RedLine Infostealer Developer Faces 50 Years After US Extradition
Armenian national Hambardzum Minasyan extradited to face charges for developing RedLine malware infrastructure. Follows 2024 international takedown operation.
Hambardzum Minasyan, an Armenian national accused of building infrastructure for the RedLine infostealer malware, has been extradited to the United States to face charges that carry up to 50 years in prison. The extradition follows October 2024's international operation that disrupted RedLine's command-and-control infrastructure across multiple countries.
The Charges
Minasyan faces three counts according to the Department of Justice announcement:
- Conspiracy to commit access device fraud — up to 10 years
- Conspiracy to violate the Computer Fraud and Abuse Act — up to 20 years
- Conspiracy to commit money laundering — up to 20 years
Prosecutors allege Minasyan registered two virtual private servers to host parts of RedLine's infrastructure and two internet domains used for distribution. He allegedly created file repositories to distribute the malware to affiliates and set up cryptocurrency accounts in November 2021 to receive payments from the operation.
What RedLine Does
RedLine has been one of the most prolific infostealers since its emergence in 2020. The malware targets:
- Browser-stored passwords and cookies
- Cryptocurrency wallet credentials
- VPN and FTP client configurations
- System information for fingerprinting victims
- Discord tokens and gaming platform credentials
Sold as malware-as-a-service (MaaS), RedLine enabled even technically unsophisticated criminals to deploy credential-stealing campaigns. The subscription model meant operators could focus on distribution while the developers handled maintenance, updates, and customer support.
The scale of RedLine's impact is staggering. Security researchers estimate the malware compromised millions of devices, with stolen credentials fueling everything from account takeovers to ransomware initial access. Many of the credentials that appear in dark web marketplaces and stealer logs originated from RedLine infections.
The Broader Takedown
Minasyan's extradition builds on Operation Magnus, the October 2024 international effort coordinated by the DOJ with authorities from the Netherlands and Belgium and with Eurojust. That operation targeted RedLine alongside META Stealer, a related infostealer that shared code and infrastructure with it.
During the 2024 action, law enforcement seized servers, domain names, and Telegram channels used to sell access and provide customer support. Charges were also unsealed against Maxim Rudometov, identified as a developer and administrator who helped build RedLine's core capabilities.
The conspiracy allegedly "maintained digital infrastructure, including C2 servers and administrative panels to enable the deployment of the malware by affiliates, and collected payments from RedLine affiliates."
Why Infostealer Cases Matter
Infostealers sit at the foundation of the modern cybercrime economy. The Aleksei Volkov sentencing we covered yesterday highlighted how ransomware brokers depend on initial access—access that often comes from infostealer logs.
When RedLine steals an enterprise VPN credential, that credential doesn't just enable account takeover. It becomes inventory for initial access brokers who sell footholds to ransomware operators. A $150 RedLine subscription can ultimately enable a multi-million dollar ransomware attack.
This is why law enforcement increasingly targets the enablers, not just the end-users. Taking down a single ransomware gang addresses symptoms. Disrupting the infostealer infrastructure that feeds the entire ecosystem addresses root causes.
The Enforcement Pattern
Minasyan's extradition follows a familiar playbook. Identify infrastructure operators in countries with extradition treaties, build cases through international cooperation, and bring defendants to US courts where penalties are severe enough to matter.
The strategy has limits. Developers operating from Russia, China, or other non-cooperative jurisdictions remain largely untouchable. But for those who miscalculate—operating from Armenia, registering infrastructure through traceable channels, using cryptocurrency that isn't as anonymous as they believed—the exposure is real.
Minasyan allegedly began receiving cryptocurrency payments in November 2021. Blockchain analysis combined with traditional investigative techniques created a trail that led to his extradition five years later. The lesson for aspiring malware developers: the trail you leave today may catch up to you years from now.
What Comes Next
The criminal case against Minasyan will proceed through the US court system. Based on similar cases, expect plea negotiations—defendants facing decades rarely go to trial when cooperation might reduce sentences significantly.
For the broader infostealer ecosystem, the disruption continues. RedLine affiliates who lost access to infrastructure in 2024 have largely migrated to competitors like Lumma, Vidar, and the various new infostealers emerging constantly. The malware-as-a-service model proves resilient; take down one operation and others absorb the demand.
But each prosecution raises the risk calculus for developers considering entering the space. The DOJ's message is clear: build malware infrastructure, and we'll find you eventually. Whether that message reaches the next generation of would-be malware authors remains to be seen.