Researchers at ESET have published an analysis of the inner workings of the RedLine Stealer operation and its sibling, Meta, following an operation led by Dutch authorities that dismantled the cybercriminal network behind them. Operation Magnus, a joint effort of the Dutch National Police, the FBI, the UK’s National Crime Agency and EU partners, took down the infrastructure of both infostealers.
ESET played a key role in the investigation, alerting Dutch authorities to malware infrastructure hosted in their jurisdiction. It had also taken part in an earlier disruption effort targeting the gang’s use of GitHub repositories as dead-drop resolvers, i.e. public repositories that pointed infected machines to the current addresses of the control panels. Through analysis of the malware source code and backend infrastructure, ESET confirmed that RedLine and Meta share the same creator and identified over 1,000 unique IP addresses used to host RedLine control panels.
According to ESET researcher Alexandre Côté Cyr, the investigation revealed that RedLine had over 1,000 subscribers to its malware-as-a-service (MaaS) offering. The 2023 versions of the malware used the Windows Communication Foundation (WCF) for communication between components, while the latest version from 2024 switched to a REST API.
The IP addresses associated with RedLine were distributed globally, with significant concentrations in Germany, the Netherlands, and Russia. ESET’s investigation also uncovered multiple backend servers located predominantly in Russia, Czechia, the Netherlands, and the UK.
RedLine and Meta were built to harvest a wide range of data from victims, including cryptocurrency wallets, credit card details, saved credentials, and data from desktop VPN clients, Discord, Telegram, and Steam. Affiliates could purchase access through online forums or Telegram channels, choosing either a monthly subscription or a lifetime license. The product, sold as a turnkey infostealer solution, let affiliates fold RedLine into larger campaigns with little effort.
Before its takedown, RedLine was one of the most widespread infostealers, with a sizable number of affiliates. However, ESET believes that the MaaS enterprise was likely orchestrated by a small group of individuals. The creator of the malware, Maxim Rudometov, has been identified and charged in the US.
This global operation underscores the collaborative efforts of law enforcement agencies and cybersecurity experts in disrupting cybercriminal activities and holding perpetrators accountable for their actions.