German Police IDed Trickbot Ransomware Kingpin 'Stern'

For years, the Russian cybercrime cartel known as Trickbot wreaked havoc worldwide, targeting thousands of victims, including businesses, schools, and hospitals. Organized by a mysterious figure with the online alias "Stern," the group, composed of nearly 100 cybercriminals, managed to steal hundreds of millions of dollars over around six years. Despite numerous attempts by international law enforcement to disrupt their operations, the identity of Stern has remained elusive—until now.
Recently, Germany’s federal police agency, the Bundeskriminalamt (BKA), and local prosecutors announced they have identified Stern as Vitaly Nikolaevich Kovalev, a 36-year-old Russian man. Although believed to be residing in Russia and protected from extradition, Kovalev is now the subject of an Interpol red notice, wanted by Germany for allegedly leading a criminal organization.
The naming of Stern fills gaps in the understanding of Trickbot, one of the most notorious cybercriminal groups. Alexander Leslie, a threat intelligence analyst, stated that Stern was a significant figure within the Russian cybercriminal underground, and his real name remained shrouded in secrecy for years. Notably, Stern had evaded multiple rounds of Western sanctions and indictments aimed at Trickbot and its affiliates.
Research suggests that international law enforcement may have intentionally kept Stern’s identity under wraps as part of ongoing investigations. Kovalev, suspected to be Trickbot’s founder, allegedly operated under the moniker "Stern." However, this is the first time any government has publicly alleged an identity for Stern.
The BKA’s attribution is backed by a multi-year international effort known as Operation Endgame, aimed at disrupting cybercriminal infrastructure. Insights gained from investigating Qakbot malware and analyzing leaked Trickbot and Conti chats contributed significantly to this breakthrough. However, unlike other Trickbot-related identifications, no other countries have yet confirmed Germany's findings.
Vitaly Kovalev is no stranger to international scrutiny. In early 2023, he was sanctioned by the US and UK for his alleged involvement in Trickbot and linked to the handles "ben" and "Bentley." Interestingly, these sanctions did not mention the Stern moniker.
Emerging in 2016, Trickbot evolved from the Dyre malware, which had been disrupted by Russian authorities, and expanded its operations using various ransomware variants such as Ryuk, IcedID, and Diavol. Leaked chat messages show that Stern appeared to run Trickbot and Conti like a formal business, acting almost as their "CEO."
Trickbot was pioneering in establishing the "as-a-service" cybercriminal business model adopted by many subsequent groups. This professionalization period overseen by Stern became a hallmark of Russian cybercrime, impacting cybercriminal activities globally.
Stern's suspected ties to Russian intelligence, particularly the FSB, including potential coordination on "government projects," added complexity to tracking his activities. For all his standing as a cybercrime leader, Stern's true identity was a longstanding enigma, one that this identification now sheds light on.
Nevertheless, Stern's prominence in Russian cybercrime has been comprehensively documented, with Chainalysis noting him as one of the most lucrative ransomware actors globally. His operations are said to have generated significant revenues, facilitated by a technically skilled network.
This breakthrough marks a critical step in the collective international effort to curtail organized cybercriminals, yet many details continue to emerge regarding Stern’s extensive operations and influence.