The Dutch National Police have seized the network infrastructure for the Redline and Meta infostealer malware in Operation Magnus, warning cybercriminals that their data is now in the hands of law enforcement.
Operation Magnus was announced on a dedicated website, which reported the disruption of the Redline and Meta operations and said that legal proceedings were already underway based on the seized data.
“On October 28, 2024, the Dutch National Police, in close cooperation with the FBI and other partners of the international law enforcement task force Operation Magnus, disrupted the activities of the Redline and Meta infostealers,” reads a short announcement on the Operation Magnus website.
“Interested parties will be notified and legal action is underway.”
Redline and Meta are infostealers that harvest data saved in browsers on an infected device, including login credentials, authentication cookies, browsing history, sensitive documents, SSH keys, and cryptocurrency wallets.
The attackers then sell the data or use it to launch large-scale attacks on networks, leading to data theft, ransomware incidents, and cyber espionage.
Politie reports that they were able to disrupt the operation with the help of international law enforcement partners, including the FBI, NCIS, the US Department of Justice, Eurojust, the NCA, and the Portuguese and Belgian police.
The agencies released the following video announcing a “final update” for Redline and Meta users, warning that they now have login credentials, IP addresses, activity timestamps, registration data, and more.
• Source: http://www.operation-magnus.com/
This clearly shows that investigators have evidence that can be used to track down the cybercriminals who used the malware, so arrests and prosecutions are likely to be announced in the future.
Furthermore, authorities said they had access to the source code for both malware families, including license servers, REST API services, dashboards, data-stealing binaries, and Telegram bots.
As stated in the video, Meta and Redline share the same infrastructure, so it is likely that the same creators and operators are behind both projects.
Although there were some initial doubts about the authenticity of the claims, Europol and the NCA confirmed to BleepingComputer that the operation is legitimate.
Malware researcher g0njxa told BleepingComputer that both Redline and Meta were sold via Telegram bots, which have now been removed.
More details on the operation, the infrastructure taken over, and possible arrests will be released tomorrow.
Police warn hackers
Dutch police have a long history of contacting cybercriminals after law enforcement operations to warn them that they are not anonymous and are being monitored.
After the Emotet botnet was taken down, Dutch police created accounts on hacker forums to warn cybercriminals that they are being closely monitored.
After the RaidForums forum was taken over in 2022, Dutch police sent emails, letters, and personal calls demanding “stop” to underage RaidForums members to warn them that their actions were illegal.
BleepingComputer has learned that Dutch police are using the same tactics as part of Operation Magnus, creating forum accounts and sending direct messages warning attackers that they are being closely monitored.
“This is an official notice from law enforcement. Earlier this year, we took control of the infrastructure of the infostealers Redline and Meta, as well as their customer data,” reads a post on a Russian-language XSS hacking forum. “This operation is being carried out in cooperation with international law enforcement. The parties involved will be notified and legal action is underway. For more details (or arrest warrants), visit: https://www.operation-magnus.com”
Threat researcher Russian Panda of eSentire also shared a screenshot of direct messages that Dutch police sent to the cybercriminals warning them of the operation.
“Law enforcement has breached the infrastructure of Redline and Meta, including the entire user database,” reads the message sent to a suspected cybercriminal.
“Your customer data is part of this data set. We are reviewing this data as part of an ongoing international coordinated investigation.”
A cybersecurity scourge
Information-stealing malware has become a major concern for businesses over the past couple of years, with stolen credentials commonly sold on the dark web or distributed for free to gain a reputation in the hacker community.
Information-stealing malware campaigns have become widespread, with attackers targeting victims through zero-day vulnerabilities, fake VPNs, fake GitHub bug fixes, and even StackOverflow answers.
One of the most widely used information stealers is Redline, which was launched in 2020 and has since been responsible for the theft of enormous numbers of victims’ passwords, authentication cookies, cryptocurrency wallets, and other sensitive data.
Meta, aka MetaStealer, is a newer Windows malware project announced in 2022 and marketed as an improved version of Redline. From the Operation Magnus announcement, we now know that Meta was likely created by the same developers as Redline.
It should be noted that the Meta stealer disrupted in Operation Magnus is different from the MetaStealer malware that targets macOS devices.
Dmitry Smilyanets, director of product management at Recorded Future, said on X that Redline and MetaStealer had stolen a combined 227 million credentials (unique pairs of email addresses and passwords) in 2024.
Data collection metrics from Recorded Future Identity Intelligence paint a stark picture of the overall activity, indicating that the Redline malware has stolen nearly a billion credentials since it was first launched.
A joint report from Specops and KrakenLabs also found that attackers used Redline to steal over 170 million passwords in just six months.
The stolen credentials are then used, or sold to other threat actors, to breach corporate networks as part of cyber attacks.
Stolen credentials have been used to carry out some of the most serious breaches in recent history, including the massive Snowflake data theft attacks and the Change Healthcare ransomware attack, which caused widespread disruption to the U.S. healthcare system.
Source