
RedLine infostealer administrator extradited to the U.S.


A U.S. federal investigation into the RedLine infostealer has led to the extradition of an Armenian national to the United States, where he now faces three counts tied to his alleged administration of one of the world’s most widely used infostealing malware variants.


What happened

Armenian national Hambardzum Minasyan made an initial appearance in a federal court in Texas this week after being extradited to the United States. Authorities charged him with conspiracy to commit access device fraud, conspiracy to violate the Computer Fraud and Abuse Act, and conspiracy to commit money laundering for his alleged role with the RedLine infostealer.

According to court documents, Minasyan allegedly conspired with others to develop and administer RedLine, which has been used to conduct intrusions against major corporations. When executed, RedLine steals data from victims’ computers, including access devices such as stored credentials and financial information. The indictment alleges that Minasyan registered two virtual private servers to host RedLine infrastructure, created online repositories to distribute the malware to affiliates, and set up a cryptocurrency account to receive affiliate payments.


The backstory

Minasyan’s case is part of a broader U.S. and international effort to disrupt the RedLine and related Meta infostealers. In 2024, the Justice Department collaborated with Belgium, the Netherlands, Eurojust, and other partners in “Operation Magnus,” targeting both RedLine and Meta, a variant derived from it. That same year, the Department charged Russian national Maxim Rudometov for his alleged role in developing RedLine, showing the U.S. government’s focus on dismantling the malware’s operation by going after key operators.


Going deeper

The RedLine infostealer functions as a “malware‑as‑a‑service” platform, allowing affiliates to deploy the malware against victims while the operators maintain infrastructure and process payments. The indictment alleges that Minasyan and co‑conspirators managed command‑and‑control servers, administrative panels, and distribution channels, then collected and laundered proceeds through cryptocurrency exchanges.

Minasyan is charged with three conspiracy counts. If convicted, he faces up to 10 years in prison on the access device fraud count and up to 20 years on each of the other two counts. The investigation was led by the FBI Austin Cyber Task Force, which includes the Naval Criminal Investigative Service, IRS Criminal Investigation, the Department of Defense Office of Inspector General’s Defense Criminal Investigative Service, and the Army Criminal Investigation Division, with prosecution handled by the U.S. Attorney’s Office for the Western District of Texas.

Learn more: What is Malware-as-a-Service?


What was said

A Justice Department news release stated, “Hambardzum Minasyan allegedly conspired with others to enrich himself by developing and administering RedLine, one of the most prevalent infostealing malware variants in the world, which has previously been used to conduct intrusions against major corporations.” The same release added, “When executed, RedLine would steal data, including access devices, from victims’ computers.”


Why it matters

By going after infrastructure‑level administrators, authorities send a message that credential‑theft operations can be dismantled, even when individual affiliates remain dispersed and anonymous.

For organizations, this reinforces the urgency of credential‑monitoring programs and strict controls around personal devices and browser data, since infostealers like RedLine can turn stolen credentials into full‑blown compromises.


The bottom line

The extradition and charging of an alleged RedLine administrator show that U.S. and international law enforcement are actively targeting the infrastructure behind credential theft. Organizations should treat credential‑harvesting malware as a persistent threat and tighten access controls, monitor for suspicious logins, and assume that any exposed password may already be for sale in underground markets.


FAQs

What is an infostealer?

An infostealer is malware that harvests stored credentials and sensitive data from a victim’s device.


How do infostealers like RedLine usually get onto people’s computers?

RedLine and similar infostealers arrive via phishing emails, malicious downloads, or bundled with other software that tricks users into installing them.


Why do criminals use infostealers such as RedLine instead of just stealing one account at a time?

Infostealers allow attackers to harvest thousands of credentials and session cookies in a single infection, which they can then sell or reuse for large‑scale account takeovers and further intrusions.
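The bottom line above recommends monitoring for suspicious logins, and this FAQ notes that stolen session cookies are reused for account takeovers. As an added example (not part of the original article and not Paubox's or any vendor's code), the following script shows one simple detection for replayed session cookies: it reads constructed JSON access-log lines and flags any session token that is later used from a different client (IP address and user agent) than the one that first established it. The log format, field names, and sample values are assumptions made for this example.

```python
"""Flag web sessions whose token is reused from a client different from the
one that established it, an indicator that a session cookie harvested by an
infostealer is being replayed. All log lines below are constructed samples."""
import json
from datetime import datetime, timezone

# Constructed sample of JSON access-log lines (hypothetical format, not real data).
# Session "s1" is established by Firefox from one IP, then reused seven minutes
# later from a different IP and browser, which is the pattern we want to catch.
SAMPLE_LOG = """\
{"ts": "2024-05-01T08:00:00Z", "user": "alice", "session": "s1", "ip": "203.0.113.10", "ua": "Firefox/125"}
{"ts": "2024-05-01T08:05:00Z", "user": "alice", "session": "s1", "ip": "203.0.113.10", "ua": "Firefox/125"}
{"ts": "2024-05-01T08:07:00Z", "user": "alice", "session": "s1", "ip": "198.51.100.7", "ua": "Chrome/124"}
{"ts": "2024-05-01T09:00:00Z", "user": "bob", "session": "s2", "ip": "192.0.2.44", "ua": "Safari/17"}
{"ts": "2024-05-01T09:30:00Z", "user": "bob", "session": "s2", "ip": "192.0.2.44", "ua": "Safari/17"}
"""


def parse_log(text):
    """Parse newline-delimited JSON records into dicts with a timezone-aware timestamp."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(
            tzinfo=timezone.utc
        )
        events.append(rec)
    return events


def detect_session_reuse(events):
    """Return one alert per request whose session token is used from a client
    (ip, ua) other than the client that first presented that token."""
    first_seen = {}  # session id -> ((ip, ua), first timestamp)
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        session = ev["session"]
        client = (ev["ip"], ev["ua"])
        if session not in first_seen:
            # First use of this token binds it to the establishing client.
            first_seen[session] = (client, ev["ts"])
            continue
        orig_client, orig_ts = first_seen[session]
        if client != orig_client:
            alerts.append(
                {
                    "user": ev["user"],
                    "session": session,
                    "original_client": orig_client,
                    "new_client": client,
                    "minutes_since_first_use": (ev["ts"] - orig_ts).total_seconds() / 60,
                }
            )
    return alerts


if __name__ == "__main__":
    for alert in detect_session_reuse(parse_log(SAMPLE_LOG)):
        print(
            f"session {alert['session']} for {alert['user']} replayed from "
            f"{alert['new_client']} {alert['minutes_since_first_use']:.0f} min "
            f"after first use by {alert['original_client']}"
        )
```

Binding a token to the client that first presented it is deliberately strict: legitimate users do change networks (mobile to Wi-Fi) and the user agent string changes on browser updates, so in production this rule is a triage signal to combine with other context (geolocation distance, time of day, whether the new client also fails step-up authentication) rather than an automatic lockout. A short session lifetime and re-authentication for sensitive actions limit the window in which a harvested cookie is useful at all.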
