The Dutch National Police, along with international partners, have announced the disruption of the infrastructure powering two information stealers tracked as RedLine and MetaStealer.
The takedown, which took place on October 28, 2024, is the result of an international law enforcement task force codenamed Operation Magnus that involved authorities from the U.S., the U.K., Belgium, Portugal, and Australia.
Eurojust, in a statement published today, said the operation led to the shut down of three servers in the Netherlands and the confiscation of two domains (fivto[.]online and spasshik[.]xyz). In total, over 1,200 servers in dozens of countries are estimated to have been used to run the malware.
As part of the efforts, one administrator has been charged by the U.S. authorities and two people have been arrested by the Belgian police, the Politie said, adding one of them has since been released, while the other remains in custody.
The U.S. Department of Justice (DoJ) has charged Maxim Rudometov, one of the RedLine Stealer's developers and administrators, with access device fraud, conspiracy to commit computer intrusion, and money laundering. If convicted, the Russian national faces a maximum penalty of 35 years in prison.
"Rudometov regularly accessed and managed the infrastructure of RedLine Infostealer, was associated with various cryptocurrency accounts used to receive and launder payments and was in possession of RedLine malware," the DoJ said.
Unsealed court documents show a series of operational security blunders that led the investigators to Rudometov, with an authorized search of the Apple iCloud Drive account associated with his Yandex email address uncovering numerous files identified as malware, including a RAR archive that corresponded to RedLine.
Further analysis of the RedLine licensing server revealed an IP address that was also "logged by Apple as having been used to interact with the iCloud account attributed to Rudometov." The IP address is said to have been used approximately 701 times to access or interact with the iCloud account in July 2021 alone.
Investigation into the technical infrastructure of the information stealers began a year ago based on a tip from cybersecurity company ESET that the servers are located in the Netherlands.
Among the data seized included usernames, passwords, IP addresses, timestamps, registration dates, and the source code of both the stealer malware. In tandem, several Telegram accounts associated with the stealer malware have been taken offline. Further investigation into their customers is ongoing.
"The infostealers RedLine and MetaStealer were offered to customers via these groups," Dutch law enforcement officials said. "Until recently, Telegram was a service where criminals felt untouchable and anonymous. This action has shown that this is no longer the case."
It's worth noting that the MetaStealer family dismantled as part of Operation Magnus is different from the MetaStealer malware that's known to target macOS devices.
Information stealers such as RedLine and MetaStealer are crucial cogs in the cybercrime wheel, allowing threat actors to siphon credentials and other sensitive information that could then be sold off to other threat actors for follow-on attacks like ransomware.
Stealers are typically distributed under a malware-as-a-service (MaaS) model, meaning the core developers rent access to the tools to other cybercriminals either on a subscription basis or for a lifetime license.