{
	"id": "6521b11e-2849-4511-80e5-4f7ed1e4cb3e",
	"created_at": "2026-04-06T00:16:37.439363Z",
	"updated_at": "2026-04-10T13:11:24.831236Z",
	"deleted_at": null,
	"sha1_hash": "3002b96fb54cd5321cf853c44a349b5e25d80829",
	"title": "Germany doxxes Conti ransomware and TrickBot ring leader",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3064371,
	"plain_text": "Germany doxxes Conti ransomware and TrickBot ring leader\r\nBy Sergiu Gatlan\r\nPublished: 2025-05-30 · Archived: 2026-04-05 14:16:07 UTC\r\nThe Federal Criminal Police Office of Germany (Bundeskriminalamt or BKA) claims that Stern, the leader of the Trickbot\r\nand Conti cybercrime gangs, is a 36-year-old Russian named Vitaly Nikolaevich Kovalev.\r\n\"The subject is suspected of having been the founder of the 'Trickbot' group, also known as 'Wizard Spider,'\" BKA said last\r\nweek [English PDF], after another round of seizures and charges part of Operation Endgame, a joint global law enforcement\r\naction targeting malware infrastructure and the threat actors behind it.\r\n\"The group used the Trickbot malware as well as other malware variants such as Bazarloader, SystemBC, IcedID, Ryuk,\r\nConti and Diavol.\"\r\nKovalev is now also wanted in Germany, according to a recently issued Interpol red notice saying he was charged with being\r\nthe ringleader of an unnamed criminal organization.\r\nHowever, this isn't the first time law enforcement has targeted Kovalev for his involvement in a cybercriminal organization.\r\nIn February 2023, he was one of seven Russians sanctioned and charged in the United States for their links to the TrickBot\r\nand Conti cybercrime gangs.\r\nStill, he was only tagged at the time as a senior figure within the Trickbot group using the aliases \"Bentley,\" \"Bergen,\" \"Alex\r\nKonor,\" and \"Ben.\"\r\nVitaly Nikolayevich Kovalev (U.S. 
Secret Service)\r\nThe sanctions came after a massive trove of personal information and internal conversations was leaked from TrickBot and\r\nConti members in what was called TrickLeaks and ContiLeaks.\r\nWhile ContiLeaks provided access to the gang's internal conversations and source code, TrickLeaks went one step further,\r\nleaking the identities, online accounts, and personal information of TrickBot members on Twitter.\r\nThese conversations exposed that Kovalev, under the alias \"Stern,\" was in charge of the TrickBot operation and the Ryuk\r\nand Conti ransomware gangs. The chats illustrated how the other members would contact Stern for approval before\r\nconducting attacks or hiring lawyers for Trickbot members arrested in the United States.\r\nThe leaks ultimately expedited Conti's shutdown, with the cybercrime members moving to other operations or starting new\r\ngangs, including Royal, Black Basta, BlackCat, AvosLocker, Karakurt, LockBit, Silent Ransom, DagonLocker, and ZEON.\r\n\"According to the investigations conducted by the BKA, at times, the Trickbot group consisted of more than 100 members.\r\nIt works in an organized and hierarchically structured manner and is project and profit-oriented,\" BKA added last Friday.\r\n\"The group is responsible for the infection of several hundred thousand systems in Germany and worldwide; through its\r\nillegal activities it has obtained funds in the three-digit million range. 
Its victims include hospitals, public facilities,\r\ncompanies, public authorities, and private individuals.\"\r\nWhile Kovalev's current whereabouts are unknown, German police believe that he currently lives in Russia and have asked\r\nfor any information that could lead to his capture, including his current online accounts or what communication channels he\r\nuses.\r\nSource: https://www.bleepingcomputer.com/news/security/germany-doxxes-conti-ransomware-and-trickbot-ring-leader/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/germany-doxxes-conti-ransomware-and-trickbot-ring-leader/"
	],
	"report_names": [
		"germany-doxxes-conti-ransomware-and-trickbot-ring-leader"
	],
	"threat_actors": [
		{
			"id": "d87fb380-03db-447c-a560-33e1b6e70e87",
			"created_at": "2025-05-29T02:00:03.231385Z",
			"updated_at": "2026-04-10T02:00:03.881295Z",
			"deleted_at": null,
			"main_name": "Luna Moth",
			"aliases": [
				"Silent Ransom",
				"TG2729"
			],
			"source_name": "MISPGALAXY:Luna Moth",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6ad410c7-e291-4327-a54b-281c23f0d4fa",
