Ukrainian Cyberpolice Uncover Infostealer Operation Targeting 28,000 Accounts
Ukrainian cyberpolice, in collaboration with U.S. law enforcement, have identified an 18-year-old suspect from Odesa allegedly behind a large-scale infostealer malware operation. The attacks compromised 28,000 accounts, resulting in significant financial losses and unauthorized purchases.

The Ukrainian cyberpolice, working with U.S. law enforcement, has identified an 18-year-old from Odesa suspected of running an infostealer operation targeting users of a California-based online store.
According to reports, the threat actor utilized information-stealing malware between 2024 and 2025 to infect user devices and exfiltrate browser sessions and account credentials.
### Infostealer Malware: A Growing Threat
**Infostealers** are a prevalent form of malware designed to harvest sensitive data, including passwords, browser cookies, session tokens, crypto wallets, and payment information. This stolen data is then used for account theft, fraud, and resale on underground markets.
The attacks attributed to the suspect impacted approximately 28,000 customer accounts, with cybercriminals using 5,800 of these accounts to conduct unauthorized purchases totaling around $721,000. The malicious activities caused $250,000 in direct losses, including chargebacks.
"To carry out the criminal scheme, the attackers used 'infostealer' malware that secretly infected users' devices, collected login credentials, and transmitted them to servers controlled by the attackers," the police stated.
"The information was then processed and sold through specialized online resources and **Telegram** bots."
Authorities also noted the suspect's involvement in cryptocurrency transactions with accomplices.

### Session Tokens and MFA Bypass
The "session data" mentioned by the police refers to session tokens. These tokens allow attackers to log into victim accounts without needing traditional credentials, potentially bypassing multi-factor authentication (MFA) in some cases.
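Because a stolen token is presented after the password and MFA step has already been completed, one defensive check is to compare each request's client context with the context that originally authenticated the session. The following is an added example, not code from the police report or the affected store; the event fields, the /24 and /48 tolerance, and the sample log are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict
from typing import NamedTuple

class Event(NamedTuple):
    ts: int           # Unix time
    session_id: str
    kind: str         # "login" = password + MFA completed, "request" = token presented
    ip: str
    user_agent: str

def network(ip: str) -> str:
    """Coarse network key: /24 for IPv4, /48 for IPv6 (assumed tolerance for address churn)."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))

def find_token_reuse(events):
    """Map session_id -> sorted reasons the token looks replayed from another client."""
    bound = {}                      # session_id -> (network, user_agent) seen at login
    findings = defaultdict(set)
    for ev in sorted(events, key=lambda e: e.ts):
        ctx = (network(ev.ip), ev.user_agent)
        if ev.kind == "login":
            bound[ev.session_id] = ctx
        elif ev.session_id not in bound:
            # Token used with no authentication event in the log window.
            findings[ev.session_id].add("no_login_seen")
        else:
            net, ua = bound[ev.session_id]
            if ctx[0] != net:
                findings[ev.session_id].add("network_changed")
            if ctx[1] != ua:
                findings[ev.session_id].add("user_agent_changed")
    return {sid: sorted(reasons) for sid, reasons in findings.items()}

# Constructed sample log (documentation IP ranges, made-up session IDs).
SAMPLE = [
    Event(1000, "sess-A", "login",   "192.0.2.10",   "Firefox/128 Windows"),
    Event(1060, "sess-A", "request", "192.0.2.77",   "Firefox/128 Windows"),  # same /24
    Event(1900, "sess-A", "request", "203.0.113.5",  "Chrome/126 Linux"),     # new client
    Event(1100, "sess-B", "login",   "198.51.100.4", "Safari/17 macOS"),
    Event(1200, "sess-B", "request", "198.51.100.9", "Safari/17 macOS"),
    Event(1300, "sess-C", "request", "203.0.113.5",  "Chrome/126 Linux"),     # no login
]

if __name__ == "__main__":
    for sid, reasons in find_token_reuse(SAMPLE).items():
        print(sid, reasons)
```

A network change alone is common for mobile users, so the reasons are returned separately for the caller to weigh; a typical response to a finding is to revoke the session and require re-authentication.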
The 18-year-old suspect allegedly managed the online infrastructure used for processing, selling, and utilizing the stolen session data, indicating a key role in the operation.
### Evidence Seized
During searches at the suspect's residences, police seized mobile phones, computer equipment, bank cards, electronic storage media, and other digital evidence linking him to the illegal operation.
This evidence includes access to resources used for selling stolen data and managing compromised accounts, along with server activity logs and accounts on cryptocurrency exchanges.

At this stage, authorities have identified the suspect, conducted searches, and seized devices and other evidence allegedly linking him to the operation. As of the announcement, no arrest has been made, suggesting the investigation is ongoing.