Eurojust, FBI, and other agencies join forces to take down two major data-stealing malware rings

Operation Magnus Takes Down RedLine and Meta Infostealer Malware Rings

In context: An infostealer is a dangerous form of malware designed to exfiltrate user data and exploit it for additional malicious campaigns. Eurojust and several other enforcement agencies recently took down two prominent data-stealing trojans in this family. Investigators said this is only the beginning of a far-reaching operation.

A global enforcement action known as “Operation Magnus” took down RedLine and Meta, two lines of infostealer malware that scammed millions of victims worldwide. An international coalition of agencies from the Netherlands, US, Belgium, Portugal, United Kingdom, and Australia called “Eurojust” took down the two malware rings. Authorities made several arrests and seized servers, which they will use to catch and prosecute others involved in the racket.

Eurojust notes that RedLine and Meta operators stole massive amounts of user information, including credentials, physical and email addresses, phone numbers, cryptocurrency wallets, and cookies. The cyber-gangs sold the data to other criminals, adopting a malware-as-a-service (MaaS) business model and offering their “goods” through notorious criminal marketplaces.

Eurojust initiated Operation Magnus after an unnamed security company notified authorities about illegal servers located in the Netherlands. Investigators subsequently discovered over 1,200 servers in dozens of countries hosting the malware and were able to “quickly” exchange information about the threat thanks to the Eurojust interagency partnership.

Operation Magnus struck on October 28 with a worldwide sting that took down three servers in the Netherlands. The participating law enforcement agencies, which include European and US organizations such as the FBI and the IRS, seized domain names and arrested two people in Belgium. The operation is ongoing.

The US Justice Department charged Maxim Rudometov as one of the developers and administrators of the RedLine infostealer. The DoJ said that Rudometov regularly accessed and managed the malware infrastructure. He had multiple cryptocurrency accounts and was directly involved with laundering payments from RedLine “customers.” He now faces a maximum penalty of 35 years, though the FBI will still need to prove the case in court.

Additionally, authorities now have access to RedLine and Meta servers and have acquired the source code of both malware families. The investigators obtained a detailed list of customers doing business with the two MaaS services, and they are now “looking forward” to getting in touch with all of them.