Technology

How a series of opsec failures led US authorities to the alleged developer of the Redline password-stealing malware


U.S. prosecutors have charged Russian national Maxim Rudometov over his alleged involvement in developing and distributing the notorious Redline password-stealing malware.

The charges were announced as part of “Operation Magnus,” first unveiled by the Dutch National Police on Monday. This years-in-the-making operation saw international law enforcement agencies dismantle the infrastructure of Redline and Meta, two prolific malware strains that have been used to steal sensitive information from millions of people.

A complaint unsealed on Tuesday revealed how a series of operational security — or “opsec” — errors led to the authorities identifying Rudometov. According to the indictment, Rudometov used a Yandex email account known to law enforcement to register accounts on Russian-language hacking forums, where he used a handful of monikers that were re-used across other platforms including Skype and iCloud. 

U.S. authorities say they were able to retrieve files from Rudometov’s iCloud account, including “numerous files that were identified by antivirus engines as malware, including at least one that was… determined to be Redline.”

The same Yandex email address was also used by Rudometov to create a publicly viewable profile on the Russian social networking service VK, according to the complaint. Law enforcement found that Rudometov “bore a close resemblance” to an individual depicted in an advertisement found in an earlier blog post about Redline. The advertisement promoted the individual’s skills in “writing botnets and stealers”. 

Rudemetov allegedly also used one of his hacking monikers — “ghacking” — on VK’s dating website, according to the complaint.

a screenshot of a dating profile used by the alleged developer of the Redline information stealing malware.
a screenshot of a dating profile used by the alleged developer of the Redline information stealing malware. Source: TechCrunch (screenshot)Image Credits:Department of Justice

After receiving a tip from an unnamed security firm in August 2021, U.S. authorities obtained a search warrant to analyze the data found in one of the servers used by Redline, which provided additional information — including IP addresses and a Binance address registered to the same Yandex account — linking Rudometov to the development and deployment of the notorious infostealer. 

“Rudometov regularly accessed and managed the infrastructure of Redline infostealer, was associated with various cryptocurrency accounts used to receive and launder payments, and was in possession of Redline malware,” the DOJ said on Tuesday. The complaint revealed that Redline had been used to infect millions of computers around the world since February 2020, including “several hundred” machines used by the U.S. Department of Defense. 

It’s not yet known if Rudometov has been arrested. If convicted, he faces up to 35 years in prison.

Europol and the Dutch police also revealed further information about Operation Magnus on Tuesday, revealing that three servers were taken offline in the Netherlands and two domains used for command and control operations by Redline and Meta were seized.

Authorities also took down multiple Telegram accounts associated with the malware, which has “caused the sale of the stealers… to be halted”, and two additional individuals — including a customer of the malware — were arrested in Belgium.



Source link