{
	"id": "4216d1a9-1449-4383-b5cb-f6f6eed50f69",
	"created_at": "2026-04-06T00:08:24.572971Z",
	"updated_at": "2026-04-10T03:21:25.192852Z",
	"deleted_at": null,
	"sha1_hash": "a9ed589d0c31c58779992074ac4e69bab390771e",
	"title": "US arrests Latvian woman who worked on Trickbot malware source code",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 530467,
	"plain_text": "US arrests Latvian woman who worked on Trickbot malware\r\nsource code\r\nBy Catalin Cimpanu\r\nPublished: 2022-12-12 · Archived: 2026-04-05 22:19:43 UTC\r\nThe US Department of Justice has arraigned in court today a Latvian woman who was part of the Trickbot\r\nmalware crew, where she served as a programmer and wrote code for controlling the malware and deploying\r\nransomware on infected computers.\r\nAlla Witte, 55, of Latvia, but who resided in Paramaribo, Suriname, was arrested on February 6 in Miami,\r\nFlorida, the DOJ said in a press release today.\r\nUS officials said that Witte, who went online as \"Max,\" has been working with the Trickbot malware gang since\r\nthe group formed in November 2015, when remnants of the Dyre malware gang assembled to create and distribute\r\na revamped version of the Dyre trojan that was subsequently named Trickbot.\r\nAccording to court documents [PDF], Witte was identified as one of 17 suspects behind the Trickbot malware,\r\nwhich is believed to have infected millions of computers across the world since 2015.\r\nUS investigators said Witte oversaw \"the creation of code related to the monitoring and tracking of authorized\r\nusers of the Trickbot malware, the control and deployment of ransomware, obtaining payments from ransomware\r\nvictims, and developing tools and protocols for the storage of credentials stolen and exfiltrated from victims\r\ninfected by Trickbot.\"\r\nHer role in the Trickbot gang evolved as the malware itself changed, going from a classic banking trojan\r\nfocused on stealing funds from bank accounts to a loader for other malware payloads (such as ransomware\r\noperations).\r\nUS officials have charged Witte on 19 counts in a 47-count indictment. 
Public comments from cybersecurity\r\nprofessionals suggest that Witte did not do a good job of hiding her identity, even hosting in-dev versions of the\r\nTrickbot malware on her personal website.\r\n— Vitali Kremez (@VK_Intel) June 4, 2021\r\nhttps://therecord.media/us-arrests-latvian-woman-who-worked-on-trickbot-malware-source-code/\r\nPage 1 of 4\n\nImage: William Thomas, Cyjax\r\nWitte is the first member of the Trickbot gang to be arrested. US officials said other Trickbot suspects are still at\r\nlarge in Russia, Belarus, Ukraine, and Suriname.\r\nIn October 2020, US officials filed charges against a criminal group known as QQAAZZ that helped the Trickbot\r\ngang launder funds they stole from victims' bank accounts.\r\nIn the same month, a coalition of tech companies attempted to take down the Trickbot botnet. While the Trickbot\r\ngang's operations were disrupted for a few weeks, the botnet has since recovered and is still active today.\r\nWhat is Trickbot\r\nHistorically, the Trickbot botnet is one of the largest and most successful operations to date.\r\nIt began operations in 2015 after members of the Dyre malware gang scattered following a series of high-profile\r\narrests that crippled the group's leadership structure.\r\nTrickbot was set up as an alternative and initially it continued where Dyre left off, with its operators investing\r\nmost of their time in email spam campaigns aimed at tricking users into downloading and installing the malware\r\non their computers.\r\nIn its early history, Trickbot worked as a classic banking trojan that infected computers and then tampered with\r\nusers' browsers to dump and steal credentials, and then show \"web injects\" that allowed the gang to collect e-banking credentials and interact with e-bank accounts in real-time.\r\nHowever, as banks began deploying security features that made the life of banking trojans harder, circa 2017, the\r\nTrickbot gang followed other malware groups that were active at the time 
and converted their banking trojan into\r\na simpler and leaner malware strain. Known as a loader (from downloader) or dropper, Trickbot would continue\r\nto infect victims with the help of email spam, but once it infected a host, its primary purpose would be to\r\ndownload and install other malware strains.\r\nThis way, throughout the years, the Trickbot gang built a giant botnet, access to which they sold to other criminal\r\ngroups. Operating as a Crimeware-as-a-Service, Trickbot operators allowed customers to deploy their own malware\r\nor created specialized modules that customers could deploy for specific tasks.\r\nDepending on the victims they infected, the Trickbot malware was often used to steal banking credentials,\r\npasswords for enterprise networks, give BEC scammers an entry into large companies, allow data brokers to pilfer\r\nsecrets and sensitive files from corporate networks, or even deploy ransomware, such as Ryuk and Conti, for\r\ndestructive attacks.\r\nAfter it survived its takedown last year and after the Emotet takedown earlier this year, Trickbot is now considered\r\none of the most dangerous botnets active today, together with Dridex, Qbot, and IcedID.\r\nThe court documents filed in Witte's case today are heavily redacted to hide the names of the other 16 Trickbot\r\noperators, suggesting US officials are aware of their identities already and that future arrests and charges are\r\nbound to follow.\r\nCatalin Cimpanu\r\nis a cybersecurity reporter who previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement\r\nactions against hackers.\r\nSource: 
https://therecord.media/us-arrests-latvian-woman-who-worked-on-trickbot-malware-source-code/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://therecord.media/us-arrests-latvian-woman-who-worked-on-trickbot-malware-source-code/"
	],
	"report_names": [
		"us-arrests-latvian-woman-who-worked-on-trickbot-malware-source-code"
	],
	"threat_actors": [],
	"ts_created_at": 1775434104,
	"ts_updated_at": 1775791285,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a9ed589d0c31c58779992074ac4e69bab390771e.pdf",
		"text": "https://archive.orkl.eu/a9ed589d0c31c58779992074ac4e69bab390771e.txt",
		"img": "https://archive.orkl.eu/a9ed589d0c31c58779992074ac4e69bab390771e.jpg"
	}
}