The National Police of Ukraine has disclosed an international cybercrime operation tied to the theft of nearly 30,000 customer accounts belonging to a California-based online retailer, authorities said this week. According to Ukraine’s Cyber Police Department, investigators identified an 18-year-old resident of Odessa who allegedly played a key role in a large-scale account theft scheme involving stolen session data, malicious software, and unauthorized online purchases that caused millions of hryvnias in losses.
The investigation was conducted by cyber police officers in the Odessa region and the Main Investigation Department of the National Police under the procedural guidance of the Prosecutor General’s Office. Ukrainian authorities said the operation was carried out in cooperation with US law enforcement agencies through international legal assistance mechanisms.
Account Theft Scheme Targeted Thousands of Online Store Users
Investigators said the account theft scheme operated throughout 2024 and 2025 and targeted customers of an online store based in California.
According to law enforcement officials, attackers gained unauthorized access to more than 28,000 customer accounts. At least 5,800 compromised accounts were later used to make fraudulent purchases worth approximately $721,000.
Authorities estimated the resulting financial damage, including chargebacks and related losses, exceeded $250,000, or roughly 11 million Ukrainian hryvnias.
Officials believe the cybercriminal group relied heavily on infostealer malware to compromise victims’ devices and collect sensitive login credentials.

Infostealer Malware Used to Steal Session Data
Investigators said attackers deployed malicious software commonly known as “infostealers” to secretly infect users’ devices.
The malware was designed to harvest:
- Login credentials
- Session cookies
- Authentication data
- Browser-stored information
Once collected, the stolen information was transmitted to infrastructure controlled by the attackers.
Law enforcement officials said the data was later processed, organized, and sold through specialized underground online platforms and Telegram bots frequently used by cybercriminal communities.
Cybersecurity experts have repeatedly warned about the growing use of infostealer malware in credential theft campaigns: a stolen session token represents a session that has already been authenticated, so it can sometimes allow attackers to bypass passwords and authentication mechanisms.
The investigation suggests the stolen session data became a central component of the broader account theft scheme uncovered by Ukrainian authorities.
Odessa Resident Accused of Managing Criminal Infrastructure
During the investigation, police identified an 18-year-old suspect from Odessa who allegedly managed parts of the online infrastructure used in the cybercrime operation.
According to authorities, the suspect administered systems connected to:
- Processing stolen session data
- Selling compromised credentials
- Managing access to stolen accounts
- Supporting transactions involving cryptocurrency
Investigators also alleged that cryptocurrency services were used to conduct financial settlements between members of the cybercriminal network.
Ukrainian law enforcement officers conducted two searches at the suspect’s residence, where they seized multiple digital devices and other evidence connected to the case.
Police Seize Digital Evidence in Cybercrime Investigation
During the searches, authorities confiscated:
- Mobile phones
- Computer equipment
- Bank cards
- Electronic storage devices
- Cryptocurrency exchange account information
Investigators said they also discovered access credentials linked to platforms used for selling stolen data, email accounts associated with compromised customer profiles, and server activity logs connected to the cybercrime operation.
Officials stated the seized evidence further confirmed the suspect’s alleged involvement in the account theft scheme and broader illegal cyber activities.
The investigation remains ongoing as authorities continue working to identify additional individuals connected to the operation.
Growing Threat of Infostealer Attacks
The latest case highlights the increasing global threat posed by infostealer malware and account takeover operations targeting online platforms and e-commerce services.
Cybercriminal groups are increasingly using credential-stealing malware to harvest browser data and session information from infected devices. Stolen credentials are then sold through underground marketplaces or used directly for financial fraud, identity theft, and unauthorized purchases.
Security researchers have also warned that Telegram-based cybercrime services are making stolen credentials and malware distribution more accessible to lower-skilled attackers.
The operation uncovered by Ukrainian authorities reflects how international cybercrime networks continue exploiting compromised accounts, cryptocurrency infrastructure, and underground data markets to carry out financially motivated attacks across borders.

