The FBI, in collaboration with various international law-enforcement agencies, has seized the servers and source code for the RedLine and Meta stealers as part of Operation Magnus, and US authorities have charged one of RedLine’s developers with various crimes. The stealers are responsible for the theft of millions of unique credentials from international victims, authorities said.
The bureau and the US Department of Justice (DoJ) are among several international agencies — including the Dutch National Police, Belgian Federal Police, Belgian Federal Prosecutor’s Office, UK National Crime Agency, Australian Federal Police, Portuguese Federal Police, and Eurojust — that on Oct. 28 disrupted the operation of the cybercriminal group behind the stealers. In a video posted on the operation’s website, authorities describe the two stealers as “pretty much the same” malware.
Investigations into RedLine and Meta started after authorities learned that servers in the Netherlands were potentially linked to the malware, according to a press statement by the European Union Agency for Criminal Justice Cooperation. Investigators went on to discover that more than 1,200 servers in dozens of countries were running the stealers.
Authorities eventually collected victim log data stolen from computers infected with RedLine and Meta, identifying millions of unique usernames and passwords, as well as email addresses, bank accounts, cryptocurrency addresses, and credit card numbers that have been stolen by various malware operators. Moreover, the DoJ believes that there is still more stolen data to be recovered, it said in a press statement on Operation Magnus.
Law enforcement also seized source code for RedLine and Meta, as well as the REST-API servers, panels, stealer builds, and Telegram bots that were being used to distribute the stealers to cybercriminals. Both malware families are typically sold via cybercrime forums and through Telegram channels that offer customer support and software updates.
RedLine Developer Charged by the DoJ
As part of the US operation, the DoJ has charged Maxim Rudometov, one of the developers and administrators of RedLine, with access device fraud, conspiracy to commit computer intrusion, and money laundering. If convicted, Rudometov faces a maximum penalty of 10 years in prison for access device fraud, five years in prison for conspiracy to commit computer intrusion, and 20 years in prison for money laundering.
The DoJ also unsealed a warrant issued in the Western District of Texas that authorized law enforcement to seize two domains used by RedLine and Meta for command and control (C2). Dutch police also took down three servers associated with the stealers in the Netherlands, and two more people associated with the criminal activity were taken into custody in Belgium.
Assistant US Attorney G. Karthik Srinivasan is prosecuting the case in the US, while the investigation in Texas is being conducted by the FBI Austin Cyber Task Force, which includes the Naval Criminal Investigative Service, IRS Criminal Investigation, Defense Criminal Investigative Service, and Army Criminal Investigation Division, among other agencies.
Widespread Stealer Distribution
RedLine Stealer is a malware-as-a-service (MaaS) platform sold via Telegram and online hacker forums that targets browsers to collect various data saved by the user, including credentials and payment card details. It can also take a system inventory to assess the attack surface for further attacks.
To that end, RedLine can also perform other malicious functions, such as uploading and downloading files and executing commands. Meta, meanwhile, is essentially a clone of RedLine that performs similar functions and also operates through a MaaS model.
Because of their widespread availability, both stealers have been used by threat actors with various levels of sophistication. Advanced actors have used the stealers as an initial access vector for further malicious activity, such as delivering ransomware, while unsophisticated actors have used one or the other to enter the cybercriminal trade by stealing credentials. Those credentials are often sold to other cybercriminals on the Dark Web, continuing the cycle of cybercrime.
One popular way cybercriminals have distributed the stealers is to hide them behind Facebook ads, including ones promoting AI chatbots like ChatGPT and Google Bard. Other attack vectors have used phishing to embed the stealers in malicious files or links attached to emails.
International authorities plan to continue their investigations into the criminals using data stolen by the infostealers. For people concerned that they may have been compromised by RedLine and/or Meta, ESET is offering an online tool that lets them check whether their data was stolen and what steps they should take if it was.