{
	"id": "a03a0ceb-cb68-44cf-84ff-571a512af46e",
	"created_at": "2026-04-06T01:29:30.427031Z",
	"updated_at": "2026-04-10T03:21:43.815892Z",
	"deleted_at": null,
	"sha1_hash": "05e2a6f50ec632278738084899162e7044852967",
	"title": "Trickbot in Light of Trickleaks Data",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 34539,
	"plain_text": "Trickbot in Light of Trickleaks Data\r\nBy Vincas Čižiūnas\r\nPublished: 2023-08-30 · Archived: 2026-04-06 00:59:55 UTC\r\nEXECUTIVE SUMMARY\r\nAttribution work by its very nature is challenging and dependent on the timeliness and accuracy of the data\r\nresearchers initially have on the unknown actor. The challenge is to increase confidence in the accuracy of any\r\nadditional selectors by corroborating them with the primary selector and other data points found during an\r\ninvestigation.\r\nIn February 2023, the US Treasury Department and Secret Service named Vitaly Kovalev as the ransomware actor\r\nuser of the handle “bentley,” based on activity using that handle in 2009 and 2010.\r\nIn May 2022, a Twitter account known as @trickleaks released chat logs claiming to be from the ransomware\r\nactor group Trickbot, along with several dossiers profiling the individual actors, including one using the handle\r\n“bentley.” The report that follows will provide an alternate possibility of the true identity for the threat actor\r\nknown as “bentley” based on the more recent TrickLeaks release. Nisos examined chat logs, dated June 2020 to\r\nNovember 2021, from the Trickleaks breach data set to identify any ties between Trickbot actors and the Russian\r\ngovernment. 
For context, similar to ContiLeaks, TrickLeaks provided intimate details about the TrickBot gang;\r\nhowever, where the majority of the data contained within the ContiLeaks disclosure focused on source code, the\r\nTrickLeaks disclosure included identity and account related personal information of the actual Trickbot members.\r\nWhile analysts did not identify a direct link between Trickbot actors and the Russian government, multiple\r\nTrickbot actors, including “silver,” “manuel” (aka “bentley,” “max17,” and “volhvb”), and “angelo” likely\r\nbelieved that the FSB and/or SVR supported them and that their leadership had FSB ties.\r\nAdditionally, actor bentley is believed to be a senior member of the Trickbot group performing human resources-related roles, such as payments for the group, and subscriptions needed to conduct ransomware attacks. He was\r\nalso charged with “crypting” the group’s malware—ensuring that it goes undetected by all or at least most\r\nantivirus products on the market. Nisos determined that bentley, who revealed his username as\r\nvolhvb@exploit[.]im for the popular exploit.im jabber service, is currently identifiable as Maksim Sergeevich\r\nGalochkin. Nisos further identified that Galochkin changed his name from Maksim Sergeevich Sipkin, and that he\r\nhas significant financial debt as of 2022. In 2010, Sipkin was an active member of the “Solidarity” in Khakassia, a\r\ngroup associated with the assassinated Russian opposition leader, Boris Nemtsov.\r\nNisos cannot rule out the possibility that both individuals were users of the handle at different times.\r\nSource: https://www.nisos.com/research/trickbot-trickleaks-data-analysis/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.nisos.com/research/trickbot-trickleaks-data-analysis/"
	],
	"report_names": [
		"trickbot-trickleaks-data-analysis"
	],
	"threat_actors": [],
	"ts_created_at": 1775438970,
	"ts_updated_at": 1775791303,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/05e2a6f50ec632278738084899162e7044852967.pdf",
		"text": "https://archive.orkl.eu/05e2a6f50ec632278738084899162e7044852967.txt",
		"img": "https://archive.orkl.eu/05e2a6f50ec632278738084899162e7044852967.jpg"
	}
}