			"created_at": "2022-10-25T16:07:24.501468Z",
			"updated_at": "2026-04-10T02:00:05.013427Z",
			"deleted_at": null,
			"main_name": "Karakurt",
			"aliases": [
				"Mushy Scorpius"
			],
			"source_name": "ETDA:Karakurt",
			"tools": [
				"7-Zip",
				"Agentemis",
				"AnyDesk",
				"Cobalt Strike",
				"CobaltStrike",
				"FileZilla",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mimikatz",
				"WinZip",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2af9bea3-b43e-4a6d-8dc6-46dad6e3ff24",
			"created_at": "2022-10-25T16:47:55.853415Z",
			"updated_at": "2026-04-10T02:00:03.856263Z",
			"deleted_at": null,
			"main_name": "GOLD TOMAHAWK",
			"aliases": [
				"Karakurt",
				"Karakurt Lair",
				"Karakurt Team"
			],
			"source_name": "Secureworks:GOLD TOMAHAWK",
			"tools": [
				"7-Zip",
				"AnyDesk",
				"Mega",
				"QuickPacket",
				"Rclone",
				"SendGB"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "079e3d6e-24ef-42b0-b555-75c288f9efd8",
			"created_at": "2023-03-04T02:01:54.105946Z",
			"updated_at": "2026-04-10T02:00:03.359009Z",
			"deleted_at": null,
			"main_name": "Karakurt",
			"aliases": [
				"Karakurt Lair"
			],
			"source_name": "MISPGALAXY:Karakurt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f6f91e1c-9202-4497-bf22-9cd5ef477600",
			"created_at": "2023-01-06T13:46:38.86765Z",
			"updated_at": "2026-04-10T02:00:03.12735Z",
			"deleted_at": null,
			"main_name": "WIZARD SPIDER",
			"aliases": [
				"TEMP.MixMaster",
				"GOLD BLACKBURN",
				"DEV-0193",
				"UNC2053",
				"Pistachio Tempest",
				"DEV-0237",
				"Storm-0230",
				"FIN12",
				"Periwinkle Tempest",
				"Storm-0193",
				"Trickbot LLC"
			],
			"source_name": "MISPGALAXY:WIZARD SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bc119938-a79c-4e5f-9d4d-dc96835dfe2e",
			"created_at": "2024-06-04T02:03:07.799286Z",
			"updated_at": "2026-04-10T02:00:03.606456Z",
			"deleted_at": null,
			"main_name": "GOLD BLACKBURN",
			"aliases": [
				"ITG23 ",
				"Periwinkle Tempest ",
				"Wizard Spider "
			],
			"source_name": "Secureworks:GOLD BLACKBURN",
			"tools": [
				"BazarLoader",
				"Buer Loader",
				"Bumblebee",
				"Dyre",
				"Team9",
				"TrickBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "63061658-5810-4f01-9620-7eada7e9ae2e",
			"created_at": "2022-10-25T15:50:23.752974Z",
			"updated_at": "2026-04-10T02:00:05.244531Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"Wizard Spider",
				"UNC1878",
				"TEMP.MixMaster",
				"Grim Spider",
				"FIN12",
				"GOLD BLACKBURN",
				"ITG23",
				"Periwinkle Tempest",
				"DEV-0193"
			],
			"source_name": "MITRE:Wizard Spider",
			"tools": [
				"TrickBot",
				"AdFind",
				"BITSAdmin",
				"Bazar",
				"LaZagne",
				"Nltest",
				"GrimAgent",
				"Dyre",
				"Ryuk",
				"Conti",
				"Emotet",
				"Rubeus",
				"Mimikatz",
				"Diavol",
				"PsExec",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e6a21528-2999-4e2e-aaf4-8b6af14e17f3",
			"created_at": "2022-10-25T16:07:24.422115Z",
			"updated_at": "2026-04-10T02:00:04.983298Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"DEV-0193",
				"G0102",
				"Gold Blackburn",
				"Gold Ulrick",
				"Grim Spider",
				"ITG23",
				"Operation BazaFlix",
				"Periwinkle Tempest",
				"Storm-0230",
				"TEMP.MixMaster",
				"Wizard Spider"
			],
			"source_name": "ETDA:Wizard Spider",
			"tools": [
				"AdFind",
				"Agentemis",
				"Anchor_DNS",
				"BEERBOT",
				"BazarBackdoor",
				"BazarCall",
				"BazarLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"Conti",
				"Diavol",
				"Dyranges",
				"Dyre",
				"Dyreza",
				"Dyzap",
				"Gophe",
				"Invoke-SMBAutoBrute",
				"KEGTAP",
				"LaZagne",
				"LightBot",
				"PowerSploit",
				"PowerTrick",
				"PsExec",
				"Ryuk",
				"SessionGopher",
				"TSPY_TRICKLOAD",
				"Team9Backdoor",
				"The Trick",
				"TheTrick",
				"Totbrick",
				"TrickBot",
				"TrickLoader",
				"TrickMo",
				"Upatre",
				"bazaloader",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434597,
	"ts_updated_at": 1775826684,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3002b96fb54cd5321cf853c44a349b5e25d80829.pdf",
		"text": "https://archive.orkl.eu/3002b96fb54cd5321cf853c44a349b5e25d80829.txt",
		"img": "https://archive.orkl.eu/3002b96fb54cd5321cf853c44a349b5e25d80829.jpg"
	}
}