Three individuals face charges as police dismantle Redline and Meta infostealers


In a major cybercrime breakthrough, a Dutch-led international operation dismantled one of the largest global malware platforms. Authorities continue to investigate the cybercriminals behind the two notorious infostealers: one man has been charged in the US and two individuals have been arrested in Belgium. ESET has released an online scanner that lets users check whether they are infected.

On October 28th, 2024, the Dutch National Police, the FBI, and other partners in the international law enforcement task force behind Operation Magnus disrupted the Redline and Meta infostealers. The criminal rings behind the malware are responsible for stealing information from millions of victims globally.

Authorities released more details explaining the malicious operation and how the software was specifically designed to steal sensitive data from unsuspecting users’ computers.


Three face charges, follow-up actions ‘cannot be ruled out’

To date, the US authorities have charged one administrator, and the Belgian police have arrested two people. Follow-up actions and arrests cannot be ruled out.

The Justice Department unsealed charges against Maxim Rudometov, who is believed to be one of the developers and administrators of RedLine Infostealer.

“If convicted, Rudometov faces a maximum penalty of 10 years in prison for access device fraud, five years in prison for conspiracy to commit computer intrusion, and 20 years in prison for money laundering,” the press release reads.

US investigators have identified millions of unique credentials (usernames and passwords), email addresses, bank account details, cryptocurrency addresses and credit card numbers, among other data. The US does not believe it has recovered all of the stolen data and continues to investigate.

During Operation Magnus, authorities seized domains and servers used by the cybercriminals. Multiple Telegram accounts, which acted as distribution channels, have also been shut down.

Malicious servers found by ESET

The Dutch police said they received a tip from a security company, ESET Netherlands, about servers in the country related to the malware. The year-long investigation that followed mapped the technical infrastructure of the infostealers, their communication channels, and a complete database of the services' users, i.e. the criminals' customers.


“RedLine and Meta are among the most well-known infostealers worldwide with millions of victims and have been active for years. The investigation identified thousands of customers related to this service who have independently created victims. The stolen data is traded or directly misused in committing other cybercrime, such as hacking or theft of data or cryptocurrency,” the Dutch police said.

Infostealers are malware designed to harvest and exfiltrate saved login credentials, financial information, email data, and system information from infected machines.

“Until recently, Telegram was a service where criminals felt untouchable and anonymous. This action has shown that this is no longer the case,” the Dutch Police’s statement reads.

The Dutch police said they used their lawful hacking authority to take the infrastructure of both infostealers offline. As a result, the police say, the malware no longer functions and cannot steal any new data. Note that taking down the back-end servers does not remove existing infections from victims' machines, nor does it recall data that was already stolen and sold on, which is why a detection tool was released and why investigations into the buyers of the data continue.

Redline and Meta operated under a malware-as-a-service model: the developers rented the malware and its back-end infrastructure to paying customers, who then carried out the infections themselves. According to Specops research, Redline alone racked up 170 million stolen credentials over a six-month period.

Eurojust (European Union Agency for Criminal Justice Cooperation) estimates that RedLine and Meta were among the largest malware platforms globally. Over 1,200 servers in dozens of countries were running the malware.

“After retrieving the personal data, the infostealers sold the information to other criminals through criminal marketplaces. The criminals who purchased the personal data used it to steal money, cryptocurrency, and carry out follow-on hacking activities,” Eurojust said. “After the authorities obtained the data and took down the servers, a message was sent to the alleged perpetrators, including a video.”

Investigations will now continue into the criminals using the stolen data.

Tools available for affected users

Users can check whether they are infected with either of the two infostealers using the detection tool developed by ESET, provided on the website www.operation-magnus.com.


The police also shared some general tips for spotting malicious activity: look out for unexpected account activity or transactions, password problems, suspicious emails, data breach notifications, and unfamiliar software such as programs or browser extensions running on the system.

Police teased criminals with the ‘final update’

Cybernews already reported that the police released ‘the final update’ for the malware in the form of a short video resembling the criminals’ own ads. The malware was advertised for sale on cybercrime forums and through Telegram channels that offered customer support and software updates.

“We gained full access to all Redline and Meta servers. Did you know they are actually pretty much the same? This version of Redline and Meta includes unique insights into your data. Username, passwords, IP addresses, timestamps, registration date, and much more,” the clip announced.

The clip revealed that police gained access to the source code, servers, administrator panels listing many users, and Telegram bots. The police said that involved parties would be notified and that legal action was underway.

“VIP-status for all Redline and Meta users where VIP means very important to the police. Thank you for installing this update. We are looking forward to seeing you soon,” the clip said while displaying handcuffs.