{
	"id": "59cff54e-a190-45a9-ad18-d55bd74b8782",
	"created_at": "2026-04-06T00:07:07.259467Z",
	"updated_at": "2026-04-10T13:12:55.320775Z",
	"deleted_at": null,
	"sha1_hash": "c74b4d877ba51b8111151ab2d42cfdfc4a59daf6",
	"title": "Redline, Meta infostealer malware operations seized by police",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4353628,
	"plain_text": "Redline, Meta infostealer malware operations seized by police\r\nBy Bill Toulas\r\nPublished: 2024-10-28 · Archived: 2026-04-05 12:56:10 UTC\r\nThe Dutch National Police seized the network infrastructure for the Redline and Meta infostealer malware operations in\r\n\"Operation Magnus,\" warning cybercriminals that their data is now in the hands of law enforcement.\r\nOperation Magnus was announced on a dedicated website that disclosed the disruption of the Redline and Meta operations,\r\nstating that legal actions based on the seized data are currently underway.\r\n\"On the 28th of October 2024 the Dutch National Police, working in close cooperation with the FBI and other partners of\r\nthe international law enforcement task force Operation Magnus, disrupted operation of the Redline and Meta infostealers,\"\r\nreads a short announcement on the Operation Magnus site.\r\nhttps://www.bleepingcomputer.com/news/legal/redline-meta-infostealer-malware-operations-seized-by-police/\r\nPage 1 of 6\n\n\"Involved parties will be notified, and legal actions are underway.\"\r\nRedline and Meta are both infostealers, a type of malware that steals stored information from browsers on an infected\r\ndevice, including credentials, authentication cookies, browsing history, sensitive documents, SSH keys, and cryptocurrency\r\nwallets.\r\nThis data is then sold by threat actors or used to fuel massive network breaches, leading to data theft, ransomware attacks,\r\nand cyberespionage.\r\nPolitie says they were able to disrupt the operation with the help of international law enforcement partners, including the\r\nFBI, NCIS, the U.S. 
Department of Justice, Eurojust, the NCA, and the police forces in Portugal and Belgium.\r\nThe agencies published the following video, announcing the \"final update\" for Redline and Meta users, warning that they\r\nnow have their account credentials, IP addresses, activity timestamps, registration details, and more.\r\nThis makes it clear that the investigators hold evidence that can be used to track down cybercriminals who used the\r\nmalware, so arrests and prosecutions are likely to be announced in the future.\r\nMoreover, the authorities claimed they got access to the source code, including license servers, REST-API services, panels,\r\nstealer binaries, and Telegram bots, for both malware families.\r\nAs they stated in the video, both Meta and Redline shared the same infrastructure, so it's likely that the same\r\ncreators/operators are behind both projects.\r\nMalware researcher g0njxa told BleepingComputer that both Redline and Meta were sold through bots on Telegram, which\r\nhave now been deleted.\r\n\"These services are supported by a criminal ecosystem comprising a range of tools, infrastructure, financial services,\r\nmarketplaces and forums,\" Deputy Director Paul Foster, head of the NCA’s National Cyber Crime Unit told\r\nBleepingComputer.\r\n“International collaboration such as this is key to identifying and taking out the various elements of this ecosystem and\r\nultimately making it more difficult for cyber criminals to operate.”\r\n“As part of our continued support to Operation Magnus, the NCA will analyse all relevant data obtained as part of this\r\ndisruption and scope out further opportunities to degrade this threat.”\r\nMore information about the operation, seized infrastructure, and potential arrests is scheduled to be released tomorrow.\n\nPolice warn hackers\r\nThe Dutch police have a long history of contacting 
