RedLine and META Infostealers Targeted in Operation Magnus

On the 28th of October 2024 the Dutch National Police, working in close cooperation with the FBI and other partners of the international law enforcement task force Operation Magnus, disrupted operation of the RedLine and META infostealers. The operation was originally published on the Operation Magnus website, with a video “trolling” those who use the Infostealers. Subsequently official statements have been released by Eurojust and the US Department of Justice (DOJ) confirming the details of the server shutdowns, seizure of domains, arrests and charges of individuals.

“The infostealers, RedLine and META, taken down today targeted millions of victims worldwide, making it one of the largest malware platforms globally,” said Eurojust.

“An international coalition of authorities from the Netherlands, the United States, Belgium, Portugal, the United Kingdom and Australia shut down the servers in the Netherlands, seized two domains, unsealed charges in the United States and took two people into custody in Belgium.”

In the U.S., the takedown included the seizure of two domains and charges against one of the operators, Maxim Rudometov. Unsealed court documents show a series of security errors that led the investigators to Rudometov, with a search of the Apple iCloud Drive account associated with his email addresses exposing numerous files identified as malware, including a RAR archive that corresponded to RedLine.

The search also revealed an IP address that was “logged by Apple as having been used to interact with the iCloud account attributed to Rudometov.” The IP address is said to have been used approximately 701 times to access or interact with the iCloud account in July 2021 alone.

“Through various investigative steps, law enforcement has collected victim log data stolen from computers infected with RedLine and META,” the DOJ said in announcing the charges.

If arrested, charged, and convicted, Rudometov faces a possible 30 years behind bars for conspiracy to commit computer intrusion and access device fraud.

How did RedLine and META infostealers target their victims?

RedLine and META infostealers are designed to steal personal and sensitive data from their victim’s devices. This data includes usernames and passwords, as well as “automatically saved form data” such as contact information, cryptocurrency wallets and cookies. Once this information has been retrieved, the likes of RedLine and META look to sell the data on dark web marketplaces to other cybercriminals. This data is then used by the purchaser to perform activities such as ransomware attacks, fraud, and identity theft.

Vlad, a Threat Intelligence Analyst at Searchlight Cyber commented on this latest law enforcement action against international cybercrime: “Infostealer malware is an incredibly popular tool for cybercriminals, which works by infecting machines and harvesting sensitive information and credentials. We routinely observe this data being sold in bulk on dark web forums and marketplaces, as well as the sale and development of infostealer strains among the cybercriminal community.

“RedLine and META were popular strains but unfortunately there are many more out there, so from a practical perspective this won’t stop cybercriminals getting their hands on infostealers. However, in the case of this operation, the symbolic significance of taking out these malware strains and some of the individuals behind them may have a longer-lasting impact.

“The Dutch National Police and the other law enforcement agencies involved in this operation have made a point of publicizing this takedown. The creation a dedicated video that taunts those involved with the infostealers and the use of a countdown timer with the release of further information brings to mind Operation Cronos earlier in the year, where international law enforcement very publicly released information they had gather on the ransomware operator known as LockBit. In this case, we have even observed an account that appears to be run by Operation Magnus joining the notorious dark web hacking forum XSS to share the video.

“These types of law enforcement operations are using new techniques to discredit the cybercriminals, alongside more “traditional” law enforcement methods of seizing their infrastructure. Operation Magnus, like Operation Cronos before it, sends a strong message to cybercriminals: you are not operating beyond the reach of law enforcement.”