Belgian cops cuff 2 suspected cybercrooks in Redline, Meta infostealer sting

International law enforcement officials have arrested two individuals and charged another in connection with the use and distribution of the Redline and Meta infostealer malware strains.

Various police forces led by the Dutch Politie announced yesterday that the Redline and Meta malicious software strains were disrupted, servers seized, and domains shuttered in their latest efforts to tackle major global cybercrime.

Today, officials said two people were cuffed in Belgium following a series of house raids. Details of the individuals have been largely kept secret, although we know one of those arrested is a suspected infostealer customer who remains in police custody. Nothing further was disclosed about the other detainee, except that they have since been let go.

The US also charged Maxim Rudometov, a man of unspecified age and origin, who it said was under suspicion of being a developer and administrator of Redline – a strain the Justice Department dubbed “one of the top malware variants in the world.” There was no mention of an arrest being made.

“According to the complaint, Rudometov regularly accessed and managed the infrastructure of Redline infostealer, was associated with various cryptocurrency accounts used to receive and launder payments, and was in possession of RedLine malware,” said the DoJ.

Rudometov was charged with access device fraud, conspiracy to commit computer intrusion, and money laundering.

“If convicted, Rudometov faces a maximum penalty of 10 years in prison for access device fraud, five years in prison for conspiracy to commit computer intrusion, and 20 years in prison for money laundering.”

The Politie said the disruption – codenamed Operation Magnus – was more than a year in the making. Its investigation uncovered thousands of Redline and Meta customers, who in turn victimized millions of people.

Eurojust said that after the three servers and two domains were seized in the Netherlands, all users of Redline and Meta were contacted directly by the police and were encouraged to share useful information with prosecutors.

It also mentioned that across all territories involved in the joint disruption operation, more than 1,200 servers were discovered hosting the malware. Investigators believe the malware is now neutralized with key servers taken down, along with the primary communication channels used by the infostealers’ customers.

Organizations with robust detection measures already in place may not benefit greatly from this, but it’s worth mentioning that Slovak security shop ESET released a free online scanner to determine whether or not either Redline or Meta is running on your machine. It only works on Windows, however.

Today’s update follows the initial announcement of the malware takedown on Monday. Few details were released other than a video which appeared to taunt the customers of both infostealers, suggesting law enforcement would be pursuing them.

A series of online aliases were flashed across the screen, hinting that the authorities had accessed the full customer list, as was confirmed today. The Politie also said it gained access to both stealers’ source code.

The big question surrounding the announcement was whether any arrests had been made. Critics have raised questions over how viable such operations are and pointed out they are often tied to a lack of arrests. Cuffing the suspects is notoriously difficult to achieve as the places where suspects are based often have no extradition agreements with the lands where Interpol operates.

In a positive showing for the good guys, the Politie said today: “Follow-up actions and arrests cannot be ruled out.”

Operation Magnus is the latest in a line of cybercrime-fighting success stories coming from law enforcement this year. Authorities have disrupted the likes of LockBit, Ghost, malware droppers, and botnets as part of their sharpened focus on bringing material consequences to cybercriminals. ®
