The Ukrainian cyberpolice announced on May 12 that it had identified an 18-year-old from Odesa as the administrator of an infostealer operation that compromised 28,000 customer accounts at a California online retailer between 2024 and 2025. Ukrainian authorities acted on a formal U.S. law enforcement request; American agencies had surfaced the suspect and engaged their counterparts in Kyiv.
The attacker’s infrastructure processed stolen session tokens and sold access through Telegram bots and specialized online platforms. Of the 28,000 accounts hit, cybercriminals used 5,800 to make unauthorized purchases totaling $721,000. The retailer absorbed $250,000 in direct losses, including chargebacks.
Session tokens are the mechanism that makes this work. A stolen session cookie lets an attacker use an account without ever entering a password, and because the cookie was issued after the victim already completed login, it sidesteps multi-factor authentication as well. The suspect’s role was central: he administered the servers that processed, packaged, and resold that session data, coordinating with accomplices through cryptocurrency transactions.
Infostealer operations increasingly run as a layered supply chain: one actor infects devices, another processes the logs, a third resells access. This case fits that model, with the 18-year-old occupying the infrastructure layer. That’s the tier law enforcement most wants to dismantle, because cutting off the processing node disrupts buyers who’d otherwise find another vendor overnight.
Two residential searches turned up phones, computers, bank cards, and storage media. Evidence includes server logs, cryptocurrency exchange account access, and credentials to the resale platforms. There is no arrest in the announcement; investigators appear to be building the formal charge file. It is worth checking your session management and token expiration policies before the next penetration test.
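As an added illustration of the session-management controls this case argues for (example code, not from the article or the retailer involved), the following server-side session store enforces idle and absolute lifetimes and rejects a token presented from a client context different from the one it was issued to, which is the pattern a replayed infostealer cookie produces. All names, timeouts, and sample values are assumptions.

```python
# Added example (not from the article): a minimal server-side session store
# that enforces idle and absolute lifetimes and rejects a token presented from
# a different client context than the one it was issued to. Illustrative only.
import hashlib
import secrets
import time
from dataclasses import dataclass

IDLE_TIMEOUT = 15 * 60        # seconds of inactivity before a session dies
ABSOLUTE_TIMEOUT = 8 * 3600   # hard cap regardless of activity (assumed values)


@dataclass
class Session:
    user: str
    context_hash: str          # hash of the client fingerprint at issuance
    issued_at: float
    last_seen: float


class SessionStore:
    def __init__(self):
        self._sessions = {}

    @staticmethod
    def _context(ip: str, user_agent: str) -> str:
        # Bind the session to the client context seen at login.
        return hashlib.sha256(f"{ip}|{user_agent}".encode()).hexdigest()

    def issue(self, user, ip, user_agent, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)   # unguessable, 256-bit random token
        self._sessions[token] = Session(user, self._context(ip, user_agent), now, now)
        return token

    def validate(self, token, ip, user_agent, now=None):
        """Return (user, reason); user is None when the session is rejected."""
        now = time.time() if now is None else now
        s = self._sessions.get(token)
        if s is None:
            return None, "unknown"
        if now - s.issued_at > ABSOLUTE_TIMEOUT or now - s.last_seen > IDLE_TIMEOUT:
            del self._sessions[token]
            return None, "expired"
        if s.context_hash != self._context(ip, user_agent):
            # Same token from a different client: treat as replay and revoke.
            del self._sessions[token]
            return None, "context_mismatch"
        s.last_seen = now
        return s.user, "ok"
```

Binding to the raw IP is deliberately strict and will log out legitimate users whose address changes (mobile networks, VPNs); in production, treat a mismatch as a signal to re-authenticate and to alert, tuned to your traffic.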
Rebecca Lauren