German police claim they have identified the mysterious Trickbot ransomware kingpin

Several cybersecurity researchers who have tracked Trickbot extensively told Wired that they were unaware of the news. An anonymous account on the social media platform X recently claimed that Kovalev used the Stern handle and posted details about him. Wired messaged multiple accounts said to belong to Kovalev, according to the X account and a database of hacked and leaked records compiled by District 4 Labs, but received no response.

Meanwhile, Kovalev’s name and face may already be familiar to those who have followed recent Trickbot revelations. This is because Kovalev was jointly sanctioned by the United States and the United Kingdom in early 2023 for his alleged role as a senior member of Trickbot. At the time, he was also charged with hacking attacks related to alleged bank fraud in 2010. However, in all these activities, the United States and the United Kingdom linked Kovalev to the online handles “Ben” and “Bentley”. The 2023 sanctions do not mention links to the Stern handle. In fact, Kovalev’s 2023 indictment is noteworthy mainly because his use of “Bentley” as a handle was identified as “historic” and as distinct from that of another key member who also used “Bentley”.

The Trickbot ransomware group first appeared around 2016, after its members moved on from the Dyre malware, which had been disrupted by Russian authorities. Over its lifespan, the Trickbot group (which used its malware of the same name alongside other ransomware variants such as Ryuk, IcedID, and Diavol) overlapped with the Conti gang in operations and personnel. In early 2022, Conti published a statement supporting Russia’s full-scale invasion of Ukraine, and a cybersecurity researcher who had infiltrated the groups leaked more than 60,000 messages from Trickbot and Conti members, uncovering a wealth of information about their day-to-day operations and structure.

Stern acted like the “CEO” of the Trickbot and Conti groups and ran them like a legitimate company, according to leaked chat messages analyzed by Wired and security researchers.

“Trickbot sets the mold for the modern ‘as-a-service’ cybercrime business model, which was adopted by countless groups that followed,” said Leslie of Recorded Future. “While of course there were organized groups before Trickbot, Stern was responsible for a period of cybercrime in Russia, characterized by a high degree of specialization. This trend continues to be replicated globally today and can be seen in most active groups on the dark web.”

Stern’s prominence in Russian cybercrime has been widely documented. The cryptocurrency-tracing firm Chainalysis does not publicly name cybercriminal actors and declined to comment on the BKA’s identification, but the company stressed that the Stern persona alone is one of the most lucrative ransomware actors it tracks.

A BKA spokesman told Wired: “The investigation shows that Stern has earned considerable income from illegal activities, especially those related to ransomware.”

Stern “has been with very technical people, many of whom claim to sometimes have decades of experience, and he is willing to delegate substantive missions to these experienced people,” said Keith Jarvis, a senior security researcher at cybersecurity firm Sophos. “I think he probably has lived in an organizational role all the time.”

In recent years, there has been growing evidence that Stern has at least some loose links with Russian intelligence agencies, including the country’s main security agency, the Federal Security Service (FSB). The Stern handle mentioned the establishment of an office for the “government theme” in July 2020, and researchers saw other members of the Trickbot group say Stern could be “a connection between us with department-level/department heads at the FSB”.

Stern’s consistent presence was an important contributor to the effectiveness of Trickbot and Conti, as was the entity’s ability to maintain strong operational security and remain hidden.

As Sophos’s Jarvis said, “I have no idea about attribution because I have never heard a compelling story about Stern’s identity before this announcement.”
