Alla Witte’s plans for a new career as a computer programmer were to help clients earn enough money to see the world, according to YouTube videos and social media posts. She was in her late forties with a degree in applied mathematics and an itch to do computer programming.
But there was a darker side to Witte’s interest in computers, according to federal prosecutors. In the six years leading up to October 2018, Witte reportedly transformed from an amateur developer to a key cog in a cybercrime syndicate known as Trickbot.
Witte, now 55, assumed the identity “Max” and began writing illicit code, according to an unsealed federal indictment on February 8 after her arrest in Miami. She has since been transferred to Cleveland, where she is one of seven suspected members of the Trickbot gang indicted for their role in a global fraud, data theft and ransomware operation with roots in Russia, Ukraine and Belarus.
But Witte is the first suspected member of the Trickbot cybergang to be detained in the United States. She appeared before a U.S. investigating judge on June 4 for her arraignment, where she waived her rights to a detention hearing. She has not yet entered a plea in the case.
Witte’s Cleveland Public Defender Ed Bryan did not respond to requests for comment.
If Witte were to cooperate with authorities, her insights could be invaluable as the Biden administration and a new Justice Department task force tackle ransomware and other cybercrime, said Alex Holden, founder of the cybersecurity investigations company Hold Security. She could also help US officials understand the structure of a stubborn and large-scale cybercrime operation with so many tentacles that it managed to escape a pair of takedown operations by US Cyber Command and Microsoft Corp. in 2020, he said.
Trickbot is the name of a cybercrime group, a piece of malicious code and a botnet, a network of hacked internet-connected devices used to carry out cyber attacks. The cybercrime group manages the botnet and sells its malware to “affiliates,” who then use it to target various victims, according to cybersecurity research firm Malwarebytes Inc.
Once infected, victims become part of the botnet, a network of thousands of computers and servers around the world that carry the Trickbot malware. The malware is used as an entry point for hackers to search for data for espionage purposes or to inject ransomware. It is one of the most popular entry points for ransomware attacks currently in use, according to cybersecurity company Eclypsium Inc.
Since it was first detected in 2016, Trickbot operators have stolen tens to hundreds of millions of dollars from victims in the United States, including banks, universities and local governments, according to cybersecurity experts and court documents. In October, as coronavirus cases increased in the United States, authorities warned of “an increased and imminent cybercrime threat to US hospitals and healthcare providers” from Trickbot and other hacking groups.
At first glance, Witte’s public persona offers no clue about her alleged interest in cybercrime. Her friends have sent her digital postcards of cats celebrating Christmas and requests to play games together, according to her account on Russian social media site VK.
Additionally, hackers tend to be relatively young males. When Holden first heard of Witte, he said he thought it might be an elaborate hoax.
“Alla Witte is a unicorn,” he said. “She combines a passion for learning technology at an old age with the life of a hapless cybercriminal who has developed malware and ransomware that has harmed many.”
During her first week on the job for the Trickbot Group in 2018, Witte wrote code to track each of the hundreds of users using its malware, according to the indictment. Within months, she produced a video tutorial showing her Trickbot partners how to use the tracking software. By the time she had been with the group for a year, she had created the code for the web panel that Trickbot uses to store its massive database of stolen victim data, including a color coding system so that other users can monitor the progress of each infection, according to court records.
Witte would go on to write the code that controls the deployment of the ransomware, including the note received by victims announcing that their computer system has been encrypted, according to the indictment.
Witte provides details of her background on social media accounts, which were discovered and translated by Holden. She grew up along the Black Sea in the Russian city of Rostov-on-Don. After graduating from the University of Latvia, Witte worked as a sales manager and teacher in the 1980s. Her interest in technology emerged in the late 1990s and early 2000s, according to the posts.
After getting married in 2007, her family moved from the Netherlands to Suriname, South America. It was around this time, in 2013, that she began to professionally embark on website development. In her posts, she expressed her determination to find success and happiness in her new career. In Russian-language forums, writing in her mother tongue, she offered advice to young professionals and thanked those who helped her follow her path.
“You are absolutely right that you have to exclude from your life those who are trying to prove that you won’t accomplish anything,” she posted in the comments section of a job search video, in a post translated by Holden. “I’ve heard it all, you are too old for this type of work. Overall, I have spoken on the internet with several people who have supported me or given me professional advice.”
But in 2020, she reportedly grew careless and allowed her alleged cybercrime persona to blend into her social media profile. In January, she used her personal website to distribute the Trickbot malware. By this time, her colleagues in the Trickbot operation knew the identity of “Max”, referring to her “almost as if they were speaking to their mother,” said Holden, a specialist in Trickbot activity.
Witte will remain detained in the United States in Cleveland until she is brought to trial. The case against her and her alleged cyber-gangster colleagues is based on at least five years of reports from victims of Trickbot cyber attacks in the United States, including local school districts, real estate companies, country clubs, law firms and utilities, coupled with the FBI’s unique access to the hacking group’s own command and control servers dating back to at least 2016, according to the indictment.
The Justice Department declined to detail the circumstances of her arrest except to say that she was living with her family in Suriname when she arrived in Miami and was detained.