Law Enforcement Operation Takes Down Redline and Meta Infostealers


A global law enforcement operation has disrupted infrastructure for the Redline and Meta infostealers, malware tools widely used by cybercriminal groups to steal sensitive personal data.

Operation Magnus took place on October 28, with law enforcement shutting down three servers used to run the malware in the Netherlands and the seizure of two domains.

This means the malware no longer functions and cannot currently be used to steal new data from infected victims.

Authorities have also retrieved a database of thousands of clients of Redline and Meta and will continue investigations into these criminal actors.

One alleged administrator of the infostealers has been indicted in the US and two suspected customers have been taken into custody in Belgium. One of these suspected customers has since been released.

The US Attorney's Office, Western District of Texas has confirmed the identity of the alleged administrator, Maxim Rudometov. Rudometov is accused of regularly accessing and managing the infrastructure of Redline Infostealer, of being associated with various cryptocurrency accounts used to receive and launder payments, and of being in possession of Redline malware.

He has been charged with access device fraud, conspiracy to commit computer intrusion and money laundering, crimes which carry maximum prison sentences of 10 years, five years and 20 years, respectively.

In addition, several Telegram accounts used to distribute the infostealers have been taken down.

The operation was prompted by a tip from cybersecurity company ESET about servers in the Netherlands relating to the malware. This initiated an investigation over a year ago, which provided insights into the technical infrastructure of the infostealers, the communication channels used and the entire user base.

During the investigation, authorities discovered that over 1200 servers in dozens of countries were running the malware.

Following the takedown, Dutch national police issued a message to the actors behind the infostealers via a dedicated Operation Cronos website. This included a video showing that the international coalition of authorities was able to obtain crucial data on their network and will shut down their criminal activities.

After the message was sent, Belgian authorities took down several Redline and Meta communication channels.

The website, www.operation-magnus.com, appears to be offline at the time of writing.

Operation Magnus involved law enforcement agencies from the Netherlands, the US, Belgium, Portugal, the UK and Australia, coordinated by the European Union Agency for Criminal Justice Cooperation (Eurojust).

Redline and Meta Responsible for Millions of Victims

Redline and Meta are infostealers, designed to steal personal data from victim devices, including usernames and passwords, automatically saved form data such as addresses, email addresses and phone numbers, cryptocurrency wallets and cookies.

After retrieving this information, the infostealer operators sell the data on to other cybercriminals via criminal marketplaces. Those who purchase this data then use it for follow-on activities, including identity theft, financial fraud and ransomware attacks.

Dutch police noted that Redline and Meta are among the most well-known infostealers worldwide, having operated for years and amassed millions of victims.

Eurojust said that a private security company has launched an online tool to allow people to check if their data was stolen, with further details available on the Operation Cronos website.

In June 2024, a law enforcement operation led by the UK’s National Crime Agency (NCA) took down infrastructure used to host the Cobalt Strike tool.

This article was updated at 16.20 GMT
