Vladimir Dunaev, a Russian national accused of being part of the group behind the notorious TrickBot malware, appeared in federal court in Ohio on Thursday after being extradited from South Korea.
Dunaev is facing several charges related to computer fraud, bank fraud, wire fraud, money laundering and identity theft. He pleaded not guilty and could face up to 60 years in prison if convicted of all charges.
The TrickBot malware, which dates back to at least 2016, was originally a Trojan that allowed attackers to steal financial data. But it evolved over time into a “highly modular, multi-stage malware that provides its operators a full suite of tools to conduct a myriad of illegal cyber activities,” the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency said in a notice in March.
Three months after that CISA notice, U.S. prosecutors unsealed an indictment alleging that a Latvian woman, Alla Witte, developed the code behind the malware. She was arrested in Miami in February and arraigned in federal court in Cleveland in June.
“This is the second overseas Trickbot defendant arrested in recent months, making clear that, with our international partners, the Department of Justice can and will capture cyber criminals around the world,” Deputy Attorney General Lisa Monaco said Thursday, crediting the arrest and extradition as “another success” for the DOJ’s ransomware task force.
Dunaev himself “allegedly performed a variety of developer functions in support of the Trickbot malware, including managing the malware’s execution, developing popular browser modifications and helping to conceal the malware from detection by security software,” according to DOJ.
TrickBot has long proved an elusive foe for U.S. authorities.
The TrickBot malware, and its associated botnet, were of such concern that the U.S. government and Microsoft separately worked to disable its ability to attack American targets ahead of the 2020 U.S. elections. The worry at the time was that the malware could be used to launch ransomware against election IT infrastructure such as voter registration systems.