A self-proclaimed programmer arrested on suspicion of being involved in the cybercrime group 'Trickbot' that caused global ransomware damage



The U.S. Department of Justice has announced that it has indicted a 55-year-old Latvian national, Ala Witte, who claims to be a programmer. Witte is a member of an international cybercrime group and is believed to have infected millions of malware called 'Trickbots.'

Latvian National Charged for Alleged Role in Transnational Cybercrime Organization | OPA | Department of Justice

https://www.justice.gov/opa/pr/latvian-national-charged-alleged-role-transnational-cybercrime-organization

Case 1:21-mj-02236-AOR Document 1 Entered on FLSD Docket 02/08/2021
(PDF file) https://www.justice.gov/opa/press-release/file/1401766/download


How Does One Get Hired by a Top Cybercrime Gang? – Krebs on Security
https://krebsonsecurity.com/2021/06/how-does-one-get-hired-by-a-top-cybercrime-gang/


Trickbot is the name of the Trojan horse malware and the name of the group that runs the world-famous botnet. Trickbot malware steals bank account information, email accounts, and network information and installs backdoors on infected systems to make them part of a botnet.

As malware for installing ransomware, Trickbot has already infected more than 1 million computers and IoT devices around the world, and Microsoft will play a central role in the 2020 US presidential election. Trickbot operation prevention project was being promoted.

Microsoft embarks on blocking the infamous malware 'TrickBot' for presidential election-GIGAZINE



Witte, who lives in Suriname , north of Brazil, was arrested when he arrived in Florida, USA, for some reason.

According to the complaint, Whitte suspected that he provided a code that displayed the status of infected computers and bots in red, yellow, and blue, allowing co-conspirators to know the status of the machine's infection. He also stole money from the victim's bank account and sent it to the money laundering network.

Witte is shown in the image below.



The investigative team regularly patrolled paid job sites based in Russia and Belarus to check the resumes of programmers seeking employment, seeking clues to Trickbot. The Trickbot group contacted programmers looking for a job and asked them to create various programs to test their problem-solving skills and coding skills.

Below is a log of conversations actually exchanged by instant messages by Trickbot officials. The log shows that job seekers quickly understand that their employer is a cybercriminal group. The Justice Department believes that Witte also connected to Trickbot through a job site and interacted with Trickbot for approximately two years from 2018 to 2020.



The Justice Department said, 'Trickbot's hiring model allows criminals to hire talented developers cheaply and secretly, but it provides a way for investigators to infiltrate the group, and in some cases. Carries the risk of identifying a conspirator. '

Also, as of 2020, Witte said that he was hosting ransomware and malware used in Trickbot in a domain using his real name 'allawitte.nl'. In addition, Witte was found to have revealed in his social media account that he used his close relative's first name, 'Max,' as his handle.

Security researcher Brian Krebs also points out that the information released by Witte himself may have led to his arrest, as hackers involved in crime usually do not reveal personal information online. doing.



According to the Justice Department, Whitte has one conspiracy charge for computer fraud and personal information theft, one conspiracy charge for interception and bank fraud affecting financial institutions, and eight conspiracy charges for bank fraud affecting financial institutions. He was charged with eight conspiracy charges for theft of personal information and one conspiracy charge for money laundering. If all charges are convicted, Witte will be sentenced to a minimum of 30 years in prison.

in Security, Posted by log1i_yk