Germany’s Federal Criminal Police Office (BKA) has identified “Stern” as 36-year-old Russian national Vitaly Nikolaevich Kovalev. According to the BKA, Kovalev is strongly suspected of having founded the ‘Trickbot’ group, also known by the alias ‘Wizard Spider.’ The group used the Trickbot malware alongside other malware such as Bazarloader, SystemBC, IcedID, Ryuk, Conti, and Diavol. An Interpol red notice now seeks Kovalev in Germany, officially charging him as the ringleader of this unnamed criminal organization. This is not Kovalev’s first encounter with law enforcement: he was sanctioned and charged in the United States in February 2023 for his significant links to both the TrickBot and Conti cybercrime gangs.
Kovalev’s more definitive unmasking as “Stern” followed massive information leaks from TrickBot and Conti members, known as TrickLeaks and ContiLeaks. While ContiLeaks provided access to the gang’s internal private conversations and source code, TrickLeaks went a step further: it exposed the identities, online accounts, and detailed personal information of numerous active TrickBot members on social media platforms. The leaked conversations revealed that Kovalev, operating under the alias “Stern,” was in charge of the entire TrickBot operation. He also directly orchestrated the Ryuk and Conti ransomware gangs. The chat logs show other members consistently contacting Stern for his approval before conducting major cyberattacks against their targets.
According to comprehensive investigations conducted by the German BKA, the Trickbot group at certain peak times consisted of more than 100 members.
This large criminal enterprise operated in a highly organized, clearly hierarchical manner and was primarily project- and profit-oriented. The group is held responsible for infecting several hundred thousand computer systems in Germany and across the world. Through its illegal activities over multiple years, it obtained illicit funds estimated to be in the three-digit million range. Its victims included hospitals, public facilities, private companies, public authorities, and many private individuals.
Vitaly Kovalev’s current whereabouts are unknown to the international law enforcement agencies seeking his capture.
However, German police authorities strongly believe that he currently resides somewhere within the Russian Federation, which makes his apprehension significantly more challenging. They have issued a public appeal for any information that could lead to his capture and prosecution. Specifically, the authorities are seeking details of his current online accounts or any communication channels he is known to use at present. The manhunt is part of an international effort to bring high-profile cybercriminals like Kovalev to justice.