RedLine Infostealer Network’s Second Defendant Now Faces a U.S. Court
After international law enforcement dismantled the RedLine infostealer network, a second defendant was extradited from Armenia to the United States to stand trial. He faces three charges and is alleged to have taken part in deploying the malware and collecting payments. Operation Magnus demonstrates the importance of international cooperation, and prosecutors continue to use the intelligence gathered to bring charges. 2026-03-26 07:04:15 Author: thecyberexpress.com

Seventeen months after international law enforcement dismantled one of the world’s most damaging infostealing malware networks, a second defendant has arrived in a U.S. federal courtroom — this time extradited from Armenia — as the prosecution of the RedLine infostealer operation continues to work through the criminal network that built and sustained it.

Hambardzum Minasyan, an Armenian national, appeared in an Austin federal court after being extradited to the United States to face charges related to his alleged role in the RedLine infostealer scheme. The Justice Department’s Office of International Affairs secured Minasyan’s arrest and extradition on March 23, 2026, with significant assistance from Eurojust’s ICHIP attorney adviser based at The Hague.

Minasyan faces three counts: conspiracy to commit access device fraud, conspiracy to violate the Computer Fraud and Abuse Act, and conspiracy to commit money laundering. If convicted, he faces up to 10 years in prison on the access device fraud charge and up to 20 years each on the remaining two counts.

An infostealer is malware designed to silently harvest credentials, browser cookies, saved passwords, financial data, and cryptocurrency wallet information from an infected device, then transmit that data to attackers — often in seconds, without any visible sign of compromise.
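Because an infostealer reads the browser's own credential and cookie stores on disk, one of the simplest host-side detections is to alert when a process that is not a browser opens those files. The following is an added illustration, not code from the article or from any named product: a small detection routine run over constructed endpoint file-access events. The file-name patterns, the browser allowlist and the sample telemetry are assumptions modelled on common Chromium and Firefox profile layouts and should be tuned for a real fleet.

```python
"""Flag non-browser processes that read browser credential or cookie stores.

Added illustration (not from the article). Path patterns, the reader allowlist
and the sample events below are assumptions, not data from the case.
"""
import re
from dataclasses import dataclass

# Credential/cookie stores that infostealers typically read (assumed patterns;
# matched on the file name only so profile paths and versions do not matter).
SENSITIVE_FILE_PATTERNS = [
    re.compile(r"[\\/]Login Data$", re.IGNORECASE),      # Chromium saved passwords
    re.compile(r"[\\/]Cookies$", re.IGNORECASE),         # Chromium cookies
    re.compile(r"[\\/]Web Data$", re.IGNORECASE),        # Chromium autofill/cards
    re.compile(r"[\\/]logins\.json$", re.IGNORECASE),    # Firefox saved logins
    re.compile(r"[\\/]cookies\.sqlite$", re.IGNORECASE), # Firefox cookies
    re.compile(r"[\\/]key4\.db$", re.IGNORECASE),        # Firefox key store
]

# Processes expected to open these files (assumed allowlist; extend per fleet).
EXPECTED_READERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}


@dataclass(frozen=True)
class FileAccessEvent:
    timestamp: str
    host: str
    process: str   # image name of the accessing process
    pid: int
    path: str      # file opened for read


def is_sensitive_path(path: str) -> bool:
    """True when the path ends in one of the known credential-store file names."""
    return any(p.search(path) for p in SENSITIVE_FILE_PATTERNS)


def detect_credential_store_access(events):
    """Return events where a non-allowlisted process reads a credential store."""
    findings = []
    for ev in events:
        if not is_sensitive_path(ev.path):
            continue
        if ev.process.lower() in EXPECTED_READERS:
            continue
        findings.append(ev)
    return findings


def summarize(findings):
    """Group findings by (host, process, pid) so one stealer run is one alert."""
    grouped = {}
    for ev in findings:
        grouped.setdefault((ev.host, ev.process, ev.pid), []).append(ev.path)
    return grouped


# Constructed sample telemetry (not real data): one benign browser read, one
# unknown binary sweeping several stores in quick succession, one unrelated read.
SAMPLE_EVENTS = [
    FileAccessEvent("2026-03-01T10:01:02Z", "ws-17", "chrome.exe", 4120,
                    r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    FileAccessEvent("2026-03-01T10:01:05Z", "ws-17", "update_helper.exe", 7788,
                    r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    FileAccessEvent("2026-03-01T10:01:05Z", "ws-17", "update_helper.exe", 7788,
                    r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"),
    FileAccessEvent("2026-03-01T10:01:06Z", "ws-17", "update_helper.exe", 7788,
                    r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\x1.default\logins.json"),
    FileAccessEvent("2026-03-01T10:02:00Z", "ws-17", "notepad.exe", 9001,
                    r"C:\Users\alice\Documents\notes.txt"),
]

if __name__ == "__main__":
    for key, paths in summarize(detect_credential_store_access(SAMPLE_EVENTS)).items():
        print(key, "->", len(paths), "credential-store reads")
```

A rule like this produces noise from backup agents and password managers, so in practice the allowlist is extended per environment and the alert is raised on the grouped summary (several stores read by one process within seconds) rather than on each individual open.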

The indictment alleges that Minasyan and his co-conspirators maintained digital infrastructure, including command-and-control servers and administrative panels, to deploy the malware, and that they collected payments from affiliates who used RedLine against victims.

Minasyan specifically registered two virtual private servers and two internet domains to support the RedLine scheme, created repositories on an online file-sharing site to distribute RedLine to affiliates, and registered a cryptocurrency account in November 2021 to receive payments.


RedLine operated on a Malware-as-a-Service model. This is a criminal franchise structure in which the core developers build and maintain the malware platform, then license it to affiliates who run their own infection campaigns in exchange for a fee. Affiliates distributed RedLine to victims using malvertising, phishing emails, fraudulent software downloads, and malicious software sideloading, with various ruses — including COVID-19 and Windows update lures — used to trick victims into downloading the malware.

RedLine and its derivative Meta infostealer could also enable cybercriminals to bypass multifactor authentication through the theft of authentication cookies and session tokens. Multifactor authentication is a security layer requiring users to verify their identity through a second method beyond a password; stealing session cookies allows attackers to impersonate an already-authenticated user and render that protection useless.
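The server-side mitigation for stolen session cookies is to stop treating the cookie as proof of identity on its own: bind each session to the client context that created it, expire it on idle and absolute limits, and demand a fresh authentication step when the cookie shows up from a different context. The following is an added example, not code from the article or from any named product. The fingerprint recipe (keyed hash of the user agent plus the client's /24 or /64 prefix), the 30-minute idle limit and the 12-hour absolute limit are assumptions to tune per application.

```python
"""Bind a session to the client context that created it, so a replayed cookie
from elsewhere forces re-authentication instead of silently working.

Added example (not from the article). Limits and fingerprint recipe are assumptions.
"""
import hashlib
import hmac
import ipaddress
import secrets
from dataclasses import dataclass

IDLE_LIMIT_S = 30 * 60            # assumed idle timeout
ABSOLUTE_LIMIT_S = 12 * 60 * 60   # assumed hard lifetime
SERVER_KEY = secrets.token_bytes(32)  # per-deployment secret for the keyed hash


def client_fingerprint(ip: str, user_agent: str) -> str:
    """Keyed hash of the client's network prefix and user agent.

    Using a /24 or /64 rather than the exact address tolerates ordinary address
    churn; the HMAC means the stored value reveals neither the prefix nor the UA.
    """
    addr = ipaddress.ip_address(ip)
    prefix = ipaddress.ip_network(f"{addr}/{24 if addr.version == 4 else 64}", strict=False)
    material = f"{prefix}|{user_agent}".encode()
    return hmac.new(SERVER_KEY, material, hashlib.sha256).hexdigest()


@dataclass
class Session:
    user: str
    fingerprint: str
    created_at: float
    last_seen: float
    mfa_verified: bool = True


class SessionStore:
    def __init__(self):
        self._sessions: dict[str, Session] = {}

    def create(self, user: str, ip: str, ua: str, now: float) -> str:
        """Issue a session after a successful password + MFA login."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session(user, client_fingerprint(ip, ua), now, now)
        return sid

    def validate(self, sid: str, ip: str, ua: str, now: float) -> str:
        """Return 'ok', 'expired', 'invalid' or 'reauth_required' for a request."""
        s = self._sessions.get(sid)
        if s is None:
            return "invalid"
        if now - s.created_at > ABSOLUTE_LIMIT_S or now - s.last_seen > IDLE_LIMIT_S:
            self._sessions.pop(sid)
            return "expired"
        if not hmac.compare_digest(s.fingerprint, client_fingerprint(ip, ua)):
            # Cookie presented from a different context: fail closed for every
            # holder of this session until someone completes MFA again.
            s.mfa_verified = False
            return "reauth_required"
        if not s.mfa_verified:
            return "reauth_required"
        s.last_seen = now
        return "ok"

    def reverify(self, sid: str, ip: str, ua: str, now: float) -> bool:
        """Call only after a fresh MFA success; rebinds the session to this client."""
        s = self._sessions.get(sid)
        if s is None:
            return False
        s.fingerprint = client_fingerprint(ip, ua)
        s.mfa_verified = True
        s.last_seen = now
        return True


if __name__ == "__main__":
    store = SessionStore()
    ua = "Mozilla/5.0 (Windows NT 10.0) Chrome/120"   # constructed sample UA
    sid = store.create("alice", "203.0.113.10", ua, 1000.0)
    print(store.validate(sid, "203.0.113.10", ua, 1100.0))          # ok
    print(store.validate(sid, "198.51.100.7", "curl/8.0", 1200.0))  # reauth_required
```

Two design choices are worth noting. A mismatch marks the whole session as unverified rather than only rejecting the offending request, so a legitimate user is also prompted if their cookie has been replayed elsewhere, which doubles as a signal that something was stolen. And `reverify` is the only path back to `ok`, so it must be reachable only from the application's MFA handler; the session's own cookie is not enough to call it.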

The Lapsus$ threat group used RedLine to obtain passwords and cookies from an employee account at a major technology company and subsequently used that access to obtain and leak limited source code. RedLine also infected hundreds of systems belonging to U.S. Department of Defense personnel, and authorities have described its victim count in the millions globally.

Minasyan’s extradition represents the second defendant charged in connection with Operation Magnus, the joint international takedown announced in October 2024.

Read: Law Enforcement Puts a Damning Dent in RedLine and Meta Infostealer Operations

Operation Magnus — a Joint Cybercrime Action Taskforce operation supported by Europol — resulted in Dutch authorities seizing three servers running the malware, Belgian authorities seizing communication channels and Telegram accounts used by the operators, and the recovery of a database of thousands of RedLine and Meta clients. That client database gave investigators a roadmap for follow-on prosecutions that continues to generate results.

The first defendant charged, Russian national Maxim Rudometov, was identified as a developer and administrator of RedLine; the charges against him were unsealed in the Western District of Texas in October 2024. Rudometov, believed to reside in Krasnodar, Russia, is not expected to face extradition given his location.

Read: U.S. Charges Man Behind RedLine Infostealer that Infected U.S. DoD Personnel Systems

Minasyan’s extradition from Armenia, by contrast, demonstrates the value of maintaining extradition treaty relationships and Eurojust cooperation frameworks that can reach defendants in jurisdictions the United States cannot reach directly.

The investigation is a joint effort by the FBI Austin Cyber Task Force, which includes the Naval Criminal Investigative Service, IRS Criminal Investigation, the Department of Defense Office of Inspector General’s Defense Criminal Investigative Service, and the Army Criminal Investigation Division.

The case demonstrates a sustained prosecution strategy, where rather than treating Operation Magnus as a one-time disruption event, the DOJ has continued converting the intelligence gained from seized infrastructure and client databases into individual criminal referrals across multiple jurisdictions.


Source: https://thecyberexpress.com/redline-infostealer-networks-second-defendant/