The RedLine and Meta infostealer malwares that have victimised millions of people worldwide have been taken down in a Dutch-led global law enforcement action uniting agencies from Australia, Europe, the UK and the US.
Operation Magnus, which was supported by the National Crime Agency (NCA), saw three servers seized in the Netherlands, two malicious web domains shut down and two arrests made in Belgium.
Additionally, the US authorities have unsealed charges against alleged RedLine developer and admin, Maxim Rudometov, accusing him of device access fraud, conspiracy to commit computer intrusion and money laundering.
The two related malwares were used to steal personal data, including usernames and passwords, financial information including cryptocurrency data, and system data including cookies from infected devices. This was subsequently sold on to other malicious actors via dark web markets, where it was used for theft and to carry out follow-on cyber attacks.
NCA National Cyber Crime Unit head, deputy director Paul Foster, said: “Redline and other ‘as-a-service’ models provide an all-inclusive and easily accessible way for less technically skilled cyber criminals to cause serious harm to victims around the world.
“These services are supported by a criminal ecosystem comprising a range of tools, infrastructure, financial services, marketplaces and forums,” he said.
“International collaboration such as this is key to identifying and taking out the various elements of this ecosystem and ultimately making it more difficult for cyber criminals to operate.”
The Joint Cybercrime Action Taskforce (JCAT) and Eurojust-supported action is the result of a lengthy investigation that began when a number of victims came forward, and researchers at Eset notified the Dutch authorities that the malwares’ command-and-control (C2) server infrastructure appeared to be located in the Netherlands.
Operation Magnus has also resulted in the discovery and seizure of a database of RedLine and Meta “clients” that is to be used against them. Computer Weekly understands the NCA is in possession of relevant data and is scoping out opportunities to bring more cyber criminals to justice.
Those concerned they may have fallen victim to either the RedLine or Meta infostealers can visit the Operation Magnus microsite, where they can access a detection and scanning tool developed by Eset.
Searchlight Cyber threat intel analyst Vlad Mironescu, said: “Infostealer malware is an incredibly popular tool for cyber criminals, which works by infecting machines and harvesting sensitive information and credentials. We routinely observe this data being sold in bulk on dark web forums and marketplaces, as well as the sale and development of infostealer strains among the cyber criminal community.
“RedLine and Meta were popular strains but unfortunately there are many more out there, so from a practical perspective this won’t stop cyber criminals getting their hands on infostealers. However, in the case of this operation, the symbolic significance of taking out these malware strains and some of the individuals behind them may have a longer-lasting impact.”
Trolls
The microsite also includes a short video taunting those involved with the infostealer and trailing the release of more information, reminiscent of tactics taken by those involved in the Operation Cronos action against the LockBit ransomware crew earlier in 2024.
Mironescu observed that the use of such methods against cyber criminals was becoming increasingly common as a means of isolating them from their peers and destroying their reputations.
“In this case, we have even observed an account that appears to be run by Operation Magnus joining the notorious dark web hacking forum XSS to share the video,” he said. “These types of law enforcement operations are using new techniques to discredit the cyber criminals, alongside more ‘traditional’ law enforcement methods of seizing their infrastructure.
“Operation Magnus, like Operation Cronos before it, sends a strong message to cyber criminals: you are not operating beyond the reach of law enforcement,” said Mironescu.