A coalition of international law enforcement agencies say they have disrupted the operations of two prolific infostealers that stole the sensitive data of millions of people.
The Dutch National Police, who led the so-called “Operation Magnus” takedown, reports it gained “full access” to the servers used by the Redline and Meta infostealers.
Infostealers are a type of malware specifically designed to extract sensitive information, such as passwords, credit card data, search histories, and the contents of cryptocurrency wallets, from an infected system.
Redline is considered one of the most prolific strains of infostealer malware. Criminals have been using Redline, which has been active since 2020, to steal the sensitive data of hundreds of millions of people, according to a recent report. The malware has been attributed to a 2022 hack at Uber, the theft of login details from Worldcoin Orb operators, and the breach of a senior official at Israel’s National Cybersecurity Directorate.
Meta is a relatively new infostealer, though Operation Magnus notes: “We gained full access to all Redline and Meta servers. Did you know they were actually pretty much the same?”
In a video posted to the website on Monday, the agencies say they were able to access the usernames, passwords, IP addresses, timestamps and registration dates, along with the source code for both infostealers, and the Telegram bots used by the operators of the malware.
The agencies also teased a list of usernames belonging to “VIP” — or “very important to the police” — users of the Redline and Meta infostealers. It’s not yet clear if any arrests have been made as part of the operation, but the website claims that “legal actions are underway.”
Operation Magnus, which was supported by the U.S. Federal Bureau of Investigation and the U.K.’s National Crime Agency, was announced on a newly created website outing the Redline and Meta operations. Simone van Wordragen, a spokesperson for the Dutch National Police, told TechCrunch that it will release more information about the takedown on Tuesday.
A similar takedown approach was taken during the recent operation targeting LockBit, which saw police take control of the ransomware gang’s dark web leak site to post details of the operation.
Carly Page is a Senior Reporter at TechCrunch, where she covers the cybersecurity beat. She has spent more than a decade in the technology industry, writing for titles including Forbes, TechRadar and WIRED.
You can contact Carly securely on Signal at +441536 853956 or via email at carly.page@techcrunch.com.
Subscribe for the industry’s biggest tech news