Russian law enforcement detained three individuals on October 30, 2025, suspected of developing and selling the Meduza Stealer malware, following an investigation prompted by a breach of a Russian government organization. These arrests in Moscow and surrounding areas signal a potential shift in Russia’s approach to domestic cybercriminal activity, moving towards more active management.
The suspects, identified as “young IT specialists,” allegedly operated Meduza as a Malware-as-a-Service (MaaS) offering since mid-2023. This C++-based information stealer gained notoriety for its capabilities, which included extracting login credentials from over 100 browsers and 27 password managers, cryptocurrency data from over 100 wallets, and information from the Telegram and Steam clients. Meduza 2.2 was reportedly sold on underground forums and Telegram channels for $199 per month, with a lifetime membership priced at $1,199. The malware also used the ChaCha20 algorithm for payload encryption and included anti-VM checks, enabling it to evade security analysis.
A critical turning point in the investigation occurred when the group allegedly breached a Russian government organization in the Astrakhan region earlier in 2025, stealing classified data. This action directly contradicted Meduza Stealer’s design, which incorporated a geo-filter intended to avoid targeting entities within Russia, Kazakhstan, and Belarus—a common operational security practice among local cybercriminals to minimize state attention.
Police raids, conducted with the support of Rosgvardia forces, resulted in the seizure of computer equipment, phones, and bank cards. Video footage of the operation was released by Russia’s Interior Ministry via MVDMedia.ru. Investigators further uncovered evidence that the group had developed a second, unidentified piece of malware designed to disable security defenses and establish botnets. Irina Volk, spokesperson for Russia’s Interior Ministry, confirmed the arrests and stated, “Three defendants have chosen various preventive measures. All accomplices and episodes of illegal activity are established.” The suspects face a potential prison sentence of up to five years if convicted.
These arrests align with recent analyses suggesting a change in Moscow’s stance regarding domestic cybercrime. A report from Recorded Future’s Insikt Group indicated that Russia’s strategy toward the local hacking scene is evolving from passive tolerance to active management. The incident reflects Russia’s assertion of state authority, particularly against domestic hackers whose activities become too visible or politically inconvenient.