Mar 27, 2026 · 6 min read
The Man Behind Millions of Stolen Passwords Just Got Extradited to the US
Hambardzum Minasyan allegedly helped build and run RedLine, one of the most prolific credential stealing malware operations in history. He now faces up to 30 years in a US federal prison.
Who Got Arrested
Hambardzum Minasyan, an Armenian national, was arrested on March 23, 2026 and appeared in federal court in Austin, Texas on March 25. US prosecutors allege that Minasyan was a key administrator of RedLine, an infostealer malware operation that has stolen credentials from millions of computers worldwide since its launch in 2020.
Minasyan faces three federal charges: conspiracy to commit access device fraud (up to 10 years), conspiracy to violate the Computer Fraud and Abuse Act (up to 20 years), and conspiracy to commit money laundering (up to 20 years). If convicted on all counts, his maximum sentence would be 50 years, though guidelines would likely result in a lower figure.
What RedLine Does
RedLine is not just another piece of malware. It is one of the most widely used infostealers ever created, responsible for harvesting login credentials, browser saved passwords, cryptocurrency wallet data, session cookies, and financial information from infected machines. The malware operates on a subscription model: affiliates pay to use RedLine's infrastructure, then deploy it through phishing emails, malicious downloads, and compromised software.
Once installed on a victim's computer, RedLine silently extracts every saved credential from every browser, every autofill entry, every stored credit card number, and every cryptocurrency wallet file. The stolen data gets sent back to command and control servers, where it is packaged and sold on criminal marketplaces or used directly for account takeovers.
The scale is staggering. Security researchers estimate that RedLine and its sister malware META have been responsible for stealing credentials from tens of millions of devices. In 2025 alone, RedLine was linked to the initial access in hundreds of ransomware incidents, corporate breaches, and cryptocurrency thefts.
What Minasyan Allegedly Did
According to the indictment, Minasyan's role centered on infrastructure. He allegedly registered two virtual private servers that hosted parts of RedLine's command and control network and two internet domains used to support the malware's operations. He also created repositories on file sharing platforms to distribute the malware to affiliates, and he registered a cryptocurrency account in November 2021 to receive payments from those affiliates.
The conspirators maintained digital infrastructure including C2 servers and administrative panels that enabled affiliates to deploy the malware, track infections, and download stolen data. The operation was run like a business, with customer support, regular updates, and a pricing structure that made it accessible to criminals with minimal technical skills.
Operation Magnus: The Takedown
Minasyan's arrest is the second major action against RedLine's leadership. In October 2024, the US Department of Justice coordinated an international operation, codenamed Operation Magnus, with law enforcement agencies in the Netherlands, Belgium, and Eurojust. That operation took down RedLine's infrastructure and led to charges against Maxim Rudometov, another developer and administrator of the malware.
Despite the infrastructure takedown, RedLine did not disappear entirely. Copies of the malware continued to circulate, and some affiliates shifted to alternative infostealers. But the loss of centralized infrastructure and the arrest of key operators have significantly disrupted the operation. Minasyan's extradition sends a clear message: building the infrastructure is as prosecutable as writing the code or deploying the malware.
Why This Matters Beyond RedLine
Infostealers are the upstream supply chain for most modern cybercrime. The credentials stolen by RedLine do not just enable individual account takeovers. They feed into business email compromise attacks, ransomware deployments, corporate espionage, and identity theft at industrial scale. When security researchers say that 75% of breaches now involve compromised credentials, infostealers like RedLine are where many of those credentials originate.
The infostealer market has not slowed down. DarkCloud sells malware subscriptions for $30 a month. New variants appear weekly. But prosecutions like this one raise the cost of operating these services. When administrators face decades in prison, the calculus changes, even for operators who believe they are beyond the reach of US law enforcement.
How to Protect Yourself
If your credentials were among the millions stolen by RedLine, you may not know it. Here are steps to reduce your exposure:
- Stop saving passwords in your browser. RedLine's primary target is browser-saved credentials. Use a dedicated password manager instead.
- Enable two-factor authentication everywhere. Even stolen passwords are less useful when accounts require a second factor.
- Check haveibeenpwned.com. This free service tells you if your email has appeared in known data breaches, including infostealer dumps.
- Watch for session hijacking. Infostealers also steal session cookies, which let attackers bypass MFA entirely. Log out of sensitive accounts when not in use, and monitor login activity.
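The last point, monitoring for a stolen session cookie being replayed from another machine, can be automated on the server side. The following is an added illustration, not code from the article or from any real RedLine-related tooling; the log format, the sample lines and the 300-second IP-change window are constructed assumptions.

```python
"""Flag web sessions whose cookie appears to be replayed from a different device,
the typical footprint of an infostealer that exfiltrated the cookie and an
attacker who then imported it into their own browser."""
from dataclasses import dataclass


@dataclass
class Event:
    ts: int       # Unix seconds
    session: str  # session cookie identifier (hash it before logging in real systems)
    ip: str
    ua: str       # User-Agent string


def parse_line(line: str) -> Event:
    # Constructed log format (assumption): "<ts> session=<id> ip=<addr> ua=<string>"
    ts, rest = line.split(" ", 1)
    fields = dict(part.split("=", 1) for part in rest.split(" ", 2))
    return Event(int(ts), fields["session"], fields["ip"], fields["ua"])


def find_replayed_sessions(lines, ip_change_window=300):
    """Return {session_id: reason} for sessions that look replayed.

    A session is bound to the IP and User-Agent of its first event. Any later
    request with a different User-Agent is flagged; an IP change is flagged
    only when it happens within `ip_change_window` seconds of the previous
    request, to tolerate ordinary roaming and mobile-carrier NAT churn.
    """
    bound, last_seen, flagged = {}, {}, {}
    for ev in sorted((parse_line(l) for l in lines), key=lambda e: e.ts):
        first = bound.setdefault(ev.session, ev)
        prev = last_seen.get(ev.session, first)
        if ev.ua != first.ua:
            flagged.setdefault(ev.session, f"user-agent changed: {first.ua!r} -> {ev.ua!r}")
        elif ev.ip != prev.ip and ev.ts - prev.ts < ip_change_window:
            flagged.setdefault(ev.session, f"ip changed {prev.ip} -> {ev.ip} within {ev.ts - prev.ts}s")
        last_seen[ev.session] = ev
    return flagged


# Constructed sample log: s1 is replayed from a new browser, s2 roams legitimately
# two hours later, s3 hops networks within 100 seconds on the same browser.
SAMPLE_LOG = [
    "1700000000 session=s1 ip=203.0.113.10 ua=Firefox/128 (Windows)",
    "1700000060 session=s1 ip=203.0.113.10 ua=Firefox/128 (Windows)",
    "1700000120 session=s1 ip=198.51.100.7 ua=Chrome/124 (Linux)",
    "1700000000 session=s2 ip=192.0.2.5 ua=Safari/17 (macOS)",
    "1700007200 session=s2 ip=192.0.2.99 ua=Safari/17 (macOS)",
    "1700000000 session=s3 ip=192.0.2.20 ua=Chrome/124 (Android)",
    "1700000100 session=s3 ip=198.51.100.40 ua=Chrome/124 (Android)",
]

if __name__ == "__main__":
    for sid, why in find_replayed_sessions(SAMPLE_LOG).items():
        print(f"{sid}: {why}")
```

A flagged session is a candidate for forced re-authentication rather than proof of compromise; the IP-window rule in particular needs tuning per user population.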
The Bottom Line
Hambardzum Minasyan is the second RedLine operator to face US federal charges, and likely not the last. The infostealer economy is vast, profitable, and deeply integrated into the broader cybercrime supply chain. Taking down one operation does not solve the problem, but it does prove that building and running malware infrastructure carries real legal risk, even from halfway around the world. For the millions of people whose credentials RedLine stole, it is a small step toward accountability.