Operation Magnus: Analyzing the cybercrime community reaction

International cooperation has become crucial to disrupt the operations of malicious cybercrime actors. A prime example of this is ‘Operation Magnus’ which has showcased the effectiveness of global collaboration in tackling sophisticated threats.

By dismantling their infrastructure and exposing key players, Operation Magnus not only delivered a significant blow to cybercriminals but also sent shockwaves throughout underground forums and dark web communities. This article explores the operation’s extensive reach, the reactions within the cybercriminal world, and the implications for future cybercrime enforcement.

What is Operation Magnus?

Eurojust coordinated a global operation called Operation Magnus to dismantle the RedLine and META information stealers. Led by authorities from the Netherlands, the US, Belgium, Portugal, the UK, and Australia, the operation shut down three servers in the Netherlands, seized two domains, and unsealed US charges, with two arrests made in Belgium.

The operation uncovered over 1,200 malware-infected servers across numerous countries. Belgian authorities subsequently dismantled related communication channels, while ESET launched a tool for potential victims to check if their data was compromised and get guidance on protecting themselves.

Furthermore, the US announced charges against Maxim Rudometov, a developer and administrator for RedLine, accusing him of fraud, conspiracy, and money laundering.

Law enforcement operation announced on underground forums

On October 28, 2024, several underground forums woke up with a new thread announcing that Operation Magnus was being carried out by international law enforcement authorities. The announcement was presumably made by the authorities under the username “OP_Magnus,” which had been created specifically for this purpose.

Figure 1. Screenshot of the “OP_Magnus” account on the Russian-speaking underground forum XSS, registered on October 21, 2024, a few days before the Operation Magnus announcement. The account was quickly banned after the announcement was published.

Another account was created on the Lolz Guru underground forum; however, the account and the post were later modified with a different user image, account username and link, possibly to mock law enforcement authorities.

Figure 2. Comparison of the original thread published on Lolz Guru and the updated version, which was edited by forum administrators to ridicule law enforcement. In the updated message, the Operation Magnus website link was altered to natribu[.]org, a popular website designed to tell people to “f*ck off”.

In response, many forum users also posted the same copy-pasted message, automatically translated from the original Russian, in an attempt to disclaim responsibility and avoid potential prosecution:

In case of investigation of any federal structure or similar, I have nothing to do with this forum or the people in it, I do not know how I got here, may have been added by a third party, I do not support any actions of members of this forum. Everything I’ve posted here is pure satire and will be treated as such in court. I have committed no crimes and am an innocent bystander.

This message could have been posted either as a joke or as a serious, albeit desperate, attempt to avoid criminal investigation.

Redline VIP users exposed

One of the most relevant aspects of Operation Magnus is that law enforcement published a video on the official website https://www.operation-magnus.com/ listing the names of VIP users of the RedLine information stealer, with VIP meaning “Very Important to the Police” according to the video.

This list sparked widespread concern among users on underground forums. Some confirmed the legitimacy of the nicknames included in the video, which hinted at potential legal consequences for not only the developers and sellers of RedLine but also the clients who used it to conduct data theft campaigns. The fear of exposure resonated deeply with those in the cybercriminal world, leading to discussions about tighter operational security.

Figure 3. Post by the user bratva on XSS summarizing the implications of Operation Magnus and lamenting that the list of RedLine clients with VIP status contains the nicknames they used as logins in the dashboard. Because those nicknames could be used to correlate RedLine VIP clients with other online activity, such as participation in underground forums, bratva urged stealer dashboard developers to implement random username generation for greater anonymity.

Figure 4. Post by “Boksha” confirming their own appearance on the list of RedLine logins and the validity of the list shared in the Operation Magnus video.

Criticism and OPSEC concerns

The operation’s success also sparked intense criticism within the cybercriminal community. Many users openly condemned the RedLine developer for inadequate OPSEC practices, which they blamed for the operation’s success and their subsequent exposure.

Figure 5. bratva’s post commenting on the lack of resilience of the Malware-as-a-Service (MaaS) model and criticizing the RedLine developer’s inadequate OPSEC.

These criticisms spurred further discussions on how to enhance personal and collective security. Forum users debated strategies to evade detection and avoid the fate of their peers, exploring new methods for obfuscating their online identities and activities.

On the top-tier Russian-speaking underground forum Exploit, a user named “Artikel326” opened a thread to share news about the RedLine developer’s arrest.

Figure 6. Thread by “Artikel326” discussing the Operation Magnus video, describing it as “scary” and recommending that RedLine clients reset or dispose of their devices to avoid potential prosecution.

Chatter on Telegram

The shockwaves from Operation Magnus extended to Telegram, a popular platform for cybercriminal communication. Channels dedicated to credential log trading and stealer development echoed with conversations ranging from urgent warnings to dismissive remarks.

Figure 7. A Telegram channel called “Golden Eagle Cloud,” which is dedicated to the sale and publication of credential logs, shared news about Operation Magnus. While questioning the credibility of media reports, the channel advised its readers to exercise caution and delete all servers linked to information stealer control panels.

Figure 8. The “club1337” Telegram channel shared OPSEC tips after posting information from the RedLine developer’s criminal complaint, which mentioned that Maxim Rudometov used the same IP address for both personal and criminal activities.

Figure 9. In the “Stealer Developers” chat, some members expressed concerns about the potential for future arrests of RedLine VIP users.

What can we learn from the cybercrime community’s reaction?

By dismantling RedLine and META and exposing VIP users, the operation sent a clear message: not only developers but also the clients who profit from these tools are within reach of the law. The operation also highlights the vulnerabilities of the malware-as-a-service (MaaS) model, signaling increased pressure on cybercriminal enterprises.

Operation Magnus sparked notable reactions within cybercriminal communities. Posts on underground forums and chatter in Telegram channels reveal widespread concern among users, who rushed to reassess their operational security (OPSEC) and minimize risks. Discussions ranged from jokes to urgent device resets to recommendations for new OPSEC practices, highlighting the ripple effect that such operations have in unsettling illicit networks.

Adding to these concerns, recent news about Telegram’s potential cooperation with law enforcement in providing information on users involved in illegal activities has further amplified worries. Criminals may increasingly turn to more decentralized or lesser-known platforms, change their communication methods, and reconfigure the way they operate these networks. The combined impact of these enforcement actions and the possible cooperation of major communication services could foster a more cautious, fragmented cybercriminal landscape in the near future.

About the Author

Lidia López Sanz, Strategic Research Team Lead

Lidia is the head of Strategic Research in Outpost24's KrakenLabs department. Her role involves researching and profiling threat actors, monitoring their campaigns, IOCs, and TTPs. She also creates threat intelligence reports and keeps a close eye on fraudulent activity in the cybercriminal underground.