How a series of opsec failures led US authorities to the alleged developer of the Redline password-stealing malware
- November 4, 2024
- Posted by: chuckb
- Category: TC Security
U.S. prosecutors have charged Maxim Rudometov, a Russian national, for his alleged role in developing and distributing Redline, a widely used password-stealing malware (an infostealer). The announcement is part of "Operation Magnus," an international law enforcement effort to take down the infrastructure behind Redline and a second infostealer called Meta, both of which have been used to harvest credentials and other sensitive data from millions of victims worldwide.
The charges stem from a criminal complaint unsealed by authorities that lays out how Rudometov's operational security lapses led investigators to him. According to the complaint, he registered on Russian-language hacking forums with a Yandex email account already known to law enforcement, and that same account was reused, under several pseudonyms, across other platforms, including Skype and iCloud. Reusing one email address across criminal forums and ordinary consumer services is exactly the kind of identifier reuse that lets investigators pivot from an online handle to a real identity.
Authorities obtained files from Rudometov's iCloud account that antivirus software flagged as malware, including at least one sample of Redline. The same Yandex email was also tied to a publicly visible profile on the Russian social network VK; investigators noted that Rudometov's profile photo closely resembled a person pictured in a blog post advertising services for building botnets and stealers.
The complaint also states that Rudometov used the pseudonym "ghacking" on VK's dating service. In August 2021, acting on a tip from an unnamed security firm, U.S. authorities obtained a search warrant for data on one of Redline's servers. That search produced further evidence, including IP addresses and a Binance cryptocurrency exchange account linked to the same Yandex email.
The Department of Justice says Rudometov actively managed Redline's infrastructure and was linked to several cryptocurrency accounts used to receive and launder payments for the malware. Redline has reportedly infected millions of computers worldwide since February 2020, including several hundred used by the U.S. Department of Defense.
It remains unclear whether Rudometov has been arrested; if convicted, he faces up to 35 years in prison. In related Operation Magnus actions, Europol and the Dutch police reported that three servers in the Netherlands were taken offline and two domains central to Redline's command-and-control operations were seized.
Authorities also disrupted several Telegram accounts tied to the operation, cutting off the channels through which the malware was sold. Two further individuals, one of them a customer of the malware, were arrested in Belgium as part of the wider operation.