Russian Police Arrest Creators of Meduza Stealer Malware
Russian law enforcement has arrested members of a cybercrime group responsible for creating and operating the Meduza stealer, a malware-as-a-service operation that targeted credentials and cryptocurrency wallets for nearly two years.
The Department for Countering Cybercrime of the Russian Ministry of Internal Affairs, working with Astrakhan region law enforcement, detained the suspects this week in Moscow and the surrounding Moscow region. Russian National Guard forces provided tactical support during the operation.
From MaaS Operation to Government Breach
According to investigators, the group launched the Meduza stealer approximately two years ago and distributed it through hacker forums and a Telegram channel using the malware-as-a-service (MaaS) model. This business approach allowed other criminals to rent or purchase the stealer for their own attacks.
The Meduza info-stealer was built to extract credentials, cryptocurrency wallet data, and other sensitive information from infected systems. While marketed as having advanced data collection capabilities when it first appeared in summer 2023, the malware never gained widespread adoption in the cybercrime market.
The investigation took a serious turn when authorities discovered that in May 2025, group members used their own malware to breach a government institution in the Astrakhan region. The attackers gained unauthorized access and copied legally protected official information onto equipment they controlled—essentially using their criminal product to attack the state directly.
Beyond Meduza: Additional Malware Development
Investigators also uncovered that the group had developed and distributed a second type of malware designed to disable computer security tools and build botnets. Authorities have not disclosed the name of this additional malware, likely to avoid tipping off other users or operators.
During searches of the suspects' locations, law enforcement seized computer equipment, communication devices, bank cards, and other evidence.
Previous Attacks and Exit Scam Suspicions
The Meduza stealer has a documented attack history. In September 2024, BI.ZONE researchers published a report detailing how the Stone Wolf group had deployed Meduza in attacks against Russian organizations. Notably, Stone Wolf had disabled a built-in module that restricted Meduza's use within Commonwealth of Independent States (CIS) territories—a geofencing limitation the original developers had included, presumably to avoid domestic law enforcement attention.
That precaution ultimately failed. In spring 2025, the malware operators' Telegram channel suddenly disappeared, leading some MaaS clients to suspect an exit scam, a common practice in which cybercrime operators vanish with their clients' money. Based on the current arrests, the channel's deletion appears to have been an unsuccessful attempt to cover tracks as law enforcement closed in.
Legal Consequences
The Investigative Department of the Russian Ministry of Internal Affairs for the Astrakhan Region has opened a criminal case under Part 2 of Article 273 of the Russian Criminal Code. Three individuals have been placed under various restrictive measures while the investigation continues.
If convicted, the defendants face up to five years in prison. Investigators are working to identify additional accomplices and document the full scope of the group's criminal activities.
Why This Matters
These arrests highlight several trends in cybercrime enforcement. First, Russian authorities have shown increased willingness to pursue domestic cybercrime operations, particularly when they target Russian government institutions or businesses. Second, the MaaS model—while profitable—creates extensive evidence trails through customer interactions, forum posts, and financial transactions that can lead investigators directly to operators.
For the broader cybercrime ecosystem, the Meduza case serves as a reminder that geofencing restrictions offer little real protection when the malware itself becomes a tool for attacking domestic targets. The group's decision to use their own stealer against a government institution in May 2025 likely accelerated the investigation that led to this week's arrests.
The investigation remains open, and additional arrests may follow as authorities trace the network of accomplices and customers who used Meduza in their own criminal operations.