A Russian man accused of being part of cybercrime ring that infected millions of computers worldwide was arraigned in federal court in Ohio on Thursday after being extradited from South Korea, the Justice Department announced.
US prosecutors allege that 38-year-old Vladimir Dunaev was part of a transnational criminal group that since 2015 has tried to steal millions of dollars from victims in the US and elsewhere.
The group allegedly used a piece of malicious software known as Trickbot and other tools to steal money and confidential data from businesses in multiple countries including the US, United Kingdom, Russia and India. The hackers also targeted the computer networks of hospitals, schools, public utilities and governments, according to prosecutors.
Dunaev is charged with conspiracy to commit computer fraud and aggravated identity theft, and multiple counts of wire and bank fraud, among other charges, the Justice Department said. He faces up to 60 years in prison if convicted on all counts.
Dunaev entered a not guilty plea in his initial court appearance Thursday and waved detention, according to Daniel Ball, a spokesman for the United States Attorney for the Northern District of Ohio.
An attorney for Dunaev could not be immediately reached for comment.
The arrest is a notable win for the US Justice Department, which is typically forced to wait until accused Russian cybercriminals leave Russia to pursue them because Washington and Moscow do not have an extradition treaty. It comes as the Biden administration has tried to pressure the Russian government to crack down on cybercrime amid continued ransomware attacks against US companies.
In a press release that did not mention Dunaev by name, the South Korean Ministry of Justice said it had extradited a Russian national accused of being involved in the Trickbot malware to the United States on October 20. The ministry said the Russian national was arrested in June at South Korea’s Incheon International Airport.
Another person allegedly involved with Trickbot, a Latvian national known as Alla Witte, was arrested in Miami in February and is also being prosecuted in the Northern District of Ohio. Prosecutors accused Witte of writing computer “code related to the control, deployment, and payments of ransomware.”
Witte pleaded not guilty in June, according to Ball, the Northern District of Ohio spokesman.
Dunaev also allegedly used his technical skills in support of Trickbot. According to prosecutors, he helped the malware avoid being detected by security software.
The extradition of Dunaev follows the FBI and European law enforcement agencies’ arrest last month of two people in Ukraine who have allegedly made multimillion-dollar ransom demands following hacks of US organizations.
The Justice Department’s pursuit of foreign cybercriminals is meant as a complement to diplomatic pressure that US officials are putting on Moscow to address the issue. Despite a June meeting between Biden and Putin on the topic, ransomware attacks on US companies have continued.
Earlier this month a ransomware incident interrupted programming at Sinclair Broadcast Group, the second largest operator of TV stations in the US. A hacking tool used to encrypt Sinclair’s networks is similar to malicious code previously used by a Russian crime group sanctioned by the US government, analysts told CNN.
Trickbot has had a key role in some ransomware attacks on US companies; hackers have used the malicious software to access victim networks and then deploy ransomware to lock up their computers. The FBI and US Cybersecurity and Infrastructure Security Agency in October 2020 warned that Trickbot was being used in a wave of ransomware attacks on US health care organizations.
Concerned by the potential threat of ransomware to election infrastructure in 2020, Microsoft and other tech companies last year knocked some computer servers used by Trickbot offline.
While some of the people allegedly involved in Trickbot have been apprehended, the malicious code itself is alive and well. Researchers with IBM reported this month some of the developers of Trickbot had begun working with two additional criminal groups to distribute malicious code to targeted organizations.
The Biden administration has also sought to expand international coordination in prosecuting ransomware groups and curtailing their sources of revenue. The White House this month convened a 30-country virtual meeting to that end.
Andres Sutt, a senior Estonian government official who attended the meeting, told CNN that governments need to invest a greater proportion of their IT budgets in cybersecurity to effectively defend against ransomware.
“If we look at the intensity of [ransomware] attacks, the sophistication, the impacts, I think it’s only clear that we need to respond in being more cyber resilient,” said Sutt, who is Estonia’s minister of entrepreneurship and information technology.
CNN’s Jake Kwon contributed reporting