(BLOOMBERG) – Alla Witte’s plans for a new career as a computer programmer included helping clients make enough money to see the world. The Russian was in her late 40s with a degree in applied mathematics and an itch to do computer programming.
But there was a darker side to her interest in computers. In the six years leading to October 2018, Witte allegedly transformed from amateur developer to a key cog in a cybercrime syndicate known as Trickbot.
Witte, now 55, assumed the identity “Max” and started writing illicit code, according to a US federal indictment unsealed on Feb 8, after she was detained in Miami. She is one of seven alleged members of the Trickbot gang facing charges for their role in a global fraud, data theft and ransomware operation with roots in Russia, Ukraine and Belarus.
Trickbot is the name of a cybercrime group, a piece of malicious code and a botnet, a network of hijacked Internet-connected devices used to carry out cyber attacks. The cybercrime group manages the botnet and sells its malware to “affiliates” who then use it to target various victims, according to Malwarebytes, a cyber-research company.
Once infected, victims become part of the botnet, a network of thousands of computers and servers around the world that are carriers of the Trickbot malware.
The malware is used as a point of entry for hackers hunting for data for espionage or looking to inject ransomware. It is among the most popular sources of entry for ransomware attacks in use today, according to cyber-security company Eclypsium.
Since it was first detected in 2016, Trickbot operators have stolen tens to hundreds of millions of dollars from victims in the United States, including banks, universities and local governments, according to cyber-security experts and court documents.
As coronavirus cases surged in the US, the authorities warned of an “increased and imminent cybercrime threat to US hospitals and healthcare providers” from Trickbot and other hacking groups.
At first brush, Witte’s public persona does not offer any hints at her alleged interest in cybercrime. Her friends sent her digital postcards of cats celebrating Christmas and requests to play games together, according to her account on Russian social media site VK.
In addition, hackers tend to be relatively young men. In her first week working for the Trickbot group in 2018, Witte wrote a code to track each of the hundreds of users weaponising its malware, according to the indictment. Within months, she produced a video tutorial showing her Trickbot partners how to use the tracking software.
By the time she had been with the group for a year, she had authored code for the Web panel that Trickbot uses to store its massive database of stolen victim data, including a colour-coding system so fellow users could monitor the progress of each infection, according to court records.
Witte would go on to write the code that controls the deployment of ransomware, including the note victims received announcing that their computer system had been encrypted, the indictment said.
She grew up along the Black Sea in the Russian city of Rostov-on-Don. After studying at the University of Latvia, she worked as a sales manager and teacher in the 1980s.
After getting married in 2007, her family moved from the Netherlands to Suriname, in South America. It was around this time, in 2013, that she began dabbling professionally in website development. In her posts, she expressed determination to find success and happiness in her newfound career. In language forums in Russian, her native language, she offered advice to younger professionals and thanked those who had helped her follow her path.
“You are absolutely correct that you have to exclude from your life those who try to prove that you will not accomplish anything,” she posted in the comments section of a video about job hunting.
But last year, Witte allegedly stopped being careful and allowed her alleged cybercrime persona to blend in with her social media profile. In January, Mr Alex Holden, the founder of cyber-investigations firm Hold Security, said she used her personal website to distribute Trickbot malware. By that time, her colleagues inside the Trickbot operation were familiar with the identity of “Max”, referring to her “almost like they would address their mothers”, said Mr Holden, who specialises in Trickbot activity.