cybercriminals after conducting a law enforcement operation to warn\r\nthem that they are not anonymous and are being watched.\r\nAfter the disruption of the Emotet botnet, the Dutch police created forum accounts on hacker forums to warn cybercriminals\r\nthat they were being closely monitored.\r\nAfter the RaidForums forum was seized in 2022, the Dutch Police sent emails and letters and conducted in-person \"stop\"\r\ncalls to minors who were RaidForums members to warn them that their actions were illegal.\r\nBleepingComputer has learned that the Dutch Police are utilizing the same tactics as part of Operation Magnus, creating\r\nforum accounts and sending direct messages that warn threat actors that they are being closely watched.\r\n\"This is an official notice from law enforcement. Earlier this year we have taken control of Redline and Meta infostealer\r\ninfrastructure and their customer data.\" reads a post on the Russian-speaking XSS hacking forum.\r\n\"This operation is being conducted in collaboration with international law enforcement agencies. Involved parties will be\r\nnotified, and legal actions are underway. For details (or arrest warrants) visit: https://www.operation-magnus.com.\"\r\nOperation Magnus post on the XSS hacking forum\r\nSource: BleepingComputer\r\neSentire threat intelligence researcher Russian Panda also shared a screenshot of direct messages sent by the Dutch Police to\r\ncybercriminals, warning them of the action.\r\n\"Law enforcement has compromised the Redline and Meta infrastructure including the entire user database,\" reads the\r\nmessage sent to a suspected cybercriminal.\r\n\"Your client data is part of this dataset. 
We are reviewing this data as part of an ongoing internationally coordinated\r\ninvestigation.\"\r\nA scourge of cybersecurity\r\nOver the past couple of years, information-stealing malware has become a massive problem for the enterprise as the stolen\r\ncredentials are commonly sold on the dark web or released for free to gain a reputation in the hacking community.\r\nMalicious campaigns involving information-stealing malware have become abundant, with threat actors targeting victims\r\nthrough zero-day vulnerabilities, fake VPNs, fake fixes to GitHub issues, and even answers on StackOverflow.\r\nOne of the most common infostealers used in attacks is Redline, which launched in 2020 and has since caused widespread\r\ntheft of victims' passwords, authentication cookies, cryptocurrency wallets, and other sensitive data.\r\nMeta, aka MetaStealer, is a newer Windows infostealer malware project announced in 2022, marketed as an improved\r\nversion of Redline. 
From Operation Magnus' announcement, we now learn that Meta was likely created by the same\r\ndevelopers as Redline.\r\nIt should be noted that the disrupted Meta operation is different from the MetaStealer malware targeting macOS devices.\r\nDmitry Emilyanets, Director of Product Management at Recorded Future, shared on X that Redline and MetaStealer stole a\r\ncombined total of 227 million credentials (unique email and password pairs) in 2024.\r\nRecorded Future Identity Intelligence collection metrics paint a dire picture of the entire activity, indicating that the Redline\r\nmalware has stolen almost a billion credentials since it first launched.\r\nA joint report by Specops and KrakenLabs also shared that threat actors have used Redline to steal over 170 million\r\npasswords in just six months.\r\nThese stolen credentials are then used or sold to other threat actors to breach corporate networks as part of cyberattacks.\r\nStolen credentials have been used to power some of the most significant breaches in recent history, including the wide-scale\r\nSnowflake data theft attacks and the Change Healthcare ransomware attack, which caused massive disruption to the U.S.\r\nhealthcare system.\r\nThis is a developing story.\r\nSource: https://www.bleepingcomputer.com/news/legal/redline-meta-infostealer-malware-operations-seized-by-police/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/legal/redline-meta-infostealer-malware-operations-seized-by-police/"
	],
	"report_names": [
		"redline-meta-infostealer-malware-operations-seized-by-police"
	],
	"threat_actors": [],
	"ts_created_at": 1775434027,
	"ts_updated_at": 1775826775,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c74b4d877ba51b8111151ab2d42cfdfc4a59daf6.pdf",
		"text": "https://archive.orkl.eu/c74b4d877ba51b8111151ab2d42cfdfc4a59daf6.txt",
		"img": "https://archive.orkl.eu/c74b4d877ba51b8111151ab2d42cfdfc4a59daf6.jpg"
	}
}