The Dutch National Police, along with partner law enforcement agencies, has disrupted the operation of the Redline and Meta infostealers and has collected information that may unmask users who paid to leverage the infamous malware.
Screenshot of the Redline License Server panel (Source: Operation Magnus)
About Redline and Meta
Redline and Meta (aka MetaStealer) are infostealers, capable of exfiltrating a variety of sensitive information:
- Info about the victims’ machine/OS (Windows and macOS)
- Credentials, credit card data and browser history from web browsers
- Credentials for cryptocurrency wallets
- Credentials for instant messaging and VPN applications, FTP clients, and more
Redline was first spotted in 2020 and has since become one of the most popular inforstealers out there. Meta landed in dark web markets in 2022, and has the added distinction of being a threat targeting macOS users (and businesses).
Both are distributed under a malware-as-a-service model, meaning that the criminals who develop the malware sell access to it and to infrastructure for deploying and using it to less skilled cyber criminals.
Operation Magnus
On a dedicated page naming the international law enforcement organizations that took part of Operation Magnus, the Dutch Police says – in video marketing style – that they’ve:
- Gained full access to all Redline and Meta servers (“Did you know, actually, that they’re pretty much the same?”)
- Gained access to the Redline and Meta source code, including the license servers, REST API servers, panels, stealers, and Telegram bots
- Collected username, passwords, IP addresses, timestamps and registration date for the users of the two infostealers, including the VIP users
As proof, the video shows screenshots of various panels, source code, as well as law enforcement flipping through the licensing server panels, and usernames belonging to the users of the two tools.
Operation Magnus is obviously trying to replicate the slow “dripping” of positive announcements the NCA-led Operation Cronos delivered when disrupting the LockBit ransomware-as-a-service operation: the Operation Magnus page also shows a countdown promising more news in roughly 21 hours.
There is currently no mention of arrests related to the disruption or of customers that may have been identified, but – the video says – “involved parties will be notified, and legal actions are underway.”