Introduction

Operation Magnus represents a significant international law enforcement collaboration aimed at dismantling a major global malware network. This operation [1] [2] [4] [6] [7] [8] [9] [10], led by the Dutch National Police with support from the FBI, the UK’s National Crime Agency [4] [9], and other agencies [2] [3], successfully targeted the distribution of the RedLine and Meta infostealers.

Description

On October 28, 2024, Operation Magnus [1] [2] [3] [4] [5] [6] [7] [8] [10] disrupted a major global malware network responsible for distributing the RedLine and Meta infostealers. The operation was led by the Dutch National Police and supported by the FBI, the UK’s National Crime Agency [4] [9], law enforcement agencies from Belgium [7], Portugal [8] [9], and Australia [6] [7] [8] [9], and several US agencies, including the Defense Department’s Defense Criminal Investigative Unit [9], the Navy’s Naval Criminal Investigative Service [9], and the IRS Criminal Investigation Division [9]. Authorities seized three servers in the Netherlands, shut down two domains associated with the malware [1], and disabled several Telegram accounts used by the administrators [3], leaving the infrastructure unable to collect newly stolen data [1]. They also gained full access to the complete source code of both malware strains, including their license servers [9], REST API servers [2] [10], control panels [2], and Telegram bots [2] [3] [4] [5] [9] [10]. The investigation [1] [3] [4] [6] [8], opened a year earlier on a tip from the cybersecurity firm ESET [8], identified over 1,200 servers across multiple countries that are estimated to have supported the malware, and uncovered a trove of compromised data, including usernames [1] [2] [8], passwords [1] [2] [3] [4] [5] [6] [8] [10], cookies [2] [6], financial information, cryptocurrency wallet details [3] [6], IP addresses [2] [4] [5] [6] [8] [10], timestamps [2] [4] [8] [10], and registration dates [4] [8] [10].

Evidence from the operation includes a video showing screenshots of various panels and source code [10], as well as footage of law enforcement reviewing the licensing server panels and user information [10]. Dutch authorities sent a message to the actors behind the infostealers [1], informing them that an international coalition of authorities had obtained crucial data on their network [1], which led to further action by Belgian authorities, who dismantled several communication channels related to RedLine and Meta. A dedicated website for the operation has also been set up to warn the criminals, indicating that more actions [6], including additional server takedowns and arrests [6], are anticipated [6].

US authorities charged Maxim Rudometov [8], an alleged developer and administrator of RedLine [3] [8], with access device fraud [1] [3] [8], conspiracy to commit computer intrusion [1] [3] [8], and money laundering [1] [3] [8]; he faces a potential maximum penalty of 35 years in prison [8]. RedLine [1] [2] [3] [4] [5] [6] [7] [8] [9] [10], active since 2020 [4] [5], is one of the most prolific infostealers [4] and has been linked to significant breaches, including a 2022 hack at Uber and the theft of nearly half of the 170 million passwords identified by KrakenLabs. Variants of RedLine have also been found in fake game cheats targeting gamers [5]. Meta [1] [2] [4] [5] [6] [7] [9] [10], a newer infostealer [4], is noted for its similarities to RedLine, and cybersecurity experts indicate that it is a derivative of the original malware. Together, the two infostealers have compromised data from millions of victims globally [7], stealing credentials and sensitive information for resale to other criminals [8]; both are typically distributed under a decentralized malware-as-a-service model [8]. Distribution methods for these malware variants include malvertising, email phishing [3], and fraudulent software downloads [3], often using lures related to COVID-19 or Windows updates to deceive victims [3].

Operation Magnus appears to be employing a strategy similar to that of Operation Cronos [10], which disrupted the LockBit ransomware-as-a-service operation [10], by providing a countdown for further announcements [10]. Further details about the takedown are expected to be released soon [4]. While there are currently no reports of arrests, legal actions are in progress [5] [10], and involved parties are being notified [10]. Eurojust has also announced that ESET has provided an online scanner for users to check their systems for RedLine and Meta infections, with more information available on the Operation Cronos website [1].

Conclusion

Operation Magnus has significantly impacted the global distribution of the RedLine and Meta infostealers, disrupting their operations and preventing further data theft. The seizure of servers and source code [7], along with the dismantling of communication channels, marks a substantial blow to cybercriminal networks. The operation underscores the importance of international cooperation in combating cybercrime and highlights the ongoing efforts to mitigate the risks posed by malware. Future actions, including potential arrests and further server takedowns, are anticipated as authorities continue to pursue those responsible. The provision of tools like ESET’s online scanner offers a proactive measure for individuals and organizations to protect themselves against these threats.

References

[1] https://www.infosecurity-magazine.com/news/law-enforcement-redline-meta/
[2] https://www.bankinfosecurity.com/dutch-police-fbi-infiltrate-info-stealer-infrastructure-a-26643
[3] https://www.irs.gov/compliance/criminal-investigation/us-joins-international-action-against-redline-and-meta-infostealers
[4] https://techcrunch.com/2024/10/28/police-operation-claims-takedown-of-prolific-redline-and-meta-password-stealers/
[5] https://www.yahoo.com/tech/dutch-police-say-theyve-taken-down-redline-and-meta-credential-stealer-malware-161531556.html
[6] https://www.heise.de/en/news/Operation-Magnus-Global-criminal-investigators-smash-major-malware-platform-9997897.html
[7] https://www.darkreading.com/threat-intelligence/fbi-partners-disrupt-redline-meta-stealer-operations
[8] https://thehackernews.com/2024/10/dutch-police-disrupt-major-info.html
[9] https://cyberscoop.com/redline-meta-operation-magnus-infostealers/
[10] https://www.helpnetsecurity.com/2024/10/28/police-hacks-disrupts-redline-meta-infostealer-operations/