Dutch Police Disrupt Major Info Stealers RedLine and MetaStealer in Operation Magnus

0

The Dutch National Police, along with international partners, have announced the disruption of the infrastructure powering two information stealers tracked as RedLine and MetaStealer.

The takedown, which took place on October 28, 2024, is the result of an international law enforcement task force codenamed Operation Magnus that involved authorities from the U.S., the U.K., Belgium, Portugal, and Australia.

Eurojust, in a statement published today, said the operation led to the shut down of three servers in the Netherlands and the confiscation of two domains. In total, over 1,200 servers in dozens of countries are estimated to have been used to run the malware.

As part of the efforts, one administrator has been charged by the U.S. authorities and two people have been arrested by the Belgian police, the Politie said, adding one of them has since been released, while the other remains in custody.

Investigation into the technical infrastructure of the information stealers began a year ago based on a tip from cybersecurity company ESET that the servers are located in the Netherlands.

Among the data seized included usernames, passwords, IP addresses, timestamps, registration dates, and the source code of both the stealer malware. In tandem, several Telegram accounts associated with the stealer malware have been taken offline. Further investigation into their customers is ongoing.

“The infostealers RedLine and MetaStealer were offered to customers via these groups,” Dutch law enforcement officials said. “Until recently, Telegram was a service where criminals felt untouchable and anonymous. This action has shown that this is no longer the case.”

It’s worth noting that the MetaStealer target as part of Operation Magnus is different from the MetaStealer malware that’s known to target macOS devices.

Information stealers such as RedLine and MetaStealer are crucial cogs in the cybercrime wheel, allowing threat actors to siphon credentials and other sensitive information that could then be sold off to other threat actors for follow-on attacks like ransomware.

Stealers are typically distributed under a malware-as-a-service (MaaS) model, meaning the core developers rent access to the tool to other cybercriminals either on a subscription basis or for a lifetime license.

(This is a developing story. Please check back for more updates.)

LEAVE A REPLY

Please enter your comment!
Please enter your name here