
Sensing that law enforcement was onto him, a Ukrainian suspect who developed and managed the IcedID malware botnet faked his own death in an attempt to escape extradition to the US. It worked, but only for a while.
According to court documents, the suspect bribed Ukrainian police officers to falsify papers and issue a death certificate in his name in April 2024.
The unnamed individual probably knew that the cops were closing in. Indeed, a month later, Europol and the US Federal Bureau of Investigation (FBI) seized IcedID servers as part of Operation Endgame.
This, of course, suggests a leak in the massive international investigation – over 1,025 servers were taken down or disrupted worldwide, and 20 domains were seized – or that the Ukrainian man saw agencies probing his servers.
Since the suspect was presumably one of the most important members of the IcedID malware operation, he knew jail time was on the cards and decided to act.
“Acting in a preliminary collusion with a law enforcement officer and other unidentified persons, PERSON_6 organized a scheme to stage his own death,” the court documents say.
“Thus, in the period of March-April 2024, by falsifying the identification materials of the corpse of an unidentified person, grounds were created for making changes to the death certificate.”
Based on this false information, in April 2024, the Kyiv Department of State Registration of Death issued a death certificate in the name of PERSON_6. This in turn led to the termination of the search for him.
According to the court, the suspect intended to conceal the assets obtained through criminal means by transferring the ownership of expensive real estate and vehicles to close relatives and acquaintances.
Officials have now seized the suspect’s apartments, parking spaces, and cars, and the judge, deeming him a flight risk, imposed a bail of $9.3 million.
The individual still made a mistake. He continued to live at his usual residence in Uzhhorod, a Ukrainian city near the border with Slovakia, and, after a while, law enforcement began to suspect that something fishy was going on.
The Ukrainian investigators hired experts to forensically examine the documents and relevant photos, re-analyzed information received from Interpol and the FBI, and questioned witnesses again.
After concluding that the suspect wasn’t actually dead, they finally moved to arrest him in late 2025. Even then, the suspect tried to pass as another individual and showed fake documents in his new name – to no avail.
IcedID, by the way, is still active and remains a significant threat in the cybercriminal landscape. Although it originally appeared in 2017 as a banking trojan, it has evolved into a highly versatile loader often used to deploy ransomware.