TrickBot developer Vladimir Dunaev extradited to the USA

The South Korean authorities handed over 38-year-old Russian TrickBot developer Vladimir Dunaev to US law enforcement in accordance with an extradition request. Dunaev is suspected of developing the TrickBot browser component. In the United States, he faces up to 60 years in prison.

Recall that Dunaev was arrested in Seoul in September of this year while trying to leave South Korea, where he had spent more than a year and a half because of the coronavirus pandemic.

Dunaev arrived in South Korea back in February 2020. Initially, he was going to leave the country rather quickly, but the COVID-19 pandemic began, and the country’s authorities banned international travel. When the restrictions on air travel were finally lifted, the suspect’s passport had expired, and as a result he was forced to live in a one-room apartment in Seoul while waiting for the Russian embassy to prepare replacement documents.

While the suspect was waiting for his passport to be replaced, the US authorities launched an official investigation into TrickBot. Although the operation to eliminate the malware, carried out in the fall of 2020, ultimately ended in failure, the US authorities soon managed to arrest 55-year-old Latvian citizen Alla Witte, who, according to investigators, was one of the programmers of TrickBot.

Dunaev is believed to have been associated with the TrickBot group since mid-2016, when he passed the hackers’ “test task”, which included creating an application that mimics a SOCKS server as well as modified copies of the Firefox browser. According to court documents, he passed the test brilliantly, demonstrating the skills needed by the attackers. “He is capable of anything. We need such a person,” wrote the members of the hack group.

The indictment says that Dunaev has worked on various components of TrickBot since 2016, and that the TrickBot group consists of at least 17 members, each of whom handles their own tasks.

  1. Malware manager: identifies coding needs, manages finances, deploys TrickBot.
  2. Malware developers: create modules for TrickBot and transfer them to other members of the group for encryption.
  3. Cryptors: encrypt TrickBot modules to avoid detection by security products.
  4. Spammers: distribute TrickBot through spam and phishing campaigns.

In addition to Dunaev and Alla Witte, the US Department of Justice has filed charges against other TrickBot members whose names have not been released. The suspects are located in different countries, including Russia, Belarus and Ukraine.

Dunaev himself was charged with conspiracy to commit computer fraud and aggravated identity theft, conspiracy to commit banking and financial fraud, conspiracy to launder money, and numerous counts of fraud using electronic communications, financial fraud and aggravated identity theft.

If found guilty on all counts, he could face 60 years in prison.

Daniel Zimmermann

Daniel Zimmermann has been writing on security and malware subjects for many years and has been working in the security industry for over 10 years. Daniel was educated at the Saarland University in Saarbrücken, Germany and currently lives in New York.
