An Armenian national appeared in U.S. federal court on Tuesday after prosecutors accused him of being a leading developer of RedLine, one of the most widely used infostealer malware variants in the world.

Hambardzum Minasyan is facing up to 30 years in prison after the Justice Department secured his arrest and extradition on Monday. Minasyan appeared in an Austin federal court on Tuesday and was indicted on charges of conspiracy to commit access device fraud, conspiracy to violate the Computer Fraud and Abuse Act and conspiracy to commit money laundering. If convicted, he faces up to 10 years in prison for access device fraud and up to 20 years in prison for each of the other two counts.

In court documents, prosecutors said Minasyan worked with other men to maintain the digital infrastructure that backed the RedLine malware, including administrative panels and servers that enabled affiliates to deploy the malware on victim devices. Minasyan and others collected payments from affiliates who used the malware, offering customer service to hackers and coordinating with them on the theft of financial information. Prosecutors said he also laundered his earnings from the scheme through cryptocurrency exchanges.

Minasyan registered servers hosting part of RedLine’s infrastructure and ran internet domains in support of the malware. He additionally created repositories that enabled him and others to distribute RedLine to other hackers.

The extradition of Minasyan follows an October 2024 takedown of RedLine infrastructure launched by the Justice Department and law enforcement agencies in the Netherlands, Belgium and other countries. That action coincided with charges issued against Maxim Rudometov, another developer and administrator of RedLine. U.S. prosecutors said Rudometov is a Russian national believed to reside in the city of Krasnodar. The malware has been sold on several underground hacking forums since March 2020.
With RedLine, hackers had the ability to extract login credentials from web browsers, FTP clients, email apps, instant messaging clients and VPNs before selling them on underground markets. Cybersecurity experts previously said hackers deployed the malware in thousands of attacks against systems in more than 150 countries and territories.

RedLine allowed attackers to collect system information such as usernames, hardware, installed browsers and anti-virus software before exfiltrating passwords, credit card numbers, crypto wallets and VPN logins to a remote command and control server.

In November, U.S. authorities sanctioned a prominent Russian bulletproof hosting company that provided hosting services to RedLine’s developers. Researchers previously found that the vast majority of stolen credentials currently sold on two dark web underground markets were collected using the RedLine malware.
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.