US readies prison cell for another Russian Trickbot developer

Hunt continues for the other elusive high-ranking members


Another member of the Trickbot malware crew now faces a lengthy prison sentence amid US law enforcement's ongoing search for its leading members.

Russian national Vladimir Dunaev, 40, faces a maximum sentence of 35 years in prison for his involvement in the now-shuttered Trickbot malware, which was often used to deploy ransomware.

Dunaev, who pleaded guilty to the charges against him on Thursday, was one of the developers behind Trickbot, malware that was used to attack various organizations including hospitals and schools.

The Department of Justice (DoJ) said that tens of millions of dollars in losses have been incurred by Trickbot victims since it was first launched in 2016.

"As set forth in the plea agreement, Vladimir Dunaev misused his special skills as a computer programmer to develop the Trickbot suite of malware," said Rebecca C Lutzko, US attorney for the Northern District of Ohio, in response to Dunaev's plea hearing.

"Dunaev and his codefendants hid behind their keyboards, first to create Trickbot, then using it to infect millions of computers worldwide – including those used by hospitals, schools, and businesses – invading privacy and causing untold disruption and financial damage.

"The Justice Department and our office have prioritized investigating and prosecuting cybercrime, and today's guilty plea demonstrates our willingness to reach across the globe to bring cybercriminals to justice. We will continue to work closely with our partners, foreign and domestic, and use all resources at our disposal to stop similar behavior."

Dunaev was extradited to the US from the Republic of Korea in 2021 and joins a growing list of Trickbot members firmly in the crosshairs of US prosecutors.

Earlier that year, fellow Trickbot developer Alla Witte, 55, was snared by the DoJ and faced a 47-count indictment, potentially leading to a lifetime sentence. Witte was sentenced in June 2023 and ultimately received just two years and eight months in prison.

In September this year, the US and UK jointly issued financial sanctions on 11 other members of Trickbot, all believed to hold roles in the development or administration of the malware.

These were the second round of sanctions against members of the group, with the first coming earlier in February. Seven individuals were named in what was the UK's first-ever cybercrime-related round of sanctions.

All 18 now have travel bans imposed, are barred from doing business with US or UK organizations, and many have already been indicted by the US pending extradition.

The UK's National Crime Agency (NCA) said the group had extorted at least $180 million from victims globally, at least $34 million of which came from 149 victims in the UK.

Trickbot started life as a banking trojan and is widely believed to be the successor to the Dyre malware, another banking trojan first spotted two years earlier in 2014.

The code similarities between the two led researchers to believe the same team behind Dyre may have also helped bring Trickbot to life, though US prosecutors have made no such links.

From its birth in 2016, Trickbot was under consistent active development, with new features regularly being added to the kit, including wormability in 2017 – a feature that researchers at Malwarebytes believe was inspired by WannaCry and EternalPetya.

Over the years it helped deploy ransomware variants such as Ryuk and was a long-time partner of Emotet, even playing a role in Emotet's 2021 rebirth just six months after an internationally coordinated law enforcement effort brought it down.

It eventually shut down in early 2022 after a lengthy period of inactivity. Many of its members were thought to have already shifted to the hugely successful (at the time) Conti ransomware gang.

The Russia-linked group behind Trickbot, Conti, and Ryuk is Wizard Spider, which has also attracted heavy attention from the US, including multimillion-dollar bounties for information about its members.

When the infosec industry describes certain cybercriminal groups as "business-like" – the most sophisticated and well-run operations, some of which even work out of ordinary metropolitan office buildings – Wizard Spider is among the groups that fit the description, according to researchers.

Wizard Spider is reportedly made up of a complex network of subgroups. According to the list of sanctioned individuals tied to Trickbot, it even has normal-sounding job titles such as human resources officer.

If the links to Russia hold up, it's unlikely the sanctioned individuals will ever be extradited to face their charges, unless they enter a country with an extradition agreement with the US.
