Meduza Infostealer Developers Arrested in Russian Authorities’ Crackdown
Published
- Key arrests: Russian authorities have detained a group of young IT specialists accused of developing and distributing the Meduza infostealer.
- Triggering incident: The investigation was reportedly initiated after the group used its malware to breach a government institution in Astrakhan in May 2025.
- Malware-as-a-Service: Meduza was sold as a subscription service, designed to steal credentials, browser data, and crypto wallets from infected Windows systems.
Russia’s Ministry of Internal Affairs (MÐ’A) has arrested the developers behind the Meduza Infostealer. The arrests, carried out in Moscow with support from Rosgvardia forces, targeted a group of young IT specialists responsible for creating and distributing the powerful credential-stealing malware.Â
Meduza Infostealer Attacks
The operation was allegedly triggered when the developers used Meduza in May 2025 to infiltrate a government institution in Astrakhan and steal protected official data, leading investigators directly to them, according to official statements from MÐ’A spokesperson Irina Volk, cited by HudsonRock.
This action is part of a broader Russian cybercrime crackdown aimed at dismantling domestic cyber threats. A criminal case has been initiated under Article 273 of the Russian Criminal Code for the creation and distribution of malicious software.
Notably, the malware was coded to avoid execution in CIS countries like Russia, a common tactic to evade local law enforcement that ultimately failed.
Meduza Capabilities
First appearing on underground forums in mid-2023, Meduza was marketed as a sophisticated Malware-as-a-Service (MaaS) tool. It was sold with subscription tiers ranging from $199 per month to $1,199 for lifetime access.Â
The malware was designed to siphon a wide range of sensitive data from compromised Windows devices, including login credentials from over 100 different web browsers, cryptocurrency wallet data from more than 100 wallet applications and extensions, and information from password managers and 2FA tools like 1Password, LastPass, Bitwarden, Dashlane, KeePassXC, Authenticator, and Authy.Â
It stole from messaging apps (Telegram, Discord), gaming platforms (Steam), VPNs (OpenVPN), email clients (Outlook), and miner-related data. It also collected system details to profile victims.
Implications of the Takedown
The arrest of the Meduza developers marks a notable success for law enforcement in combating the proliferation of commercial malware. While this takedown disrupts a specific malware operation, the accessibility of such tools and the potential for the code to be forked or resold means the threat of infostealers remains.
In September 2024, Meduza, StealC, Vidar, and WhiteSnake have been updated to bypass Chrome's security mechanisms. Meanwhile, in December 2024, the Horns&Hooves campaign leveraged fake emails to deliver NetSupport & BurnsRAT and deploy the Rhadamanthys and Meduza infostealers.Â
Related
Get expert insights on threats, breaches, scams, and security trends — delivered every Saturday.
Most Popular
Get expert insights on threats, breaches, scams, and security trends — delivered every Saturday.
Most Popular