Two days ago, @TheJusticeDept announced an international disruption effort against the current version of RedLine Infostealer.
It's #OSINT time!
In the redacted complaint, Maxim Rudometov is identified as one of the developers of RedLine: justice.gov/usao-wdtx/medi…
Using Predicta Graph and #OSINT techniques, I’ve retraced each step taken by the @FBI. For full details, check out the complete graph!
predictagraph.com/graph/snapshot…
On March 4, 2020, a blogger named Foxovsky published a post on RedLine and its creators.
In his post, he mentioned two usernames connected to the stealer: Dendimirror and Alinchok. web.archive.org/web/2020031104…
Foxovsky's first blog post about the Dendimirror stealer dates back to 2018: web.archive.org/web/2018081912…
He leaked the decompiled source code of the stealer on github: github.com/mem3nt0/Dendim…
The Dendimirror alias is clearly tied to a stealer, making it worth investigating to identify who’s behind it.
Searching this alias in data leaks led me to a Yandex email address: makc1901@yandex.ru
Using PredictaSearch.com’s APIs, I found two linked accounts:
- A LinkedIn profile under the name Максим Рудометов: linkedin.com/in/%D0%BC%D0%B…
- A GitHub account with the username GHackiHG: github.com/GHackiHG
Searching the username GHackiHG in data leaks revealed:
- A phone number: +380667138024
- An email address: makc1901@yandex.ua
Using the predictasearch.com API, I found this account: ask.fm/navi_ghacking.
This introduces a new username: navi_ghacking!
Searching for this username on VK revealed that Maxim used it to promote his developer services: vk.com/wall-98119902
It also gave us a VK profile: vk.com/navi_ghacking
Clicking on the deleted post led to another VK account with the ID id170399893.
Using vk.watch, numerous snapshots of this VK profile are accessible for further investigation.
We have photos of Maxim!
Using Search4Faces, I discovered an additional VK profile linked to Maxim vk.com/id377254012
Did you notice the bloodzz.fenix Skype account is listed on Maxim's VK profile? He mentioned it too in posts on certain hacker forums 🤦‍♂️
That concludes the OSINT phase of our investigation. We traced the Dendimirror alias back to Maxim, who is clearly connected to malicious activity and stealer development.
However, the question remains: is he definitively the developer of RedLine, as Foxovsky claimed?
Being an @FBI agent made the difference: they accessed server logs from providers like Binance, GitHub, Apple, and Skype.
By analyzing Maxim’s connection patterns, they confirmed his role in RedLine's development and operation.
That’s a wrap!
For the complete breakdown, check out the full graph with all the details: predictagraph.com/graph/snapshot…
x.com/fs0c131y/statu…
PS1: The VK group we found previously was created by Maxim. In the group info we can find:
- 2 projects: VkApiChecker and VkGroupParser
- 1 website: best-shop-items.blogspot.com
- His name: Maksim Roudomiotov
PS2: On GitHub, in the repository named "LicenseManager" there's a file titled Wolk.exe, available at this link: github.com/GHackiHG/Licen…
This file has been uploaded to VirusTotal, where it's shown to connect to the domain sofatel4.ru.
In 2019, another file named myfile.exe, which also connects to the domain, was uploaded to VirusTotal: virustotal.com/gui/file/d1418…
This analysis reveals two additional pieces of information: the IP address 93.189.41.63 and the domain gdlvw1.com.
The graph has been updated with the latest info
predictagraph.com/graph/snapshot…
To make it easier to read, I published a LinkedIn article containing the full content of this Twitter thread
linkedin.com/pulse/tracking…