“Crazy Max”. How did a 55-year-old Russian woman from Rostov-on-Don hide under the guise of a dangerous international hacker?

by alex

The Trickbot Trojan is one of the most famous in the world. The cybercriminal group of the same name and the botnet it created have caused a lot of problems for network users: the hackers are ready to sell their dangerous software to anyone, and their clients then use the code at their own discretion. One of the key figures in the Trickbot team in recent years was a certain Max, a gifted programmer who gave his talent to the “dark side”. As with the rest of the gang, Max's real name and identity were unknown. But in early June, “Max” was brought before an American court: it turned out that, according to the investigation, 55-year-old Alla Witte from Rostov-on-Don was hiding under this name. “Lenta.ru” studied the investigative documents and figured out what the native of Russia is accused of, and most importantly, how she got into one of the most influential hacker groups on the planet and what role she played in its development.

Path into the shadow

Alla Witte looks nothing like a criminal: the photographs show a pretty red-haired woman with an attentive gaze. Her numerous resumes on professional sites are convincing: Witte is a high-class professional who can perform complex work quickly and efficiently. Almost nothing hints at the other side of her life, where she, as a member of the Trickbot gang, keeps the virtual lives of many people on a leash. But if you take a closer look at her online life, you can find some clues.

Photo: holdsecurity.com

Witte was undone by her online activity. Despite her expertise in hacking, she clearly had big security problems. Many cybercriminals have profiles on social networks, where they can even be very sociable and active, but none of them would think of bringing their criminal activities into public view. At first glance, everything in Witte's accounts is very ordinary: pictures with cats, virtual greeting cards, invitations to play together on the VKontakte platform. However, in one of her posts on the social network, she mentions a certain Maxim. It may be a coincidence, but it was this name that she used as a pseudonym.

The next step seems completely strange for a hacker: in January 2020, Witte used her personal website to distribute malicious software. This case was reported on Twitter by a cybersecurity expert under the nickname gorimpthon (more than a thousand people follow his page), and this is how many learned about it. Just over a month earlier, the suspect had infected one of her own devices with the malware: the software sent her data to the botnet and registered it. These failures clearly demonstrate Witte's carelessness, for which she paid. It is also reported that most members of the Trickbot team, for whom anonymity is a primary concern, knew her first and last name perfectly well.

Alla Witte's review of the capital creation course. Screenshot: n.mrochkovskiy.ru

The real name of Alla Witte is Klimova. She was born in 1965 in Rostov-on-Don, and in 1983 she moved to Riga, where she entered the University of Latvia and studied applied mathematics for several years. Interest in programming arose immediately, but was not realized: Klimova managed to work as both a teacher and a sales manager. She later married, changed her last name and moved to Amsterdam. The Witte couple traveled a lot, and in recent years settled in Suriname.

Alla Witte's love of life and desire for self-realization can be envied: “I want to be an excellent programmer, able to create exclusive solutions and travel to clients in different countries. I work for myself and clients for a gigantic amount of time because I can do it, and therefore I do it,” she writes. On Russian-language forums, she advises beginners to cut out of their lives those who try to convince them that they are failures. According to her, one should seek support and advice from professionals and reject those who hold one back.

Alla Witte's commentary on the developer site. Screenshot: dle-faq.ru

Witte has advertised her services as a developer in a large number of freelance communities. Since 2012, she has received consistently positive reviews: customers note the quality of her work and her professionalism. Presumably, it was on a freelance site that Trickbot members found her.

USA vs Witte

On February 6, Witte was arrested in Miami. She appeared in court for the first time on June 4: charges were brought related to her alleged membership in a dangerous group. It is this team that is held responsible for creating and deploying a banking Trojan and a set of ransomware programs, collectively known as Trickbot. On June 8, 2021, the United States of America v. Alla Witte case was opened, which promises to be high-profile.

Alla Witte is charged in 19 of 47 counts for her involvement in a criminal organization known as the Trickbot group, which deployed the Trickbot malware. The indictment alleges that since November 2015, Witte and her accomplices worked together to infect victims' computers with the Trickbot malware, designed to hijack online banking credentials and collect other personal information, including credit card numbers, emails, passwords, dates of birth, social security numbers and addresses. Witte and others also allegedly hijacked login credentials and other personal information in order to access bank accounts online, make unauthorized wire transfers, and launder money through recipients' accounts in the United States and abroad.

