DOJ charges alleged Trickbot developer

The U.S. Department of Justice has gone public with its first known arrest surrounding Trickbot, the infamous malware tool used for ransomware deployment.

Alla Witte, also known as "Max," was arraigned in a Cleveland federal court Friday on multiple charges related to her alleged role in developing and deploying Trickbot. The 55-year-old Latvian national was indicted last August and arrested on Feb. 6 in Miami, according to a DOJ press release.

Witte faces 19 counts on a 47-count indictment, with the rest of the charges belonging to a number of unnamed defendants and alleged co-conspirators. The names of the six other defendants were redacted in an unsealed indictment, though the documents showed the suspects were citizens of Russia and Ukraine. 

According to the indictment, Witte is accused of developing Trickbot and managing portions of the malware-as-a-service operation. Unlike the other defendants, however, Witte's charges involve ransomware.

"Witte was a malware developer for the Trickbot Group, overseeing the creation of code related to the monitoring and tracking of authorized users of the Trickbot malware, the control and deployment of ransomware, obtaining payments from ransomware victims, and developing tools and protocols for the storage of credentials stolen and exfiltrated from victims infected by Trickbot," the indictment read.

Trickbot was first observed in 2014 as a banking Trojan named Dyre before threat actors expanded it to the realms of malware as a service, botnets and ransomware over the following years. The primarily Eastern European Trickbot Group has become infamous for its activities, infecting millions of computers in the process. It was the fourth most prevalent malware in 2020 according to Check Point Software Technologies' global threat index.

Last October, a private sector coalition led by Microsoft, CrowdStrike and Intel 471 initiated a legal takedown against Trickbot that supposedly took down 94% of the malware gang's infrastructure. Though this action had major impact on its operations, the gang managed to continue its attacks and has introduced a new firmware-targeting module. 

Witte's charges include aggravated identity theft (eight counts), bank fraud affecting a financial institution (eight counts), conspiracy to commit computer fraud and aggravated identity theft (one count), conspiracy to commit money laundering (one count) and conspiracy to commit wire and bank fraud affecting a financial institution (one count).

Conspiracy to commit wire and bank fraud carries a potential 30-year maximum sentence, as does each count of bank fraud. Conspiracy to commit money laundering carries a 20-year maximum sentence.

The DOJ did not respond to SearchSecurity's request for comment.

Alexander Culafi is a writer, journalist and podcaster based in Boston.