The United States announced charges today against Maxim Rudometov, a Russian national, for being the suspected developer and administrator of the RedLine malware operation, one of the most prolific infostealers over the past few years.
These infostealers, marketed to cybercriminals and sold via subscriptions, enable attackers to steal credentials and financial data and bypass multi-factor authentication.
Rudometov was named in an update to ‘Operation Magnus,’ an international law enforcement operation that announced yesterday it had disrupted the RedLine and META malware-as-a-service (MaaS) platforms.
The operation was spearheaded by the Dutch police working with international partners, including the FBI, U.S. Department of Justice, and Eurojust, achieving unprecedented disruption to two highly impactful MaaS operations that have stolen millions of account credentials.
The U.S. DOJ announced today charges against Maxim Rudometov based on evidence of his direct involvement with the creation of RedLine and the management of its operations.
“Rudometov regularly accessed and managed the infrastructure of RedLine Infostealer, was associated with various cryptocurrency accounts used to receive and launder payments, and was in possession of RedLine malware,” reads the announcement from the DOJ.
Rudometov faces the following charges for his involvement and leading role in the RedLine infostealer operation.
- Access Device Fraud under 18 U.S.C. § 1029, with a maximum penalty of 10 years in prison.
- Conspiracy to Commit Computer Intrusion under 18 U.S.C. §§ 1030 and 371, with a maximum penalty of 5 years in prison.
- Money Laundering under 18 U.S.C. § 1956, with a maximum penalty of 20 years in prison.
If convicted on all counts, he could face up to 35 years in prison. However, it is unclear if the threat actor has been arrested at this point.
The U.S. DOJ noted that the investigation is still underway and does not believe it possesses all the evidence in the form of data stolen by the malware.
Additional information was also released by Eurojust and the Dutch police today, revealing that the authorities took down three servers in the Netherlands and seized two domains used for command and control operations by RedLine and META.
Two people were also arrested in Belgium, with one already being released and the other said to be a customer of the malware operations.
The authorities were led to the core part of the infrastructure after receiving tips from ESET, mapping an extensive network of over 1,200 servers located in multiple countries, which communicated with the central servers in the Netherlands.
Telegram accounts used by RedLine and META to promote the malware to interested buyers have also been seized, so the sales channels have been disrupted too.
Unfortunately, if Rudometov is still at large there is nothing stopping the threat actor from rebuilding the malware infrastructure and relaunching operations.
ESET launches online scanner
Cybersecurity firm ESET, which participated in the crackdown operation as a technical advisor, released an online scanner to help potential victims determine if they are infected by info-stealer malware.
Downloading the scanner opens step-by-step instructions on how to use it, while it’s also possible to set it to perform periodic scans for continuous protection.
ESET suggests that those who get positive scan results, meaning they’re infected, should change their online account passwords and monitor their financial account activity closely.