The Dutch National Police, along with international partners, have announced the disruption of the infrastructure powering two information stealers tracked as RedLine and MetaStealer.
The takedown, which took place on October 28, 2024, is the result of an international law enforcement task force codenamed Operation Magnus that involved authorities from the U.S., the U.K., Belgium, Portugal, and Australia.
Eurojust, in a statement published today, said the operation led to the shut down of three servers in the Netherlands and the confiscation of two domains. In total, over 1,200 servers in dozens of countries are estimated to have been used to run the malware.
As part of the efforts, one administrator has been charged by the U.S. authorities and two people have been arrested by the Belgian police, the Politie said, adding one of them has since been released, while the other remains in custody.
The U.S. Department of Justice (DoJ) has charged Maxim Rudometov, one of the RedLine Stealer’s developers and administrators, with access device fraud, conspiracy to commit computer intrusion, and money laundering. If convicted, he faces a maximum penalty of 35 years in prison.
“Rudometov regularly accessed and managed the infrastructure of RedLine Infostealer, was associated with various cryptocurrency accounts used to receive and launder payments and was in possession of RedLine malware,” the DoJ said.
Investigation into the technical infrastructure of the information stealers began a year ago based on a tip from cybersecurity company ESET that the servers are located in the Netherlands.
Among the data seized included usernames, passwords, IP addresses, timestamps, registration dates, and the source code of both the stealer malware. In tandem, several Telegram accounts associated with the stealer malware have been taken offline. Further investigation into their customers is ongoing.
“The infostealers RedLine and MetaStealer were offered to customers via these groups,” Dutch law enforcement officials said. “Until recently, Telegram was a service where criminals felt untouchable and anonymous. This action has shown that this is no longer the case.”
It’s worth noting that the MetaStealer target as part of Operation Magnus is different from the MetaStealer malware that’s known to target macOS devices.
Information stealers such as RedLine and MetaStealer are crucial cogs in the cybercrime wheel, allowing threat actors to siphon credentials and other sensitive information that could then be sold off to other threat actors for follow-on attacks like ransomware.
Stealers are typically distributed under a malware-as-a-service (MaaS) model, meaning the core developers rent access to the tools to other cybercriminals either on a subscription basis or for a lifetime license.