Russian authorities, led by the Ministry of Internal Affairs (МВД) with support from Rosgvardia forces, have arrested three individuals in the Moscow region. The suspects are described as young IT specialists and are accused of creating and distributing the Meduza Stealer infostealer malware.
The investigation was reportedly triggered after the group violated the primary unspoken rule of Russian-based cybercrime: do not attack domestic targets. In May 2025, the group allegedly used their own malware to breach a government institution in the Astrakhan region, siphoning protected official data to their servers. This local attack is believed to have prompted the swift law enforcement operation.
A criminal case has been opened under Part 2 of Article 273 of the Russian Criminal Code, which covers the creation, use, and distribution of malicious software. Authorities seized computer equipment, mobile devices, and bank cards during the raids.
Meduza Stealer emerged in June 2023 and was operated as a Malware-as-a-Service (MaaS). It was marketed on cybercrime forums and Telegram as a superior alternative to established stealers like Redline, Raccoon, and Vidar. Subscription prices were approximately $199 per month or $1,199 for lifetime access.
The malware was specifically coded to avoid execution if it detected a system located in Russia or other Commonwealth of Independent States (CIS) countries. The developers’ decision to override this feature for the Astrakhan attack led directly to their arrests. It is important to note that the Meduza Stealer (infostealer) is not related to the notorious Medusa ransomware group.
The allegedly compromised data, which the stealer was designed to harvest from victims, includes:
- Browser Data: Login credentials, cookies, browsing history, and autofill data from over 100 browsers (including Chrome, Firefox, and Edge).
- Cryptocurrency: Wallet files, seeds, and registry data from over 100 cryptocurrency wallets, including browser extensions like MetaMask and desktop apps like Exodus.
- Password Managers: Data from popular managers such as 1Password, LastPass, Bitwarden, and KeePassXC.
- 2FA Clients: Data from two-factor authentication extensions like Authenticator and Authy.
- Application Data: Credentials from messaging apps (Telegram, Discord), gaming platforms (Steam), and VPN clients (OpenVPN).
- System Profiling: Hardware details, IP address, timezone, and screenshots for victim profiling.
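The list above is essentially a map of the credential stores a stealer like Meduza reads, which also makes it a hunting checklist: the owning application is normally the only process that opens those files, so any other process touching several of them at once is worth a look. The following Python script is an added illustration of that heuristic and is not code from the page or from any vendor; the file paths, process names and the sample file-access events are all constructed and assumed for the example, and real product locations vary by version.

```python
"""Hunting heuristic over file-access telemetry: flag processes other than the
owning application that read credential stores of the kinds infostealers
harvest (browser logins, wallets, password-manager vaults, messenger data)."""
import re
from collections import defaultdict

# Assumed, illustrative store locations: (family, path regex, expected reader processes).
# Regexes use "\\" to match a literal Windows path separator.
SENSITIVE_STORES = [
    ("browser", r"\\Google\\Chrome\\User Data\\.*\\Login Data$", {"chrome.exe"}),
    ("browser", r"\\Mozilla\\Firefox\\Profiles\\.*\\logins\.json$", {"firefox.exe"}),
    ("wallet", r"\\Exodus\\exodus\.wallet\\", {"exodus.exe"}),
    ("password_manager", r"\.kdbx$", {"keepassxc.exe", "keepass.exe"}),
    ("messenger", r"\\Telegram Desktop\\tdata\\", {"telegram.exe"}),
]


def match_store(path):
    """Return (family, owners) for the first sensitive store the path matches, else None."""
    for family, pattern, owners in SENSITIVE_STORES:
        if re.search(pattern, path, re.IGNORECASE):
            return family, owners
    return None


def hunt(events, min_families=1):
    """Group file reads by process and return {process: [families]} for every
    process that reads a store it does not own, touching at least min_families
    distinct store families. Breadth across families is the stealer signal:
    a backup agent may read one vault, a stealer reads everything."""
    hits = defaultdict(set)
    for ev in events:
        matched = match_store(ev["path"])
        if matched is None:
            continue
        family, owners = matched
        if ev["process"].lower() in owners:
            continue  # the application reading its own store is expected
        hits[ev["process"]].add(family)
    return {proc: sorted(fams) for proc, fams in hits.items() if len(fams) >= min_families}


# Constructed sample telemetry (not real logs): one benign browser read, one
# benign wallet read, and a single unrelated process sweeping three store families.
SAMPLE_EVENTS = [
    {"process": "chrome.exe",
     "path": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"process": "Exodus.exe",
     "path": r"C:\Users\alice\AppData\Roaming\Exodus\exodus.wallet\seed.seco"},
    {"process": "updater.exe",
     "path": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"process": "updater.exe",
     "path": r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\x1.default-release\logins.json"},
    {"process": "updater.exe", "path": r"D:\vault\passwords.kdbx"},
    {"process": "updater.exe",
     "path": r"C:\Users\alice\AppData\Roaming\Telegram Desktop\tdata\key_datas"},
    {"process": "notepad.exe", "path": r"C:\Users\alice\Desktop\notes.txt"},
]

if __name__ == "__main__":
    for proc, families in hunt(SAMPLE_EVENTS, min_families=2).items():
        print(f"suspicious: {proc} read stores from families {families}")
```

Raising `min_families` trades recall for precision: a backup agent or an AV scanner legitimately reads one kind of store, but a single process walking browser logins, a password vault and messenger data in one session is the access pattern the harvest list above describes.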