
Ukraine Disrupts Cybercrime Ring Behind 28,000 Stolen Accounts

Severity: High (Score: 66.5)

Sources: Gp.Ua, Therecord.Media, Thecyberexpress

Published: 2026-05-21 · Updated: 2026-05-21

Keywords: ukraine, online, police, cybercrime, scheme, accounts, cyber

Summary

Ukrainian authorities have dismantled a cybercrime operation linked to the theft of nearly 30,000 accounts from a California-based online retailer. The investigation, prompted by U.S. law enforcement, revealed that an 18-year-old from Odessa was a key suspect. The attackers utilized infostealer malware to harvest login credentials and session data, leading to fraudulent purchases exceeding $721,000. The operation, which spanned 2024 and 2025, resulted in over $250,000 in damages to U.S. platforms. Law enforcement seized computer equipment and mobile devices during searches in Odessa. The investigation continues as authorities analyze the seized materials and identify other potential suspects.

Key Points:

  • Ukrainian police identified an 18-year-old suspect linked to a major account theft scheme.
  • The cybercriminal group used infostealer malware to compromise over 28,000 accounts.
  • Fraudulent purchases made with stolen credentials resulted in losses exceeding $721,000.

Detailed Analysis

**Impact**

Approximately 28,000 customer accounts of a California-based online retailer were compromised, with at least 5,800 accounts used for fraudulent purchases totaling around $721,000. Financial losses, including chargebacks, exceeded $250,000 (11 million Ukrainian hryvnias). The affected sector is e-commerce, primarily impacting U.S.-based consumers and businesses. The breach involved unauthorized access to sensitive customer data, including login credentials and payment information.

**Technical Details**

Attackers used infostealer malware to harvest login credentials, session cookies, and browser-stored authentication data from victims’ devices. Stolen session data enabled bypassing of authentication mechanisms. The cybercriminal infrastructure included servers for processing stolen data and platforms for selling credentials via underground marketplaces and Telegram bots. Cryptocurrency services facilitated financial transactions within the group. No specific CVEs or detailed IOCs were provided.

**Recommended Response**

Organizations should monitor for signs of infostealer malware infections and unauthorized use of session tokens. Implement multi-factor authentication and session token invalidation to mitigate session hijacking risks. Enhance detection of suspicious account activity and monitor underground forums and Telegram channels for compromised credentials. Law enforcement and defenders should analyze seized infrastructure for additional IOCs to update detection capabilities.
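The detection the Recommended Response calls for, "unauthorized use of session tokens", comes down to spotting a session cookie that keeps being used after the client context behind it changes without a fresh login, which is what a replayed infostealer-harvested cookie looks like server-side. The following Python is an added illustration written for this page, not code from the sources or from any retailer named here; the log format, field names, session ids and IP addresses are all constructed assumptions.

```python
"""
Flag web-app sessions whose client context (source IP, user agent) changes
after login without a new authentication, and list which sessions to revoke.
Added example for this page; the log format and sample data are constructed.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Set

@dataclass
class Event:
    ts: datetime
    sid: str      # session identifier (the cookie value, or a hash of it)
    user: str
    ip: str
    ua: str
    action: str

# Constructed sample access events (assumed format: ISO timestamp, then key=value pairs).
SAMPLE_LOG = """\
2025-03-01T10:00:00Z sid=abc123 user=alice ip=203.0.113.10 ua=Chrome/120 action=login
2025-03-01T10:05:00Z sid=abc123 user=alice ip=203.0.113.10 ua=Chrome/120 action=view_cart
2025-03-01T10:07:00Z sid=abc123 user=alice ip=198.51.100.77 ua=Firefox/115 action=add_payment_method
2025-03-01T10:08:00Z sid=abc123 user=alice ip=198.51.100.77 ua=Firefox/115 action=checkout
2025-03-01T11:00:00Z sid=def456 user=bob ip=192.0.2.5 ua=Safari/17 action=login
2025-03-01T11:30:00Z sid=def456 user=bob ip=192.0.2.5 ua=Safari/17 action=checkout
"""

# Actions where a hijacked session turns into money or account takeover.
HIGH_RISK_ACTIONS = {"add_payment_method", "checkout", "change_email", "change_password"}

def parse_line(line: str) -> Event:
    ts_text, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return Event(
        ts=datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ"),
        sid=fields["sid"], user=fields["user"], ip=fields["ip"],
        ua=fields["ua"], action=fields["action"],
    )

def parse_log(text: str) -> List[Event]:
    return [parse_line(l) for l in text.splitlines() if l.strip()]

def detect_session_hijacks(events: List[Event]) -> List[Dict[str, str]]:
    """Return one alert per event whose IP or user agent differs from the
    context recorded for that session at login, or whose session was never
    seen logging in at all (a cookie presented cold is the replay pattern)."""
    baseline: Dict[str, tuple] = {}   # sid -> (ip, ua) captured at login
    alerts: List[Dict[str, str]] = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.action == "login":
            baseline[ev.sid] = (ev.ip, ev.ua)   # a fresh login re-baselines the session
            continue
        risk = "HIGH" if ev.action in HIGH_RISK_ACTIONS else "LOW"
        if ev.sid not in baseline:
            alerts.append({"sid": ev.sid, "user": ev.user, "ts": ev.ts.isoformat(),
                           "action": ev.action, "risk": risk,
                           "reason": "session used with no login observed"})
            continue
        ip0, ua0 = baseline[ev.sid]
        changes = []
        if ev.ip != ip0:
            changes.append(f"ip {ip0}->{ev.ip}")
        if ev.ua != ua0:
            changes.append(f"ua {ua0}->{ev.ua}")
        if changes:
            alerts.append({"sid": ev.sid, "user": ev.user, "ts": ev.ts.isoformat(),
                           "action": ev.action, "risk": risk,
                           "reason": "; ".join(changes)})
    return alerts

def sessions_to_invalidate(alerts: List[Dict[str, str]]) -> Set[str]:
    """Sessions that reached a high-risk action under a changed context
    should be revoked server-side and the user re-authenticated with MFA."""
    return {a["sid"] for a in alerts if a["risk"] == "HIGH"}

if __name__ == "__main__":
    found = detect_session_hijacks(parse_log(SAMPLE_LOG))
    for a in found:
        print(f"[{a['risk']}] {a['ts']} user={a['user']} sid={a['sid']} {a['action']}: {a['reason']}")
    print("revoke:", sorted(sessions_to_invalidate(found)))
```

On the constructed sample, alice's session `abc123` is flagged twice (the payment-method change and the checkout both arrive from a new IP and a new browser with no intervening login), and bob's session is clean. In production, an IP change alone is a weak signal (mobile carriers and corporate egress rotate addresses), so the combination of IP and user-agent change, weighted by the action being attempted, is what should drive revocation; the server-side invalidation on password change or MFA enrolment that the Recommended Response mentions is the complementary control, since a stolen cookie is only useful while the server still honours it.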

Source articles (3)

  • Ukraine Busts Massive Cybercrime Scheme Behind 28,000 Stolen Accounts — Thecyberexpress · 2026-05-21
    The National Police of Ukraine has disclosed an international cybercrime operation tied to the theft of nearly 30,000 customer accounts belonging to a California-based online retailer, authorities sai…
  • Ukraine probes teen suspect in cyber theft scheme targeting California online shoppers — Therecord.Media · 2026-05-20
    The investigation began after U.S. authorities informed their Ukrainian counterparts that hackers operating from Ukraine could be involved in attacks targeting users of American e-commerce platforms,…
  • Hackers who caused more than $250,000 in damage to US online platforms were exposed in Odesa — Gp.Ua · 2026-05-20
    Prosecutors of the Office of the Attorney General, together with the Main Investigative Department of the National Police and the Cyber Police of Odesa, uncovered participants of an international hack…

Timeline

  • 2024-01-01 — Cybercrime operation began: The account theft scheme reportedly started in early 2024, targeting U.S. online shoppers.
  • 2025-12-31 — Cybercrime operation ended: The operation concluded in late 2025, with significant financial impacts reported.
  • 2026-05-12 — Searches conducted in Odessa: Law enforcement executed searches at the residences of suspected hackers, seizing equipment.
  • 2026-05-20 — U.S. authorities alerted Ukraine: U.S. law enforcement informed Ukraine about the ongoing cyberattacks targeting American platforms.
  • 2026-05-21 — Operation disclosed to the public: Ukrainian authorities publicly announced the disruption of the cybercrime scheme affecting U.S. retailers.

Related entities

  • Data Breach (Attack Type)
  • Malware (Attack Type)
  • Ukraine (Country)
  • United States (Country)
  • CWE-200 - Exposure of Sensitive Information (Cwe)
  • T1003 - OS Credential Dumping (Mitre Attack)
  • T1041 - Exfiltration Over C2 Channel (Mitre Attack)