The US joins international action against RedLine and META Infostealers

October 29 – AUSTIN – The Department of Justice, together with the Netherlands, Belgium, Eurojust and other partners, announced an international disruption action against the current version of RedLine Infostealer, one of the most prevalent infostealers in the world that has targeted millions of victim computers, and the closely related META Infostealer.

The Department of Justice, FBI, Naval Criminal Investigative Service, IRS Criminal Investigation, Defense Criminal Investigative Service, and Army Criminal Investigation Division have joined international partners in the Joint Cybercrime Action Taskforce (“JCAT”) Operation Magnus ( supported by Europol) to seize domains, servers and Telegram accounts used by the RedLine and META administrators to disrupt the infostealers’ activities, according to a press release.

International authorities have created a website at www.operation-magnus.com with additional resources for the public and potential victims.

According to the release, infostealers are a common form of malware used to steal sensitive information from victim computers, including usernames and passwords, financial information, system information, cookies and cryptocurrency accounts. The stolen information, also called ‘logs’, is sold on cybercrime forums and used for further fraudulent activities and other hacks. RedLine has been used to carry out burglaries against major companies. RedLine and META infostealers can also allow cybercriminals to bypass multi-factor authentication (MFA) through the theft of authentication cookies and other system information.

RedLine and META are sold through a decentralized Malware as a Service (“MaaS”) model where affiliates purchase a license to use the malware and then launch their own campaigns to infect the intended victims. The malware is spread to victims through malvertising, email phishing, fraudulent software downloads, and sideloading of malicious software. Various schemes have been used, including COVID-19 and Windows updates-related ploys to trick victims into downloading the malware. The malware is offered for sale on cybercrime forums and through Telegram channels that offer customer support and software updates. RedLine and META have infected millions of computers around the world, and by some estimates RedLine is one of the largest malware variants in the world.

Through several investigative steps, law enforcement collected victim log data stolen from computers infected with RedLine and META. While an exact number has not yet been definitively determined, agents have identified millions of unique login credentials (usernames and passwords), email addresses, bank accounts, cryptocurrency addresses, credit card numbers, etc. The United States does not believe it is in possession of all the stolen data and continues to investigate.

The department unsealed a warrant in the Western District of Texas that authorized law enforcement agencies to seize two domains used by RedLine and META for command and control.

In conjunction with the disruption efforts, the Department of Justice unsealed charges against Maxim Rudometov, one of the developers and administrators of RedLine Infostealer. According to the complaint, Rudometov regularly accessed and controlled RedLine Infostealer’s infrastructure, was associated with several cryptocurrency accounts used to receive and launder payments, and was in possession of RedLine malware. For his actions, he has been charged with access device fraud, in violation of 18 USC § 1029, conspiracy to commit computer intrusion, in violation of 18 USC §§ 1030 and 371, and money laundering, in violation of 18 USC § 1956.

If convicted, Rudometov faces a maximum sentence of 10 years in prison for access device fraud, five years in prison for conspiracy to commit computer burglary and 20 years in prison for money laundering. The complaint is merely an accusation, and the defendant is presumed innocent until proven guilty beyond a reasonable doubt in a court of law.

The FBI Austin Cyber ​​Task Force is investigating the case. Task Force participants include the Naval Criminal Investigative Service, IRS Criminal Investigation, Defense Criminal Investigative Service and Army Criminal Investigation Division.

Assistant U.S. Attorney G. Karthik Srinivasan is prosecuting the case. Eurojust’s Cybercrime Liaison Magistrate and the Ministry of Justice’s International Affairs Office also provided significant assistance.

The disruption effort announced today coincided with Operation Magnus, a JCAT law enforcement operation to investigate RedLine and META Infostealers. Participating agencies included the Dutch National Police, the Belgian Federal Police, the Belgian Federal Public Prosecution Service, the British National Crime Agency, the Australian Federal Police, the Portuguese Federal Police and Eurojust.