Belgian cops cuff 2 suspected cybercrooks in Redline, Meta infostealer sting

US also charges an alleged Redline dev, no mention of an arrest


International law enforcement officials have arrested two individuals and charged another in connection with the use and distribution of the Redline and Meta infostealer malware strains.

Various police forces led by the Dutch Politie announced yesterday that the Redline and Meta malicious software strains were disrupted, servers seized, and domains shuttered in their latest efforts to tackle major global cybercrime.

Today, officials said two people were cuffed in Belgium following a series of house raids. Details of the individuals have largely been kept secret, although we know one of those arrested was a suspected infostealer customer who remains in police custody. The only detail released about the other detainee is that they have since been released.

The US also charged Maxim Rudometov, a man of unspecified age and origin, whom it said was under suspicion of being a developer and administrator of Redline – a strain the Justice Department dubbed "one of the top malware variants in the world." There was no mention of an arrest being made.

"According to the complaint, Rudometov regularly accessed and managed the infrastructure of Redline infostealer, was associated with various cryptocurrency accounts used to receive and launder payments, and was in possession of RedLine malware," said the DoJ.

Rudometov was charged with access device fraud, conspiracy to commit computer intrusion, and money laundering.

"If convicted, Rudometov faces a maximum penalty of 10 years in prison for access device fraud, five years in prison for conspiracy to commit computer intrusion, and 20 years in prison for money laundering."

The Politie said the disruption – codenamed Operation Magnus – is over a year in the making. Its investigation uncovered thousands of Redline and Meta customers which in turn victimized millions of people.

Eurojust said that after the three servers and two domains were seized in the Netherlands, all users of Redline and Meta were contacted directly by the police and were encouraged to share useful information with prosecutors.

It also mentioned that across all territories involved in the joint disruption operation, more than 1,200 servers were discovered hosting the malware. Investigators believe the malware is now neutralized with key servers taken down, along with the primary communication channels used by the infostealers' customers.

Organizations with robust detection measures already in place may not benefit greatly from this, but it's worth mentioning that Slovak security shop ESET released a free online scanner to determine whether or not either Redline or Meta is running on your machine. It only works on Windows, however.

Today's update follows the initial announcement of the malware takedown on Monday. Few details were released other than a video which appeared to taunt the customers of both infostealers, suggesting law enforcement would be pursuing them.

A series of online aliases were flashed across the screen, hinting that the authorities had accessed the full customer list, as was confirmed today. The Politie also said it gained access to both stealers' source code.

The big question surrounding the announcement was whether any arrests had been made. Critics have questioned how effective such operations are, pointing out that they often end without arrests. Cuffing the suspects is notoriously difficult, as the countries where suspects are based often have no extradition agreements with the lands where Interpol operates.

In a positive showing for the good guys, the Politie said today: "Follow-up actions and arrests cannot be ruled out."

Operation Magnus is the latest in a line of cybercrime-fighting success stories coming from law enforcement this year. Authorities have disrupted the likes of LockBit, Ghost, malware droppers, and botnets as part of their sharpened focus on bringing material consequences to cybercriminals. ®
