{
	"id": "c27ae004-7da0-4715-8f73-1b63256e3923",
	"created_at": "2026-04-06T00:10:27.079421Z",
	"updated_at": "2026-04-10T13:12:19.266769Z",
	"deleted_at": null,
	"sha1_hash": "8b598e151f9ae585365405b18dc0670b4447d470",
	"title": "TrickBot gang member arrested after getting stuck in South Korea due to COVID-19 pandemic",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 258828,
	"plain_text": "TrickBot gang member arrested after getting stuck in South Korea\r\ndue to COVID-19 pandemic\r\nBy Catalin Cimpanu\r\nPublished: 2023-01-19 · Archived: 2026-04-05 15:48:36 UTC\r\nA Russian man was arrested last week at the Seoul international airport on accusations of developing code for the\r\nTrickBot malware gang.\r\nThe man, identified in local media reports only as Mr. A, was arrested trying to leave South Korea for his native\r\nhome in Russia after he'd been stuck in the Asian country for more than a year and a half.\r\nThe suspect, who arrived in February 2020, was initially prevented from leaving after Seoul officials canceled\r\ninternational travel at the onset of the COVID-19 pandemic.\r\nWhen air travel restrictions were lifted, the suspect's passport had expired, forcing Mr. A to live in a Seoul studio\r\napartment until this summer while the local Russian embassy issued a replacement.\r\nHowever, while the suspect was awaiting a passport replacement, US officials started an official investigation\r\nagainst TrickBot, a Russian-based malware gang that had used its botnet to facilitate ransomware attacks across\r\nthe US throughout 2020.\r\nWhile a takedown operation spearheaded by several security firms failed in October 2020, US officials had more\r\nsuccess on a legal front, announcing the arrest of a 55-year-old Latvian woman named Alla Witte, who US\r\nprosecutors said worked as one of TrickBot's programmers.\r\nSimilar to Witte's indictment, a South Korean judge said Mr. A was charged for working with the TrickBot gang\r\nand developing a web browser-related component for the group after answering a job ad in 2016 — the same way\r\nWitte was recruited.\r\nDocuments in Witte's case cite private conversations between TrickBot members regarding the recruitment\r\nprocess. Per these conversations, the TrickBot gang was upfront with the people who applied and told them what\r\nthey're doing was not legal.\r\nhttps://therecord.media/trickbot-gang-member-arrested-after-getting-stuck-in-south-korea-due-to-covid-19-pandemic/\r\nPage 1 of 3\n\nImage: The Record\r\nPer the same conversations cited in the Witte case, most who applied for the jobs realized they were doing\r\n\"blackhat stuff.\"\r\nTrickbot lead members said in private conversations to each other that they were looking for candidates who did\r\nthe recruitment test without asking too many questions.\r\n\"If they ask additional questions, this person is not suitable,\" one message read.\r\nImage: The Record\r\nSouth Korean news outlet KBS said the suspect was arraigned in a Seoul court on Wednesday, September 2, on an\r\ninternational arrest warrant and extradition request to the US.\r\nMr. A is fighting this extradition. His lawyer claimed that if his client is sent to the US, he \"will be subjected to\r\nexcessive punishment.\"\r\nhttps://therecord.media/trickbot-gang-member-arrested-after-getting-stuck-in-south-korea-due-to-covid-19-pandemic/\r\nPage 2 of 3\n\nNo previous article\r\nNo new articles\r\nCatalin Cimpanu\r\nis a cybersecurity reporter who previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement\r\nactions against hackers.\r\nSource: https://therecord.media/trickbot-gang-member-arrested-after-getting-stuck-in-south-korea-due-to-covid-19-pandemic/\r\nhttps://therecord.media/trickbot-gang-member-arrested-after-getting-stuck-in-south-korea-due-to-covid-19-pandemic/\r\nPage 3 of 3",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://therecord.media/trickbot-gang-member-arrested-after-getting-stuck-in-south-korea-due-to-covid-19-pandemic/"
	],
	"report_names": [
		"trickbot-gang-member-arrested-after-getting-stuck-in-south-korea-due-to-covid-19-pandemic"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434227,
	"ts_updated_at": 1775826739,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8b598e151f9ae585365405b18dc0670b4447d470.pdf",
		"text": "https://archive.orkl.eu/8b598e151f9ae585365405b18dc0670b4447d470.txt",
		"img": "https://archive.orkl.eu/8b598e151f9ae585365405b18dc0670b4447d470.jpg"
	}
}