
US DOJ charges Russian man behind RedLine info stealer

The Russian national suspected of developing the RedLine info-stealer malware has been charged by the US.

Daniel Croft
Wed, 30 Oct 2024

Maxim Rudometov was named this week as the suspected developer and leader of the RedLine malware operation. The naming was a result of "Operation Magnus", an international law enforcement operation led by the Dutch Police, with the assistance of the US Department of Justice (DOJ), the FBI and Eurojust, as well as Australian and UK agencies.

Info stealers such as RedLine are sold to cyber criminals on a subscription basis. Once installed on a victim's machine, they exfiltrate stored credentials, browser data and session cookies, and the stolen cookies let the buyer bypass multifactor authentication by replaying an already-authenticated session.

“The stolen information – referred to as ‘logs’ – is sold on cyber crime forums and used for further fraudulent activity and other hacks,” said the DOJ.


“RedLine has been used to conduct intrusions against major corporations. RedLine and Meta info stealers can also enable cyber criminals to bypass multifactor authentication (MFA) through the theft of authentication cookies and other system information.”
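The MFA bypass the DOJ describes works because a stolen session cookie is accepted by the site as proof that MFA already happened. The following is an added example, not code from the article or from any party named in it, of a server-side control that blunts that replay: the session is bound at login to a fingerprint of the client it was issued to, and a request presenting the same cookie from a different client is refused and surfaced as an alert rather than treated as an MFA-satisfied session. The class, function names, server key and sample requests are all constructed for illustration.

```python
"""
Added example (not from the article): bind a session cookie to the client it
was issued to, so a cookie lifted by an info stealer and replayed from the
operator's machine is rejected and logged instead of granting access.
All identifiers and sample requests below are constructed for illustration.
"""
import hashlib
import hmac
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)  # assumed per-deployment secret


def client_fingerprint(ip: str, user_agent: str) -> str:
    """Keyed hash of the client's /24 prefix and User-Agent.

    The /24 prefix, rather than the full address, keeps ordinary DHCP/NAT
    churn from logging legitimate users out; a move to a different network
    or browser still changes the fingerprint.
    """
    prefix = ".".join(ip.split(".")[:3])
    material = f"{prefix}|{user_agent}".encode()
    return hmac.new(SERVER_KEY, material, hashlib.sha256).hexdigest()


class SessionStore:
    """In-memory session table with fingerprint binding and replay alerts."""

    def __init__(self, max_age_s: int = 8 * 3600):
        self.sessions = {}
        self.alerts = []          # records of suspected cookie replay
        self.max_age_s = max_age_s

    def issue(self, user: str, ip: str, user_agent: str) -> str:
        """Create a session after the user has completed password + MFA."""
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {
            "user": user,
            "fp": client_fingerprint(ip, user_agent),
            "issued": time.time(),
        }
        return sid

    def validate(self, sid: str, ip: str, user_agent: str):
        """Return (user, "ok") or (None, reason) for a presented cookie."""
        s = self.sessions.get(sid)
        if s is None:
            return None, "unknown-session"
        if time.time() - s["issued"] > self.max_age_s:
            self.sessions.pop(sid, None)
            return None, "expired"
        if not hmac.compare_digest(s["fp"], client_fingerprint(ip, user_agent)):
            # Same cookie, different client: treat as probable token theft.
            # Revoke the session so neither party can keep using it, and
            # record an alert for the SOC with the presenting client's details.
            self.alerts.append(
                {"user": s["user"], "sid": sid[:8], "ip": ip, "ua": user_agent}
            )
            self.sessions.pop(sid, None)
            return None, "fingerprint-mismatch"
        return s["user"], "ok"


def demo():
    """Constructed scenario: victim session, then replay from an operator box."""
    store = SessionStore()
    victim_ua = "Mozilla/5.0 (Windows NT 10.0) Chrome/118"
    sid = store.issue("alice", "203.0.113.45", victim_ua)
    same_client = store.validate(sid, "203.0.113.45", victim_ua)
    # Constructed: the stolen cookie presented from a different host and browser.
    replay = store.validate(sid, "198.51.100.7", "Mozilla/5.0 (X11; Linux x86_64) Firefox/119")
    return same_client, replay, len(store.alerts)


if __name__ == "__main__":
    print(demo())
```

The check raises the cost of cookie replay but does not eliminate it: stealer logs usually include the victim's User-Agent, and an operator who also proxies through a nearby network can match the fingerprint. Short session lifetimes, re-prompting for MFA before sensitive actions, and revoking all sessions when a stealer infection is confirmed are the complementary controls.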

Now, following his naming in Operation Magnus, the DOJ has revealed charges against Rudometov, claiming he managed RedLine.

“According to the complaint, Rudometov regularly accessed and managed the infrastructure of RedLine Infostealer, was associated with various cryptocurrency accounts used to receive and launder payments and was in possession of RedLine malware,” said the DOJ.

“For his actions, he has been charged with access device fraud, in violation of 18 U.S.C. § 1029, conspiracy to commit computer intrusion, in violation of 18 U.S.C. §§ 1030 and 371, and money laundering, in violation of 18 U.S.C. § 1956.”

If convicted, Rudometov faces a maximum of 35 years in prison: 10 for access device fraud, five for conspiracy to commit computer intrusion and 20 for money laundering. However, the DOJ said that at this stage, the complaint is "merely an allegation".

Alongside the seizure of the RedLine infrastructure, Operation Magnus also seized the Meta info stealer. According to the DOJ, collected victim log data from infected devices shows that “millions of unique credentials (usernames and passwords), email addresses, bank accounts, cryptocurrency addresses, credit card numbers, etc” were stolen through the use of the two info stealers.

Earlier this month, 28-year-old Ukrainian national Mark Sokolovsky pleaded guilty to one count of conspiracy to commit computer intrusion in a US federal court after he was arrested in 2022 for his role in the Raccoon Infostealer malware.

Following Sokolovsky’s March 2022 arrest, the FBI was able to take down the infrastructure supporting the info stealer, disrupting the existing version of the malware at the time.

The disruption did not last. Other operators of the malware promised a comeback on a Russian-language hacking forum in March 2022, and months later researchers with cyber security firm Sekoia's threat intelligence team found evidence of a new version of Raccoon Stealer in circulation.

By May 2022, Raccoon Stealer v2 was being sold on both Telegram and hacking forums, and by 10 June 2022, its administration panel was showing up in searches on the Shodan search engine.

“Samples of Raccoon Stealer v2 were therefore observed in the wild since May 16, 2022,” Sekoia’s researchers said in a blog post on 28 June 2022.

“As for the previous version, threat actors mainly distribute the information stealer using fake installers, or cracked versions of popular software.”

Sokolovsky has also agreed to pay restitution of at least US$910,844.61 and a forfeiture money judgment of US$23,975.