Photo: Steve Marcus / Reuters

The Trickbot group operated in Russia, Belarus, Ukraine and Suriname, and primarily targeted victims' computers belonging to businesses, organizations and individuals, including in the Northern District of Ohio and other areas of the United States. Targets included hospitals, schools, utilities, and governments.

Materials of the case “United States of America v. Alla Witte”

The US Attorney's Office for the Northern District of Ohio has already announced that it considers 55-year-old Latvian citizen Witte to be Max from the Trickbot team. The case against the hacker group builds on at least a five-year archive of victims' reports of Trickbot cyberattacks in the United States – from local school districts, real estate companies, country clubs, law firms, utilities – as well as information from the FBI, which has been working on the group since 2016.

Over the years, Witte has gone from being an amateur developer to being a key figure in the Trickbot syndicate, according to federal prosecutors. It is assumed that the team has a total of seven people.

The accused herself refused a hearing on her detention and did not make any official statements. However, experts are confident that if she agrees to cooperate with the authorities, her testimony will make an invaluable contribution to exposing the cybercriminal network. Witte will remain in custody in Cleveland until she is brought to trial. The Justice Department declined to describe in detail the circumstances of her arrest, except that she arrived in Miami from Suriname, where she resides with her family.

As noted by Deputy Attorney General Lisa Monaco, Witte's case should be read as a warning to potential cybercriminals that the Department of Justice, through a task force, will use all available tools to disrupt the cybercriminal system.

Passionate but unlucky cybercriminal

It is generally accepted that hackers are relatively young people. Some experts, having learned about Witte, suggested that this was a hoax or forgery. Alex Holden, the creator of the cyber investigations consulting company Hold Security, called her a unicorn: “She combines a passion for learning technology, and this in her old age, with the life of a hapless cybercriminal who developed malware and ransomware that hurt many,” he stressed.

Photo: Alla Witte's page on VKontakte

Trickbot first became known in the fall of 2016, when the banking Trojan attacked the PayPal payment system and CRM systems. Later, more and more components were added to it: self-propagating viruses, programs for stealing credentials and cookies, active counteraction to security systems (including bypassing two-factor authentication), and much more. The malicious software is most often spread by phishing emails, including programs, Google Docs, and batch files.

The group sells its malware to everyone. Because of this, infections can come from different directions at the same time. Once infected, the victims become part of a huge botnet, a network of thousands of computers and servers around the world that carry the dangerous Trickbot program. It is also used as an entry point by hackers hunting for data for espionage or wanting to introduce ransomware. According to Eclypsium, this is one of the most popular entry points for ransomware attacks in use today.

Since its first discovery, Trickbot operators have stolen hundreds of millions of dollars from their victims in the United States. The hackers stopped at nothing: when COVID-19 case numbers rose sharply in the United States, the authorities immediately warned of imminent attacks on hospitals and health care providers from the largest hacker groups, including Trickbot.

Frame: Alla Witte / Youtube

So, in September 2020, the entire American healthcare system was paralyzed: the infection occurred through phishing emails and the subsequent installation of Trickbot, and then the ransomware Ryuk. All attempts by the FBI to destroy Trickbot were in vain: the attacks could significantly damage the operation of Trickbot, but the hackers have developed excellent backup recovery mechanisms for it, so such disruptions do not affect it for long. By 2021, cybersecurity researchers had warned that the hackers had improved their brainchild again. Experts believe that the authorities should not let up in their pursuit of cybercriminals, who are constantly trying to leave them far behind.

In her first week in the Trickbot group, which she joined in 2018, Witte is believed to have written code to track each of the hundreds of users of the malware. Over the course of several months, she also prepared a manual in which she showed her “colleagues” how to use the proposed surveillance and espionage software. Over the next year, she also wrote code for a web panel that Trickbot uses to store a giant database of stolen data. It is known that the panel also included a color-coding system so that users could track the progress of each unique infection. According to court records and the indictment, Witte later continued to write code to control the deployment of ransomware, and even oversaw the content of the messages about system encryption intended for victims. Now the reckless hacker faces a long prison sentence for each of the imputed episodes, some of which carry about 20 and 30 years in prison.
