Raccoon Stealer
What is Raccoon Stealer?
Raccoon StealerA long-running malware-as-a-service info-stealer first seen in 2019; its operator was arrested in 2022 and the project was restarted as Raccoon v2, then progressively eclipsed by Lumma and RedLine.
Raccoon Stealer is a malware-as-a-service info-stealer first observed in 2019, originally written in C/C++ and rented to affiliates on Russian-speaking forums for a flat monthly fee. It collected browser passwords, cookies, autofill, crypto-wallet files, FTP and email credentials, screenshots, and host details, and was among the top-three commodity stealers globally through 2020–2021. In March 2022 the operation paused after the FBI and Dutch national police arrested its alleged developer Mark Sokolovsky and seized infrastructure. A v2 (Raccoon v2 / RecordBreaker) re-launched in mid-2022 with a faster C++ rewrite, but by 2024 the project had largely been displaced by Lumma, RedLine, and StealC. Distribution leaned heavily on cracked software, malvertising, exploit kits, and Discord links. Raccoon's takedown is often cited as a case study in how arresting a single Russian-speaking operator can suppress but not eliminate a malware family.
● Examples
- 01
A 2021 Raccoon affiliate purchases a one-month license and distributes it via cracked Adobe installers, harvesting a few thousand browser logs per day.
- 02
FBI and Dutch police arrest Raccoon's alleged developer in March 2022; the project resumes as Raccoon v2 a few months later, then declines as competitors take share.
● Frequently asked questions
What is Raccoon Stealer?
A long-running malware-as-a-service info-stealer first seen in 2019; its operator was arrested in 2022 and the project was restarted as Raccoon v2, then progressively eclipsed by Lumma and RedLine. It belongs to the Malware category of cybersecurity.
What does Raccoon Stealer mean?
A long-running malware-as-a-service info-stealer first seen in 2019; its operator was arrested in 2022 and the project was restarted as Raccoon v2, then progressively eclipsed by Lumma and RedLine.
How does Raccoon Stealer work?
Raccoon Stealer is a malware-as-a-service info-stealer first observed in 2019, originally written in C/C++ and rented to affiliates on Russian-speaking forums for a flat monthly fee. It collected browser passwords, cookies, autofill, crypto-wallet files, FTP and email credentials, screenshots, and host details, and was among the top-three commodity stealers globally through 2020–2021. In March 2022 the operation paused after the FBI and Dutch national police arrested its alleged developer Mark Sokolovsky and seized infrastructure. A v2 (Raccoon v2 / RecordBreaker) re-launched in mid-2022 with a faster C++ rewrite, but by 2024 the project had largely been displaced by Lumma, RedLine, and StealC. Distribution leaned heavily on cracked software, malvertising, exploit kits, and Discord links. Raccoon's takedown is often cited as a case study in how arresting a single Russian-speaking operator can suppress but not eliminate a malware family.
How do you defend against Raccoon Stealer?
Defences for Raccoon Stealer typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for Raccoon Stealer?
Common alternative names include: Raccoon, RecordBreaker.
● Related terms
- malware№ 591
Info Stealer
Malware that harvests credentials, cookies, tokens, crypto wallets, and other sensitive data from an infected device and exfiltrates it to the attacker.
- malware№ 254
Credential Stealer
Malware focused specifically on extracting passwords, hashes, and authentication tokens from an infected system or its memory.
- malware№ 708
Lumma Stealer
A subscription-priced Russian-speaking malware-as-a-service info-stealer that emerged in 2022 and became one of the top-three stealers worldwide by 2024, distributed primarily via ClickFix lures and crack sites.
- malware№ 1014
RedLine Stealer
A subscription Windows info-stealer that dominated 2020–2023 cybercrime markets, harvesting browser secrets, crypto wallets, and FTP/VPN credentials; its infrastructure was disrupted by Operation Magnus in October 2024.
- malware№ 1329
Vidar Stealer
A long-running C++ Windows info-stealer derived from the older Arkei family, active since 2018 and still distributed in 2024–2025 via cracks, malvertising, and ClickFix lures.
- malware№ 1006
Ransomware-as-a-Service (RaaS)
A criminal business model in which ransomware operators rent their malware and infrastructure to affiliates who carry out attacks and share the proceeds.