution more accessible to lower-skilled attackers. The operation uncovered by Ukrainian authorities illustrates how international cybercrime networks exploit compromised accounts, cryptocurrency infrastructure, and underground data markets to conduct financially motivated attacks across borders.

Source: thecyberexpress.com
