Operation Magnus: A Major Blow to Cybercrime with the Seizure of RedLine and Meta Stealers
In a significant international law enforcement operation dubbed Operation Magnus, the FBI, in collaboration with various global agencies, has successfully seized the servers and source code for two notorious malware programs: RedLine and Meta stealers. This operation has not only disrupted the operations of a cybercriminal group responsible for the theft of millions of unique credentials but has also led to the charging of one of RedLine’s developers with multiple crimes.
The Scope of Operation Magnus
On October 28, 2023, a coordinated effort involving the U.S. Department of Justice (DoJ), the Dutch National Police, the Belgian Federal Police, the UK National Crime Agency, the Australian Federal Police, the Portuguese Federal Police, and Eurojust culminated in the dismantling of the cybercriminal infrastructure behind these malware programs. Authorities reported that the two malware variants are "pretty much the same," indicating a shared lineage in their design and functionality.
The investigation began when authorities identified potential servers in the Netherlands linked to the malware. This led to the discovery of over 1,200 servers operating in dozens of countries, facilitating the widespread distribution of the stealers.
The Impact of RedLine and Meta Stealers
The RedLine and Meta stealers have been instrumental in the theft of sensitive information from countless victims worldwide. Authorities have collected victim log data from infected computers, revealing millions of unique usernames, passwords, email addresses, bank account details, cryptocurrency addresses, and credit card numbers. The DoJ has indicated that there may still be more stolen data yet to be recovered, underscoring the extensive reach of these malware programs.
The seized assets included not only the source code for RedLine and Meta but also REST-API servers, control panels, and Telegram bots used for distribution. These malware programs are typically sold on cybercrime forums and through Telegram channels, often accompanied by customer support and software updates.
Legal Actions Against Cybercriminals
As part of the operation, the DoJ has charged Maxim Rudometov, a key developer and administrator of RedLine, with several offenses, including access device fraud, conspiracy to commit computer intrusion, and money laundering. If convicted, Rudometov faces severe penalties, including up to 10 years in prison for access device fraud and 20 years for money laundering.
Beyond the charges against Rudometov, law enforcement agencies have also taken down two domains used for command and control (C2) of the malware and arrested two other individuals in Belgium in connection with the criminal activity. The investigation is being led by the FBI Austin Cyber Task Force, which collaborates with various federal agencies, including the Naval Criminal Investigative Service and IRS Criminal Investigation.
Understanding the Malware: RedLine and Meta
RedLine Stealer operates as a malware-as-a-service (MaaS) platform, primarily targeting web browsers to extract saved data, including credentials and payment card information. It can also perform system inventories to identify vulnerabilities for further exploitation. Meta, for its part, is essentially a clone of RedLine, offering the same functionality and operating under the same MaaS model.
Both malware programs have gained popularity among cybercriminals of varying skill levels. Advanced threat actors often use them as initial vectors for more complex attacks, such as ransomware deployment, while less experienced criminals utilize them to steal credentials, which are then sold on the Dark Web.
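The behaviour described above, a process sweeping the saved-login and payment stores of several browsers, is what a defender can look for in endpoint file-access telemetry. The following detection sketch is an added example written for this article; it is not code from the investigation, from ESET, or from any vendor. It assumes a simplified event schema (process name, process image path, file opened) constructed inline, and it uses the well-known Chromium ("Login Data", "Web Data", "Cookies") and Firefox ("logins.json", "key4.db") store filenames; the trusted install directories are an assumption for a default Windows layout and would need adjusting per environment.

```python
"""Flag non-browser processes (or browser-named processes running from odd
locations) that read browser credential/payment stores, and escalate when
one process sweeps stores belonging to several browsers.
Added example; event schema and sample telemetry are constructed."""
from collections import defaultdict
from dataclasses import dataclass

# Filenames of the stores an infostealer harvests (trailing path component only).
SENSITIVE_STORES = {"Login Data", "Web Data", "Cookies", "logins.json", "key4.db"}
# Processes legitimately expected to open those files.
EXPECTED_READERS = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe", "firefox.exe"}
# Assumption: where legitimate browser binaries live on a default Windows install.
TRUSTED_DIRS = ("c:/program files/", "c:/program files (x86)/")


@dataclass(frozen=True)
class FileAccessEvent:
    process_name: str   # image name as reported by the sensor
    process_path: str   # full path of the executing image
    target_path: str    # file the process opened


def _norm(path: str) -> str:
    return path.replace("\\", "/").lower()


def store_name(path: str):
    """Return the credential store filename if `path` points at one, else None."""
    leaf = path.replace("\\", "/").rsplit("/", 1)[-1]
    return leaf if leaf in SENSITIVE_STORES else None


def classify(ev: FileAccessEvent):
    """Reason string if a single event looks like stealer activity, else None."""
    if store_name(ev.target_path) is None:
        return None
    if ev.process_name.lower() not in EXPECTED_READERS:
        return "non-browser process read a browser credential store"
    if not _norm(ev.process_path).startswith(TRUSTED_DIRS):
        return "browser-named process running outside its install directory"
    return None


def find_suspicious(events):
    """Return (per-event findings, processes that swept >= 2 distinct stores)."""
    findings = []
    stores_by_proc = defaultdict(set)
    for ev in events:
        reason = classify(ev)
        if reason:
            findings.append((ev, reason))
            stores_by_proc[ev.process_path].add(_norm(ev.target_path))
    sweeps = {p: len(s) for p, s in stores_by_proc.items() if len(s) >= 2}
    return findings, sweeps


# Constructed sample telemetry: one benign browser read, one stealer-like sweep
# from a Temp-resident binary, an unrelated file read, a browser-named binary in
# Temp, and a legitimate Firefox read of its own key database.
SAMPLE_EVENTS = [
    FileAccessEvent("chrome.exe", r"C:\Program Files\Google\Chrome\Application\chrome.exe",
                    r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    FileAccessEvent("update.exe", r"C:\Users\alice\AppData\Local\Temp\update.exe",
                    r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    FileAccessEvent("update.exe", r"C:\Users\alice\AppData\Local\Temp\update.exe",
                    r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\x1.default\logins.json"),
    FileAccessEvent("update.exe", r"C:\Users\alice\AppData\Local\Temp\update.exe",
                    r"C:\Users\alice\AppData\Local\Microsoft\Edge\User Data\Default\Web Data"),
    FileAccessEvent("notepad.exe", r"C:\Windows\System32\notepad.exe",
                    r"C:\Users\alice\Documents\notes.txt"),
    FileAccessEvent("chrome.exe", r"C:\Users\alice\AppData\Local\Temp\chrome.exe",
                    r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    FileAccessEvent("firefox.exe", r"C:\Program Files\Mozilla Firefox\firefox.exe",
                    r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\x1.default\key4.db"),
]

if __name__ == "__main__":
    hits, sweeps = find_suspicious(SAMPLE_EVENTS)
    for ev, why in hits:
        print(f"{ev.process_path} -> {ev.target_path}: {why}")
    for proc, n in sweeps.items():
        print(f"SWEEP: {proc} touched {n} distinct credential stores")
```

The per-event rule catches the obvious case; the sweep count is the higher-confidence signal, since a legitimate program rarely opens the login stores of Chrome, Firefox and Edge in one session. In production this would consume EDR or Sysmon file-access events rather than the constructed list, and the trusted-directory check should be replaced with image signature verification where the sensor provides it.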
Distribution Tactics of the Stealers
The distribution of RedLine and Meta stealers has been alarmingly widespread. Cybercriminals have employed various tactics to spread these malware programs, including embedding them in Facebook ads that promote popular AI chatbots like ChatGPT and Google Bard. Phishing attacks have also been a common method, with malicious files or links attached to emails serving as delivery mechanisms for the stealers.
Ongoing Investigations and Public Awareness
International law enforcement agencies are committed to continuing their investigations into the criminals leveraging data stolen by RedLine and Meta. For individuals concerned about potential compromises due to these malware programs, cybersecurity firm ESET is offering an online tool to check if their data has been stolen and to provide guidance on the necessary steps to take if it has.
Conclusion
Operation Magnus represents a significant victory in the ongoing battle against cybercrime. By dismantling the infrastructure behind RedLine and Meta stealers, law enforcement agencies have not only disrupted a major source of credential theft but have also sent a clear message to cybercriminals: the international community is united in its efforts to combat cyber threats. As investigations continue, the hope is to recover more stolen data and bring those responsible for these malicious activities to justice.