Cyber: Ukraine identifies infostealer operator tied to 28,000 stolen accounts (2026)

The Ukrainian cyberpolice, working in conjunction with U.S. law enforcement, has identified an 18-year-old man from Odesa suspected of running an infostealer malware operation targeting users of an online store in California. According to the Ukrainian police, the threat actor used information-stealing malware between 2024 and 2025 to infect users’ devices and steal browser sessions and account credentials.

The attacks linked to the young hacker impacted 28,000 customer accounts, of which the cybercriminals used 5,800 to make unauthorized purchases totaling about $721,000. The malicious operation caused $250,000 in direct losses, including chargebacks.

“To carry out the criminal scheme, the attackers used 'infostealer' malware that secretly infected users’ devices, collected login credentials, and transmitted them to servers controlled by the attackers,” the police say. “The information was then processed and sold through specialized online resources and Telegram bots.”

The police say the suspect engaged in cryptocurrency transactions with his accomplices.

The “session data” mentioned in the police announcement refers to session tokens that can be used to log in to the victim’s account without needing credentials and, in some cases, bypass multi-factor authentication (MFA) checks as well.

The 18-year-old suspect administered the online infrastructure used to process, sell, and utilize the stolen session data, the police stated, indicating that he held a central role in the operation.

Source: BleepingComputer