Dutch National Police and international partners dismantled the infrastructure behind Redline and MetaStealer — two of the most widely distributed infostealer malware families — in Operation Magnus on October 28, 2024. Three command-and-control servers in the Netherlands were seized alongside two domains, disrupting an estimated 1,200 servers across dozens of countries. The US DOJ charged one of Redline’s developers and administrators, while Belgian authorities arrested two others.
Stories Covered
Operation Magnus: Redline and MetaStealer Infostealer Infrastructure Dismantled
A multinational law enforcement task force codenamed Operation Magnus — involving authorities from the Netherlands, United States, United Kingdom, Belgium, Portugal, and Australia — shut down the backend infrastructure for Redline and MetaStealer, two major infostealer malware families offered as malware-as-a-service. The operation, which shut down three servers in the Netherlands and confiscated two domains, disrupted an estimated 1,200 servers across dozens of countries that were running the malware. The investigation was initiated a year earlier based on a tip from cybersecurity company ESET identifying the C2 servers’ location in the Netherlands. Data seized in the operation included usernames, passwords, IP addresses, timestamps, registration dates, and the source code of both infostealer families. Multiple Telegram accounts associated with the malware operations were also taken offline.
The US Department of Justice charged Maxim Rudomantov, identified as a developer and administrator of the Redline infostealer, with access device fraud, conspiracy to commit computer intrusion, and money laundering. If convicted, he faces a maximum of 30 years in prison. Rudomantov is alleged to have regularly accessed and managed Redline’s infrastructure and was associated with cryptocurrency accounts used to receive and launder payments. Belgian police arrested two additional individuals connected to the operations, with one released and one remaining in custody. The infrastructure topology is notable: 1,200 distributed servers all funneling back to just three central C2 nodes made the operation relatively centralized for its scale — a structural choice that simplified the takedown once the central nodes were identified.
Redline and MetaStealer (the Windows variant, distinct from the separately named MacOS-targeting MetaStealer) were both distributed via Telegram channels and sold to customers as malware-as-a-service subscriptions. Infostealers in this category harvest browser-stored passwords, session cookies, saved credit card data, cryptocurrency wallet files, and system metadata — then exfiltrate everything to the operator’s collection infrastructure. The stolen data is typically sold in bulk on dark web markets or used directly for account takeovers and financial fraud. Dutch law enforcement noted that Telegram had previously been treated as an untouchable, anonymous platform by criminal operators — a perception that the Operation Magnus seizures, combined with recent legal pressure on Telegram itself, are actively working to change. The malware-as-a-service model mirrors legitimate SaaS economics: recurring subscription revenue funds continued development, making these operations self-sustaining as long as customers keep paying. Seizing the source code alongside the infrastructure limits the ability of remaining operators to simply relaunch under a new name without significant rebuilding effort.
Leave a Reply