For years, members of the Russian cybercrime cartel Trickbot unleashed a relentless hacking spree on the world. The group attacked thousands of victims, including businesses, schools, and hospitals. “Fuck clinics in the usa this week,” one member wrote in internal Trickbot messages in 2020 about a list of 428 hospitals to target. Orchestrated by an enigmatic leader using the online moniker “Stern,” the group of around 100 cybercriminals stole hundreds of millions of dollars over the course of roughly six years.

Despite a wave of law enforcement disruptions and a damaging leak of more than 60,000 internal chat messages from Trickbot and the closely associated counterpart group Conti, the identity of Stern has remained a mystery. Last week, though, Germany’s federal police agency, the Bundeskriminalamt or BKA, and local prosecutors alleged that Stern’s real-world name is Vi­ta­ly Ni­ko­lae­vich Kovalev, a 36-year-old, 5-foot-11-inch Russian man who cops believe is in his home country and thus shielded from potential extradition.

A recently issued Interpol red notice says that Kovalev is wanted by Germany for allegedly being the “ringleader” of a “criminal organisation.”

“Stern’s naming is a significant event that bridges gaps in our understanding of Trickbot—one of the most notorious transnational cybercriminal groups to ever exist,” says Alexander Leslie, a threat intelligence analyst at the security firm Recorded Future. “As Trickbot’s ‘big boss’ and one of the most noteworthy figures in the Russian cybercriminal underground, Stern remained an elusive character, and his real name was taboo for years.”

Stern has notably seemed to be absent from multiple rounds of Western sanctions and indictments in recent years calling out alleged Trickbot and Conti members. Leslie and other researchers have long speculated to WIRED that global law enforcement may have strategically withheld Stern’s alleged identity as part of ongoing investigations. Kovalev is suspected of being the “founder” of Trickbot and allegedly used the Stern moniker, the BKA said in an online announcement.

“It has long been assumed, based on numerous indications, that ‘Stern’ is in fact Kovalev,” a BKA spokesperson says in written responses to questions from WIRED. They add that “the investigating authorities involved in Operation Endgame were only able to identify the actor Stern as Kovalev during their investigation this year,” referring to a multi-year international effort to identify and disrupt cybercriminal infrastructure, known as Operation Endgame.

The BKA spokesperson also notes in written statements to WIRED that information obtained through a 2023 investigation into the Qakbot malware as well as analysis of the leaked Trickbot and Conti chats from 2022 were “helpful” in making the attribution. They added, too, that the “assessment is also shared by international partners.”

The German announcement is the first time that officials from any government have publicly alleged an identity for a suspect behind the Stern moniker. As part of Operation Endgame, BKA’s Stern attribution inherently comes in the context of a multinational law enforcement collaboration. But unlike in other Trickbot- and Conti-related attributions, other countries have not publicly concurred with BKA’s Stern identification thus far. Europol, the US Department of Justice, the US Treasury, and the UK’s Foreign, Commonwealth & Development Office did not immediately respond to WIRED’s requests for comment.

Several cybersecurity researchers who have tracked Trickbot extensively tell WIRED they were unaware of the announcement. An anonymous account on the social media platform X recently claimed that Kovalev used the Stern handle and published alleged details about him. WIRED messaged multiple accounts that supposedly belong to Kovalev, according to the X account and a database of hacked and leaked records compiled by District 4 Labs but received no response.

Meanwhile, Kovalev’s name and face may already be surprisingly familiar to those who have been following recent Trickbot revelations. This is because Kovalev was jointly sanctioned by the United States and United Kingdom in early 2023 for his alleged involvement as a senior member in Trickbot. He was also charged in the US at the time with hacking linked to bank fraud allegedly committed in 2010. The US added him to its most-wanted list. In all of this activity, though, the US and UK linked Kovalev to the online handles “ben” and “Bentley.” The 2023 sanctions did not mention a connection to the Stern handle. And, in fact, Kovalev’s 2023 indictment was mainly noteworthy because his use of “Bentley” as a handle was determined to be “historic” and distinct from that of another key Trickbot member who also went by “Bentley.”

The Trickbot ransomware group first emerged around 2016, after its members moved from the Dyre malware that was disrupted by Russian authorities. Over the course of its lifespan, the Trickbot group—which used its namesake malware, alongside other ransomware variants such as Ryuk, IcedID, and Diavol—increasingly overlapped in operations and personnel with the Conti gang. In early 2022, Conti published a statement backing Russia’s full-scale invasion of Ukraine, and a cybersecurity researcher who had infiltrated the groups leaked more than 60,000 messages from Trickbot and Conti members, revealing a huge trove of information about their day-to-day operations and structure.

Stern acted like a “CEO” of the Trickbot and Conti groups and ran them like a legitimate company, leaked chat messages analyzed by WIRED and security researchers show.

“Trickbot set the mold for the modern ‘as-a-service’ cybercriminal business model that was adopted by countless groups that followed,” Recorded Future’s Leslie says. “While there were certainly organized groups that preceded Trickbot, Stern oversaw a period of Russian cybercrime that was characterized by a high level of professionalization. This trend continues today, is reproduced worldwide, and is visible in most active groups on the dark web.”

24 Comments