TrickBot gang member arrested after getting stuck in South Korea due to COVID-19 pandemic
A Russian man was arrested last week at the Seoul international airport on accusations of developing code for the TrickBot malware gang.
The man, identified in local media reports only as Mr. A, was arrested trying to leave South Korea for his native home in Russia after he'd been stuck in the Asian country for more than a year and a half.
The suspect, who arrived in February 2020, was initially prevented from leaving after Seoul officials canceled international travel at the onset of the COVID-19 pandemic.
When air travel restrictions were lifted, the suspect's passport had expired, forcing Mr. A to live in a Seoul studio apartment until this summer while the local Russian embassy issued a replacement.
However, while the suspect was awaiting a passport replacement, US officials started an official investigation against TrickBot, a Russian-based malware gang that had used its botnet to facilitate ransomware attacks across the US throughout 2020.
While a takedown operation spearheaded by several security firms failed in October 2020, US officials had more success on a legal front, announcing the arrest of a 55-year-old Latvian woman named Alla Witte, who US prosecutors said worked as one of TrickBot's programmers.
Similar to Witte's indictment, a South Korean judge said Mr. A was charged for working with the TrickBot gang and developing a web browser-related component for the group after answering a job ad in 2016 — the same way Witte was recruited.
Documents in Witte's case cite private conversations between TrickBot members regarding the recruitment process. Per these conversations, the TrickBot gang was upfront with the people who applied and told them what they're doing was not legal.
Per the same conversations cited in the Witte case, most who applied for the jobs realized they were doing "blackhat stuff."
Trickbot lead members said in private conversations to each other that they were looking for candidates who did the recruitment test without asking too many questions.
"If they ask additional questions, this person is not suitable," one message read.
South Korean news outlet KBS said the suspect was arraigned in a Seoul court on Wednesday, September 2, on an international arrest warrant and extradition request to the US.
Mr. A is fighting this extradition. His lawyer claimed that if his client is sent to the US, he "will be subjected to excessive punishment."
Catalin Cimpanu is a cybersecurity reporter for The Record. He previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.