Dutch Police Disrupt Major Info Stealers RedLine and MetaStealer in Operation Magnus
- November 4, 2024
- Posted by: claudia
On October 28, 2024, the Dutch National Police, in coordination with international partners, announced significant progress in combating cybercrime through the disruption of infrastructure supporting two notorious information stealers, RedLine and MetaStealer. This operation, codenamed Operation Magnus, involved collaboration from law enforcement agencies in the U.S., U.K., Belgium, Portugal, and Australia, highlighting a concerted global effort against cyber threats.
The operation successfully resulted in the shutdown of three servers in the Netherlands and the confiscation of two malicious domains, specifically fivto[.]online and spasshik[.]xyz. Investigators estimate that over 1,200 servers across numerous countries were utilized to operate these malware programs. Key outcomes included the arrest of individuals involved in the operation, with the Belgian police detaining two individuals—one of whom remains in custody while the other was released.
A pivotal development emerged with the charges filed by the U.S. Department of Justice (DoJ) against Maxim Rudometov, identified as a developer and administrator of the RedLine Stealer. Charged with crimes including access device fraud, conspiracy to commit computer intrusion, and money laundering, Rudometov faces a potential maximum sentence of 35 years in prison. Investigators uncovered operational security lapses that ultimately led to his identification, including evidence retrieved from his Apple iCloud Drive account, which contained files associated with malware.
Further analysis revealed that Rudometov’s iCloud account was frequently accessed from an IP address tied to the RedLine licensing server, reinforcing the connection between the infrastructure he managed and the malware itself. This link illustrates how investigators trace and dismantle the operational frameworks underpinning such criminal enterprises.
The investigation commenced approximately one year prior, initiated from a tip-off by cybersecurity firm ESET, which indicated that the malicious servers were located within the Netherlands. The data seized during the operation included sensitive information such as usernames, passwords, IP addresses, timestamps, and the source code for both RedLine and MetaStealer malware. Additionally, several Telegram accounts linked to the distribution of the malware were taken offline, suggesting an escalating effort to confront the perceived anonymity offered by this messaging platform.
Dutch authorities emphasized the role of RedLine and MetaStealer as critical enablers of cybercrime, often used by threat actors to extract and sell sensitive data for further malicious use, including ransomware attacks. Both stealers are typically offered under a malware-as-a-service (MaaS) model, in which the developers rent out access to the tools, a model that has attracted a diverse range of cybercriminals.
Furthermore, law enforcement pointed out that this operation signals a shift for criminals who rely on platforms like Telegram for their operations, undermining the sense of safety and anonymity they once took for granted. The care taken to distinguish the MetaStealer dismantled in this operation from other known strains of the same name that target macOS environments also highlights the complexity and evolution of these threats.
Overall, Operation Magnus marks an essential step in international collaboration aimed at disrupting cybercriminal networks, sending a clear message to those involved in such illicit activities that law enforcement agencies are capable of coordinated and effective action against them. Investigations are ongoing, targeting the clientele associated with these information stealers, showcasing a proactive approach in mitigating cyber threats on a global scale.