Operation Magnus: FBI strikes a blow against RedLine malware

Luca Cadonici
02/12/2024

On 28 October, the FBI (in cooperation with law enforcement agencies in Europe, the UK, and Australia) conducted Operation Magnus, seizing servers and acquiring the source code of the infamous infostealer RedLine, an example of MaaS (Malware-as-a-Service) active since 2020, which has compromised millions of users worldwide by stealing sensitive data such as credit card details, browser history, passwords, auto-fill data, and emails.

What is RedLine?

RedLine is malware classified as an infostealer, designed to steal sensitive information from infected machines. It can steal login credentials saved in browsers, credit card data, web history, auto-fill information and even details of cryptocurrency wallets. The ease with which RedLine spreads and the way it can be adapted by cybercriminals make it one of the most prevalent threats in the cybersecurity landscape.

What is MaaS (Malware-as-a-Service)?

MaaS (Malware-as-a-Service) is a criminal business model in which malware developers offer their malware for a fee, similar to a subscription service. In practice, cybercriminals without advanced technical knowledge can ‘rent’ or purchase tools such as RedLine for targeted attacks, paying the developers a fee or a percentage of the illicit earnings. The success of this distribution model has made cybercrime operations accessible to a much wider range of malicious users.

The investigation

In August 2021, a security firm voluntarily reported data from one of RedLine’s licence servers to the US government. With a search warrant, investigators discovered evidence linking Russian cybercriminal Maxim Rudometov to the creation and distribution of RedLine. According to an FBI arrest warrant, Rudometov accessed the licence server using several aliases. On 16 May 2021, a user with the name ‘Heijs’ and an IP address ending in .180 requested a RedLine build from the licence server. Shortly afterwards, the same IP logged into an iCloud account belonging to Rudometov. The investigation then revealed additional IP addresses associated with Rudometov’s online accounts, used under names such as “Admin12” and “testpanel.”

On the trail of Rudometov

On 2 May 2021, a person with an IP address ending in .14 signed a malicious file via the server. About an hour earlier, the same IP had logged into Rudometov’s iCloud account. This IP address, assigned to an Internet service provider in Krasnodar, linked Rudometov’s activities from hacker forums to a GitHub repository containing exploits for Windows devices. The FBI published some pictures of Rudometov, including some from his VK profile, indicating that he lived in Luhansk, Ukraine. However, digital evidence collected by the research group OSINord locates him in Krasnodar, Russia, complicating the possibility of direct legal action.