The identity of a suspected developer and administrator of the Redline malware-as-a-service operation has been revealed: Russian national Maxim Rudometov.
Infrastructure takedown
As promised on Monday when they announced the disruption of the Redline and Meta infostealer operations, law enforcement Operation Magnus has unveiled on Tuesday how the takedown played out.
“Investigations into Redline and Meta started after victims came forward and a security company notified authorities about possible servers in the Netherlands linked to the software. Authorities discovered that over 1,200 servers in dozens of countries were running the malware,” shared Eurojust, the European Union Agency for Criminal Justice Cooperation.
Eurojust coordinated the information exchange between and actions taken by authorities from the Netherlands, the United States, Belgium, Portugal, United Kingdom and Australia, which resulted in three servers taken down in the Netherlands, two seized domains, the disruption of several Redline and Meta communication channels (Telegram), and two people – suspected customers of Rudometov’s – being taken into custody in Belgium.
“The authorities also retrieved a database of clients from Redline and Meta. Investigations will now continue into the criminals using the stolen data,” Eurojust added.
The security company mentioned in the latest announcements is ESET, which also made available a scanner that Windows users can leverage to check whether they’ve been infected with the Redline or Meta stealers and to remove the malware (if present).
It is estimated that the Redline and Meta infostealers stole information from millions of victims around the world.
Pinpointing the person behind the operation
Law enforcement managed to connect various online monikers and email addresses used by Rudometov over the years on hacking forums and link some to a VK (Russian social network) account in that name.
“A judicially-authorized search of [the Apple account registered with one of those email addresses] revealed an associated iCloud account and numerous files that were identified by antivirus engines as malware, including at least one that was analyzed by the Department of Defense Cybercrime Center (‘DC3’) and determined to be Redline,” the unsealed criminal complaint against Rudometov says.
“Notably, among the malicious files saved to Rudometov’s Apple iCloud Drive was a file entitled ‘MysteryPanel.rar’ which correlates to the [Redline infostealer]. In addition to the registration information indicating Rudometov was the owner of the Apple account, the account contained photos that included Rudometov’s official identification documents and apparent personal photos.”
He has also been tied with a number of cryptocurrency accounts that were used to receive and launder payments, and the malware was hosted on servers controlled and accessed by him.
Rudometov has been charged by the US Department of Justice with access device fraud, conspiracy to commit computer intrusion, and money laundering.
The DOJ press release does not mention whether Rudometov is in police custody, which means he’s most likely not.
