International law enforcement disrupted the operations of two of the most widely used infostealer malware families around the globe, RedLine and Meta, in an action dubbed “Operation Magnus.”
According to a notice on the official website where the first details of the takedown appeared, the action was a coordinated effort led by the Dutch Police authorities and supported by the FBI and other international law enforcement partners including the United Kingdom, Australia, Belgium, and Portugal.
“Operation Magnus, disrupted operation of the Redline and Meta infostealers. Involved parties will be notified, and legal actions are underway,” the notice said.
Along with the notice, the law enforcement agencies included a 50-second video, which stated that they “gained full access to RedLine and Meta [stealers] servers.”
Investigation Began a Year Back on a Tip-Off
The Dutch Police began investigating the two infostealer operations based on a tip-off from the cybersecurity firm ESET’s Netherlands arm. The tip pointed to the presence of servers in the Netherlands linked to the malware.
“The investigation started over a year ago under the leadership of the Public Prosecution Service Parket Limburg,” the Dutch police said. “Through this investigation, Team Cybercrime [cybercrime unit of Dutch police] gained insights into the technical infrastructure of the infostealers, the communication channels used and the entire user base.” [sic]
What’s Been Taken Down in Operation Magnus
Eurojust, which coordinated the operation between international law enforcement agencies, said, “Investigations into RedLine and Meta started after victims came forward and a security company notified authorities about possible servers in the Netherlands linked to the software. Authorities discovered that over 1200 servers in dozens of countries were running the malware.”
Of these, three servers were taken down in the Netherlands and two domains were seized, Eurojust said. Apart from this, charges were unsealed in the United States and two people were arrested in Belgium.
The law enforcement agencies also took down multiple Telegram accounts where the RedLine and Meta infostealers were offered to customers via Telegram bots. “Until recently, Telegram was a service where criminals felt untouchable and anonymous. This action has shown that this is no longer the case,” the Dutch police said. “Taking these groups offline has caused the sale of the stealers RedLine and META to come to a standstill.”
The police were also able to infiltrate the infrastructure of both infostealers, which is now offline. “The malware no longer functions and it is no longer possible to steal new data from (infected) victims. Law enforcement was able to hack into the main frame infrastructure including the licensed servers, REST-API servers, stealers and Telegram bots.”
After the takedown, authorities communicated directly with the alleged perpetrators, and sent them messages including a video. “The video sends a strong message to the criminals, showing that the international coalition of authorities was able to obtain crucial data on their network and will shut down their criminal activities,” Eurojust said.
Law enforcement in Belgium took down several RedLine and Meta communication channels after sending the message and video.
The video is likely the same one that is posted on the “Operation Magnus” website. It states that the two infostealers are pretty much the same and that the version now dismantled gave unique insights into the customers who used this malware-as-a-service (MaaS) offering through the dark web. This includes the usernames, passwords, IP addresses, timestamps, registration dates, etc. of all those who have registered with and taken services from this MaaS provider.
Eurojust confirmed the retrieval of RedLine and Meta infostealers client data. “Investigations will now continue into the criminals using the stolen data,” it said.
Apart from this, a scrolling list of usernames, which the authorities called “VIP clients,” was also shown, but it is not clear whether they have been arrested or indicted. As per the timer set on the official website, more details will be revealed in a day’s time. A joint statement is expected.

The manner of setting up a website and revealing details in this case is similar to “Operation Endgame,” again a major international law enforcement operation, which disrupted a large-scale botnet infrastructure, targeting notorious malware droppers like IcedID, SystemBC, Pikabot, Smokeloader, Bumblebee and TrickBot.
*UPDATED (Oct 29, 5:30 AM ET): The article was updated with takedown details of Operation Magnus shared by Eurojust.
*UPDATED (Oct 29, 6:15 AM ET): The article was updated to include details released by the Dutch Police authorities.
*This is a developing story and will be updated as more information is available.






































