RedLine stole passwords from everyone — from housewives to corporations. Now the U.S. State Department is offering $10 million for the head of its creator.
While the U.S. State Department is in an uproar, the criminal is quietly spending his days in Krasnodar.
The U.S. Department of State has announced a reward of up to $10 million for any information that could help identify or locate the creators and distributors of the malicious software RedLine. This is one of the most well-known programs for stealing personal data, actively used in attacks on private individuals, corporations, and critical infrastructure worldwide.
According to the Rewards for Justice program, a U.S. State Department initiative created to combat international crime and terrorism, interest extends beyond the RedLine developers to the partners who run the infrastructure for monetizing the stolen data. Tips are accepted through the program's Tor-based channel, which lets informants remain anonymous.
RedLine itself is a typical info-stealer: malware that runs quietly on an infected machine and harvests sensitive data. Specifically, it collects saved logins and passwords, payment-card data, cryptocurrency wallet files, system information, the list of installed applications, cookies, and browser autofill data. The harvested "logs" (as they are known in the underground community) are then sold on dark web forums or used directly for account hijacking and financial fraud.
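To make that harvesting behaviour concrete from the defender's side, here is an added example, written for this edit and not taken from the article, from RedLine, or from the Operation Magnus investigation. It triages file-read telemetry for the access pattern the paragraph describes: one non-browser process reading several browser credential stores and wallet files in a single sweep. The event schema (fields `pid`, `op`, `image`, `target`) and the sample events are constructed assumptions; the file names in the lookup table are the real default names used by Chromium-based browsers, Firefox and Bitcoin Core.

```python
"""Triage file-read telemetry for info-stealer behaviour.

Added example for this article; it is not code from RedLine or from any
investigation of it. The line-delimited JSON events are a constructed,
simplified stand-in for EDR file-access telemetry (the field names pid, op,
image and target are an assumption; real products use their own schemas).
"""
import json
import ntpath
from typing import Dict, Iterable, List, Optional

# File names that info-stealers harvest, mapped to the kind of secret inside.
# Profile locations vary, so matching is on the base name only.
CREDENTIAL_STORES = {
    "login data": "browser_passwords",      # Chromium-based browsers
    "cookies": "browser_cookies",
    "web data": "browser_autofill",
    "local state": "browser_key",           # DPAPI-wrapped key for the above
    "logins.json": "browser_passwords",     # Firefox
    "key4.db": "browser_key",
    "cookies.sqlite": "browser_cookies",
    "formhistory.sqlite": "browser_autofill",
    "wallet.dat": "crypto_wallet",          # Bitcoin Core style desktop wallets
}

# Only a browser has a routine reason to read browser stores; anything else
# touching them is worth a look. Wallet files are flagged for every process.
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "brave.exe", "firefox.exe"}


def artifact_kind(image_path: str, target_path: str) -> Optional[str]:
    """Return the artifact kind for a suspicious read, or None if benign."""
    image = ntpath.basename(image_path).lower()
    kind = CREDENTIAL_STORES.get(ntpath.basename(target_path).lower())
    if kind is None:
        return None
    if kind.startswith("browser_") and image in BROWSER_IMAGES:
        return None  # a browser reading its own profile is normal
    return kind


def triage(events: Iterable[str]) -> Dict[int, dict]:
    """Group suspicious reads per process and score by distinct artifact kinds.

    A stealer sweeps passwords, cookies, autofill and wallets in one short
    run, so one process touching several kinds is the signal; a single kind
    is more often a backup or sync agent.
    """
    report: Dict[int, dict] = {}
    for line in events:
        ev = json.loads(line)
        if ev.get("op") != "read":
            continue
        kind = artifact_kind(ev["image"], ev["target"])
        if kind is None:
            continue
        entry = report.setdefault(
            ev["pid"], {"image": ev["image"], "kinds": set(), "targets": []}
        )
        entry["kinds"].add(kind)
        entry["targets"].append(ev["target"])
    for entry in report.values():
        entry["score"] = len(entry["kinds"])
    return report


def high_confidence(report: Dict[int, dict], min_kinds: int = 2) -> List[int]:
    """PIDs whose read pattern looks like a stealer sweep, highest score first."""
    pids = [pid for pid, e in report.items() if e["score"] >= min_kinds]
    return sorted(pids, key=lambda pid: report[pid]["score"], reverse=True)


# Constructed sample telemetry (not real logs). PID 7731 behaves like a
# stealer dropped in %TEMP%; PID 5902 is a backup agent reading one store.
_CHROME = r"C:\Users\ann\AppData\Local\Google\Chrome\User Data"
_STEALER = r"C:\Users\ann\AppData\Local\Temp\updater.exe"
_EVENTS = [
    {"pid": 4120, "op": "read", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "target": _CHROME + r"\Default\Login Data"},
    {"pid": 2288, "op": "read", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "target": r"C:\Users\ann\AppData\Roaming\Mozilla\Firefox\Profiles\abcd.default\logins.json"},
    {"pid": 7731, "op": "read", "image": _STEALER, "target": _CHROME + r"\Local State"},
    {"pid": 7731, "op": "read", "image": _STEALER, "target": _CHROME + r"\Default\Login Data"},
    {"pid": 7731, "op": "read", "image": _STEALER, "target": _CHROME + r"\Default\Network\Cookies"},
    {"pid": 7731, "op": "read", "image": _STEALER, "target": _CHROME + r"\Default\Web Data"},
    {"pid": 7731, "op": "read", "image": _STEALER,
     "target": r"C:\Users\ann\AppData\Roaming\Bitcoin\wallet.dat"},
    {"pid": 7731, "op": "write", "image": _STEALER,
     "target": r"C:\Users\ann\AppData\Local\Temp\log.zip"},
    {"pid": 5902, "op": "read", "image": r"C:\Program Files\Acme Backup\backup.exe",
     "target": _CHROME + r"\Default\Network\Cookies"},
]
SAMPLE_LINES = [json.dumps(e) for e in _EVENTS]

if __name__ == "__main__":
    result = triage(SAMPLE_LINES)
    for pid in high_confidence(result):
        e = result[pid]
        print(f"pid {pid} {e['image']} score={e['score']} kinds={sorted(e['kinds'])}")
```

Running the file prints only PID 7731: it read five distinct artifact kinds, while the backup agent touched one store and stays below the default threshold. Two caveats for real deployments: backup and sync agents that copy whole profiles will score higher than this sample and need allow-listing by signed image path, and the rule needs file-read telemetry from an EDR; Sysmon records file creation but not reads, so it cannot feed this logic on its own.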
The Rewards for Justice bulletin highlights that RedLine has been used by a wide range of actors — from lone wolves to organized groups. Victims include large international corporations, government agencies, and critical infrastructure operators worldwide.
Despite the scale, active prosecution of suspects began relatively recently. In October 2024, an international operation called Magnus was launched — a joint effort by law enforcement agencies from several countries aimed at dismantling the infrastructure supporting the distribution of info-stealers, including RedLine and other similar malware.
During the operation, more than 1,200 servers were taken down, several affiliated participants were arrested, and key components were seized: licensing servers, source code, and Telegram bots used for customer support. This action dealt a significant blow to RedLine’s operation as a service, temporarily disrupting the logistics of its distribution and sale.
However, the main developer, known by the initial "M.", remains at large. According to U.S. authorities, he was born in Ukraine in 1999, left the country after the war began in 2022, and moved to Krasnodar, Russia. According to the most recent information, he was still living there as of last fall.
If he is captured and extradited, and his guilt proven in court, he could face up to 35 years in prison. In his case, it’s not just about developing the tool but also about actively managing the entire distribution chain and profiting from every sold copy or compromised device.
The $10 million bounty is not just a symbolic gesture. It’s one of the largest rewards ever offered for cybercrime activity under the program. It reflects not only the severity of the crimes but also the level of threat that RedLine poses to global information security.
Authorities emphasize that info-stealers have long outgrown their niche role and have become a widespread tool for digital extortion, corporate espionage, and attacks on individual users. They are easy to use, relatively inexpensive, and often sold as "bundles": the malware together with instructions, a control panel, and even technical support over messaging apps.
Experts believe the RedLine creator has stayed free for so long because he not only changed his country of residence but also established himself in the local tech scene, which affords him a degree of protection from extradition. Nonetheless, the transnational nature of the crimes gives hope that international cooperation mechanisms will eventually work.
All of this is part of a broader trend: states are increasingly responding to the threat of cybercrime as seriously as they do to terrorism. Whereas previously the author of a spyware utility might have felt safe abroad, today every step is being tracked, and every scrap of information could lead to an arrest.