Cybercrime
,
Fraud Management & Cybercrime
Cops Recover Redline, Meta Infostealer Data; Promise Criminal Users: ‘See You Soon’
The Dutch National Police infiltrated two prominent information-stealing malware services and obtained information pertaining to their criminal users.
See Also: The Healthcare CISO’s Guide to Medical IoT Security
Working with the FBI and other agencies in a task force codenamed Operation Magnus, the Dutch National Police on Monday said they “disrupted operation of the Redline and Meta infostealers,” after gaining “full access” to the servers powering each service, allowing them to seize voluminous amounts of data tied to both operations.
“Involved parties will be notified, and legal actions are underway,” promises an animated, informational video posted by the Dutch National Police to a dedicated operation-magnus.com website. Europol, the EU’s law enforcement intelligence agency, confirmed the operation.
Information obtained by infiltrating the infostealers’ infrastructure included usernames, plus passwords, IP addresses, timestamps and registration details. Also obtained: full source code for both infostealers, details pertaining to server licenses, Rest API servers, control panels and stealers, and access to Telegram bots.
The tongue-in-cheek police video, set to lounge music, also lists numerous nicknames tied to alleged users – including “Heijs,” “Admin12,” “dogvile,” “Jerry_Gogen,” “Sheol” and “Cryptoghost” – and labels them each as being a VIP, “where VIP means ‘very important to the police.'”
The video adds: “We are looking forward to seeing you soon.”
The U.S.-based security researcher who goes by “RussianPanda9xx” said the video is being distributed directly to alleged users of the infostealers and sister services through their dedicated Telegram channels. She’s seen a message from Dutch law enforcement posted to the Telegram channel for the Spectrum bot, which is “one of the main crypt services for Redline and Meta.”
Malware crypting services, or “crypters,” refer to software or services “designed to encrypt, obfuscate and manipulate malware to ensure it can bypass security software and controls,” said threat intelligence firm Intel 471. Many malware users rely on these crypting – aka repacking – services to ensure they can reliably infect targets.
“There will be a few worried people out there as the police message those swept up in the user database,” said Alan Woodward, a professor of computer science at England’s University of Surrey, in a post to the social platform X.
Infostealers such as Redline and Meta are designed to exfiltrate data from an infected system – aka “bot” – and batch it into “logs” containing information of value to other criminals, which get sold on dedicated markets and via automated Telegram channels.
“These tools are designed to gather sensitive information from systems, ranging from login details (usernames & passwords) to keyloggers that record keystrokes,” said Tobias Wieloch, a head of team at Europol’s European Cyber Crime Centre, or EC3, in a post to LinkedIn pertaining to Operation Magnus.
Stolen log data often includes login information stored in browsers, including “passwords, cookies, credit card details, crypto wallet data and more,” said threat intelligence firm Kela.
Some criminals also use Telegram channels “as a data exfiltration server for infostealer malware,” André Tavares, a senior threat researcher at cybersecurity ratings firm Bitsight, said in a recent report.
Cybercriminals also use Telegram for private sales of logs. Multiple groups offer subscribers Telegram-based access to their private “cloud of logs” service, providing a frequently updated repository of logs (see: Info-Stealing Malware Populates ‘Cloud of Logs’ Offerings).
This isn’t the first time that Dutch police have worked to take down an infostealer operation. A joint Dutch-Italian police operation in March 2022 dismantled Raccoon infostealer infrastructure, used at the time to filch personal data from victims’ computers, including log-in credentials, financial information and session cookies tied to dozens of different types of applications (see: Ukrainian Pleads Guilty for Role in Raccoon Stealer Malware).