TrickBot member extradited to US faces up to 60 years in prison

An alleged member of the TrickBot gang, the Russian national Vladimir Dunaev (aka FFX), has been extradited to the US.

Vladimir Dunaev (38), a Russian national suspected to be a member of the infamous TrickBot gang, has been extradited to the U.S. and could be sentenced to up to 60 years in prison.

“He is charged with conspiracy to commit computer fraud and aggravated identity theft, conspiracy to commit wire and bank fraud, conspiracy to commit money laundering, and multiple counts of wire fraud, bank fraud, and aggravated identity theft. If convicted of all counts, Dunaev faces a maximum penalty of 60 years’ imprisonment. A federal district court judge will determine any sentence after considering the U.S. Sentencing Guidelines and other statutory factors.” reads a press release published by DoJ.

Dunaev, also known as FFX, was involved in the development of a browser injection module for the Trickbot malware.

The man was arrested at the end of August at the Seoul international airport, he has remained stuck in the Asian country since February 2020 due to the COVID-19 lockdown imposed by the local government and the cancelation of international travel.

According to The Record, which first reported the news, after the travel restrictions were lifted, the suspect has an ugly surprise, his passport had expired. Mr. A, this is the pseudonym used to identify the individual, was forced to live in a Seoul waiting for the replacement of his passport from the local Russian embassy.

The Seoul High Court Criminal Division 20 (Chief Judge Jeong Seon-jae Baek Suk-jong Lee Jun-hyun) charged Mr. A for being a developer for the TrickBot gang since 2016.

“Trickbot attacked businesses and victims across the globe and infected millions of computers for theft and ransom, including networks of schools, banks, municipal governments, and companies in the health care, energy, and agriculture sectors,” said Deputy Attorney General Lisa O. Monaco. “This is the second overseas Trickbot defendant arrested in recent months, making clear that, with our international partners, the Department of Justice can and will capture cyber criminals around the world. This is another success for the Department’s recently launched Ransomware and Digital Extortion Task Force in dismantling ransomware groups and disrupting the cybercriminal ecosystem that allows ransomware to exist and to threaten our critical infrastructure.”

“The Trickbot malware was designed to steal the personal and financial information of millions of people around the world, thereby causing extensive financial harm and inflicting significant damage to critical infrastructure within the United States and abroad,” said Acting U.S. Attorney Bridget M. Brennan of the Northern District of Ohio. “Today’s announcement underscores the great lengths federal law enforcement officials and our international partners will go to hold these alleged cybercriminals accountable for their actions.”

Investigators believe that the TrickBot gang was composed of at least 17 members, malware managers, malware developers, crypters, and spammers.

The Trickbot botnet continues to evolve despite the operations conducted by law enforcement aimed at dismantling it. The authors recently implemented an update for the VNC module used for remote control over infected systems.

In October, Microsoft’s Defender team, FS-ISAC, ESET, Lumen’s Black Lotus Labs, NTT, and Broadcom’s cyber-security division Symantec joined the forces and announced a coordinated effort to take down the command and control infrastructure of the infamous TrickBot botnet.

Even if Microsoft and its partners have brought down the TrickBot infrastructure, its operators attempted to resume the operations by setting up new command and control (C&C) servers online.

Following the takedown, the operators behind the TrickBot malware have implemented several improvements to make it more resilient.

TrickBot is a popular banking Trojan that has been around since October 2016, its authors have continuously upgraded it by implementing new features. Operators continue to offer the botnet through a multi-purpose malware-as-a-service (MaaS) model. Threat actors leverage the botnet to distribute a broad range of malware including info-stealer and ransomware such as Conti and Ryuk. To date, the Trickbot botnet has already infected more than a million computers.

In June, the US Department of Justice (DOJ) announced the arrest of Alla Witte (aka Max), a Latvian woman that was charged for her alleged role in the development of the Trickbot malware. Witte was arrested on February 6 in Miami, Florida, she has been charged with 19 counts of a 47-count indictment.“Alla Witte, aka Max, 55, is charged in 19 counts of a 47-count indictment, which accuses her of participating in a criminal organization referred to as the “Trickbot Group,” which deployed the Trickbot malware.” reads the press release published by the DoJ. “The Trickbot Group operated in Russia, Belarus, Ukraine, and Suriname, and primarily targeted victim computers belonging to businesses, entities, and individuals, including those in the Northern District of Ohio and elsewhere in the United States. Targets included hospitals, schools, public utilities, and governments. Witte, who previously resided in Paramaribo, Suriname, was arrested on Feb. 6, in Miami, Florida.”

Witte was a member of the development team of the Trickbot Group, she developed the code for the deployment and the control of the threat. Witte also worked on the code for payments and developed the tools and protocols used to store login credentials stolen by the malware from victims’ systems.

All the charges against him come with a maximum penalty of 60 years in a federal prison.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, cybercrime)

[adrotate banner=”5″]

[adrotate banner=”13″]