Infostealer Operation Compromises 28,000 Accounts of California Online Store, $250K Losses
What Happened – Ukrainian cyber‑police, together with U.S. authorities, identified an 18‑year‑old from Odesa running an infostealer campaign that infected users of a California‑based e‑commerce site between 2024‑2025. The malware harvested browser sessions, credentials and payment data, leading to the compromise of 28 000 accounts and $250 k in direct financial loss.
Why It Matters for TPRM –
- Credential‑and‑session‑token theft can bypass MFA, exposing downstream services that rely on the compromised accounts.
- Third‑party e‑commerce platforms and payment processors become vectors for large‑scale fraud when their customers are targeted.
- The use of Telegram bots and crypto payments illustrates a rapid, hard‑to‑track monetisation pipeline that can affect any vendor handling consumer data.
Who Is Affected – Retail/e‑commerce merchants, payment gateways, SaaS providers that host customer‑facing storefronts, and any downstream services that accept the stolen session tokens.
Recommended Actions –
- Review contracts with any e‑commerce or payment‑processing vendors for breach‑notification clauses and data‑handling standards.
- Verify that vendors enforce strong session‑management controls, token revocation, and MFA that resists token‑replay attacks.
- Conduct credential‑theft simulations and monitor for anomalous login‑session activity on your own platforms.
Technical Notes – The threat actor deployed a classic infostealer (malware) that captured browser cookies, session tokens, passwords and crypto‑wallet keys. Stolen data were sold via Telegram bots and processed through cryptocurrency exchanges. No specific CVE was cited; the attack leveraged social‑engineering‑free malware distribution. Source: BleepingComputer