Law enforcement agencies in six countries this week announced disrupting the infrastructure associated with the RedLine and Meta infostealers.
The two infostealers, the European Union’s agency for criminal justice Eurojust says, represented one of the largest malware platforms, targeting millions of users worldwide to steal personal data from their devices.
The stolen information – including credentials, cryptocurrency wallets, cookies, and automatically saved form data such as addresses, email addresses, and phone numbers – was sold to other cybercriminals who used it to steal money and crypto assets and perform other hacking activities.
Active since at least 2020 and written in .NET, RedLine has been available under the stealer-as-a-service business model, being offered by over 20 Russian-speaking cybercrime groups and sold on underground forums and Telegram channels.
Last year, after being notified that RedLine was using GitHub repositories as dead-drop resolvers for its control panels, the code-hosting platform suspended the repositories, disrupting the infostealer’s operations.
Meta, first seen in the wild in early 2022, is an improved version of RedLine that rose to fame shortly after Raccoon Stealer’s activity diminished following the law enforcement actions against its Ukrainian operator.
RedLine and Meta were distributed by affiliates through phishing emails, malvertising, fake software downloads, and malicious application sideloading.
Today, the Dutch police announced that, as part of an international law enforcement effort called Operation Magnus, it hacked into the infostealers’ servers and disrupted their infrastructure, preventing further exfiltration of victim data.
Under the coordination of Europol and Eurojust, law enforcement agencies in the Netherlands, US, UK, Belgium, Portugal, and Australia, with additional support from ESET, shut down three servers used by the malware, seized two domains, arrested two people, and shut down multiple communication channels.
According to Europol, the investigators have gathered information on over 1,200 servers used by the malware, retrieved a database of clients from the two infostealers, and, following the takedown, sent a message and a video to the alleged perpetrators.
“The video sends a strong message to the criminals, showing that the international coalition of authorities was able to obtain crucial data on their network and will shut down their criminal activities,” Europol said.
Today, the US announced charges against Maxim Rudometov for allegedly developing RedLine and administering its infrastructure. Rudometov’s cryptocurrency accounts allegedly received and laundered payments for the malware.
Additionally, ESET released a free tool to help potential RedLine and Meta victims to check whether their data has been stolen, complemented with instructions on how to secure their systems.
Related: US Transportation and Logistics Firms Targeted With Infostealers, Backdoors
Related: macOS Info-Stealer Malware ‘MetaStealer’ Targeting Businesses
Related: Snowflake Attacks: Mandiant Links Data Breaches to Infostealer Infections
Related: Russia Targeting Ukrainian Military Recruits With Android, Windows Malware, Google Says
