Alla Witte’s plans for a new career as a computer programmer included helping clients make enough money to see the world, according to YouTube videos and social media posts. She was in her late 40s with a degree in applied mathematics and an itch to do computer programming.
But there was a darker side to Witte’s interest in computers, according to federal prosecutors. In the six years leading to October 2018, Witte allegedly transformed from amateur developer to a key cog in a cybercrime syndicate known as Trickbot.
Witte, now 55, assumed the identity “Max” and started writing illicit code, according to a federal indictment unsealed on Feb. 8 after she was detained in Miami. She’s since been transferred to Cleveland, where she’s one of seven alleged members of the Trickbot gang facing charges for their role in a global fraud, data theft and ransomware operation with roots in Russia, Ukraine and Belarus.
But Witte is the first alleged member of the Trickbot cybergang ever to be detained in the U.S. She appeared before a U.S. magistrate judge on June 4 for her arraignment, where she waived her rights to a detention hearing. She hasn’t yet made any pleadings in the case.
Witte’s public defender in Cleveland, Ed Bryan, didn’t respond to requests for comment.
If Witte were to cooperate with authorities, her insights could be invaluable at a time when the Biden administration and a newly formed Justice Department task force are taking aim at ransomware and other cybercrime, said Alex Holden, the founder of the cyber-investigations firm Hold security . She could also help U.S. officials understand the structure of a tenacious and wide-ranging cybercrime operation with so many tentacles that it managed to evade a pair of takedown operations by U.S. Cyber Command and Microsoft Corp in 2020, he said.
Trickbot is the name of a cybercrime group, piece of malicious code and a botnet, a network of hijacked internet-connected devices used to carry out cyberattacks. The cybercrime group manages the botnet and sells its malware to “affiliates” who then use it to target various victims, according to the cyber research firm, Malwarebytes Inc.
Once infected, victims become part of the botnet, a network of thousands of computers and servers around the world that are carriers of the Trickbot malware. The malware is used as a point of entry for hackers hunting for data for espionage or looking to inject ransomware. It is among the most popular sources of entry for ransomware attacks in use today, according to the cybersecurity company, Eclypsium Inc.
Since it was first detected in 2016, Trickbot operators have stolen tens to hundreds of millions of dollars from victims in the U.S., including banks, universities and local governments, according to cybersecurity experts and court documents. In October, as coronavirus cases surged in the U.S., authorities warned of “increased and imminent cybercrime threat to U.S. hospitals and health-care providers” from Trickbot and other hacking groups.
At first brush, Witte’s public persona doesn’t offer any hints at her alleged interest in cybercrime. Her friends sent her digital postcards of cats celebrating Christmas and requests to play games together, according to her account on the Russian social media site VK.
In addition, hackers tend to be relatively young men. When Holden first learned about Witte, he said he thought it might be an elaborate hoax. “Alla Witte is a unicorn,” he said. “She combines a passion of learning about technology, and that at an old age, with the life of a hapless cybercriminal who developed malware and ransomware that hurt many.”
In her first week working for the Trickbot group in 2018, Witte wrote a code to track each of the hundreds of users weaponizing its malware, according to the indictment. Within months, she produced a video tutorial showing her Trickbot partners how to use the tracking software. By the time she’d been with the group for a year, she had authored code for the web panel that Trickbot uses to store its massive database of stolen victim data, including a color-coding system so fellow users could monitor the progress of each infection, according to court records.
Witte would go on to write the code that controls deployment of ransomware, including the note victims received announcing that their computer system had been encrypted, according to the indictment.
Witte provides details about her background on social media accounts, which were discovered and translated by Holden. She grew up along the Black Sea in the Russian city of Rostov-on-Don. After studying at the University of Latvia, Witte worked as a sales manager and teacher in the 1980s. Her interest in technology emerged in the late ‘90s and early 2000s, according to the posts.
After getting married in 2007, her family moved from the Netherlands to Suriname, in South America. It’s around this time, in 2013, that she began dabbling professionally in website development. In her posts, she expressed determination to find success and happiness in her newfound career. In language forums in Russian, her native language, she offered advice to younger professionals and thanked those who’ve helped her follow her path.
“You are absolutely correct that you have to exclude from your life those who try to prove that you will not accomplish anything,” she posted in the comments section of a video about job hunting, in a post translated by Holden. “I have heard everything – you are too old for this type of job. Overall, I spoke over the internet with several people who supported me or gave me professional advice.”
But in 2020, she allegedly stopped being careful and allowed her alleged cybercrime persona to blend in with her social media profile. In January, Holden said she used her personal website to distribute Trickbot malware. By that time, her colleagues inside the Trickbot operation were familiar with ‘Max’s’ identity, referring to her “almost like they would address their mothers,” said Holden, who specializes in Trickbot activity.
Witte will remain in U.S. custody in Cleveland until she faces trial. The case against her and her fellow alleged cyber gangsters is built on at least five years of victim reports of Trickbot cyberattacks in the U.S., including from local school districts, real estate firms, country clubs, law firms and utilities, coupled with unique FBI access to the hacking group’s own command-and-control servers dating back to at least 2016, according to the indictment.
The Justice Department has declined to detail the circumstances of her arrest, except to say that she was living with her family in Suriname when she arrived in Miami and was detained.