
How a series of opsec failures led US authorities to the alleged developer of Redline password-stealing malware

US prosecutors have indicted Russian national Maksym Rudometov for his alleged involvement in the development and distribution of the notorious Redline password-stealing malware.

The charges were announced as part of Operation Magnus, first disclosed by the Dutch national police on Monday. The operation, years in the making, saw international law enforcement dismantle the infrastructure of Redline and Meta, two prolific strains of malware used to steal sensitive information from millions of people.

The complaint, unsealed Tuesday, revealed how a series of operational security (“opsec”) mistakes led authorities to identify Rudometov. According to the indictment, Rudometov used a Yandex email account known to law enforcement to register accounts on Russian-language hacker forums, where he used several aliases that were reused on other platforms, including Skype and iCloud.

US authorities say they were able to retrieve files from Rudometov’s iCloud account, including “numerous files that antivirus systems identified as malware, including at least one that was… identified as Redline.”

According to the complaint, the same Yandex email address was also used by Rudometov to create a public profile on the Russian social network VK. Law enforcement found Rudometov to be “very similar” to the person pictured in an ad found in an earlier blog post about Redline. The ad promoted the individual’s skills in “writing botnets and theft.”

Rudometov also allegedly used one of his hacker names — “ghacking” — on the VK dating site, according to the complaint.

[Image: a screenshot of a dating profile used by the alleged developer of the Redline malware. Image credits: US Department of Justice]

After receiving a tip from an unnamed security firm in August 2021, US authorities obtained a search warrant to analyze data found on one of Redline’s servers. That data provided additional information, including IP addresses and a Binance address registered to the same Yandex account, connecting Rudometov with the development and deployment of the well-known infostealer.

“Rudometov routinely accessed and operated Redline’s wiretapping infrastructure, was linked to various cryptocurrency accounts used to receive and launder payments, and possessed Redline’s malware,” the Justice Department said Tuesday. The complaint revealed that Redline was used to infect millions of computers worldwide since February 2020, including “several hundred” machines used by the US Department of Defense.

It is not yet known whether Rudometov has been arrested. If convicted, he faces up to 35 years in prison.

Europol and Dutch police also released more information about Operation Magnus on Tuesday, revealing that three servers were taken offline in the Netherlands, along with two domains used by Redline and Meta for command-and-control operations.

Authorities also took down several Telegram accounts linked to the malware, “causing the thieves to stop selling,” and two more people — including a customer of the malware — were arrested in Belgium.