{
	"id": "01ddf23f-896a-40b9-8f25-f78f60a26301",
	"created_at": "2026-04-06T00:22:20.636344Z",
	"updated_at": "2026-04-10T03:24:30.025704Z",
	"deleted_at": null,
	"sha1_hash": "6965d8f6159e6772edf64f838ba57935dac94d6d",
	"title": "United States and United Kingdom Sanction Additional Members of the Russia-Based Trickbot Cybercrime Gang",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 54275,
	"plain_text": "United States and United Kingdom Sanction Additional Members\r\nof the Russia-Based Trickbot Cybercrime Gang\r\nPublished: 2026-02-13 · Archived: 2026-04-05 16:33:11 UTC\r\nU.S. Department of Justice Concurrently Unsealing Nine Indictments\r\nWASHINGTON — Today, the United States, in coordination with the United Kingdom, sanctioned eleven\r\nindividuals who are part of the Russia-based Trickbot cybercrime group. Russia has long been a safe haven for\r\ncybercriminals, including the Trickbot group. Today’s action was taken by the U.S. Department of the Treasury’s\r\nOffice of Foreign Assets Control (OFAC). The U.S. Department of Justice (DOJ) is concurrently unsealing\r\nindictments against nine individuals in connection with the Trickbot malware and Conti ransomware schemes,\r\nincluding seven of the individuals designated today.\r\nToday’s targets include key actors involved in management and procurement for the Trickbot group, which has\r\nties to Russian intelligence services and has targeted the U.S. Government and U.S. companies, including\r\nhospitals. During the COVID-19 pandemic, the Trickbot group targeted many critical infrastructure and health\r\ncare providers in the United States.\r\n“The United States is resolute in our efforts to combat ransomware and respond to disruptions of our critical\r\ninfrastructure,” said Under Secretary of the Treasury Brian E. Nelson. “In close coordination with our British\r\npartners, the United States will continue to leverage our collective tools and authorities to target these malicious\r\ncyber activities.”\r\nThe targets designated today include administrators, managers, developers, and coders who have materially\r\nassisted the Trickbot group in its operations. 
This designation is part of continued collaborative efforts by the U.S.\r\nand the UK to disrupt Russian cybercrime and ransomware, and follows the first joint U.S.-UK cyber designation\r\nof several Trickbot group members in February 2023, the first designation under the UK’s new cyber authority.\r\nTreasury coordinated extensively with UK partners, including the Foreign, Commonwealth, and Development\r\nOffice; National Crime Agency; and His Majesty’s Treasury. Today’s action represents the continued commitment\r\nof the United States and the United Kingdom to target, combat, and counter ransomware actors and to address\r\nRussian cybercrime.\r\nTRICKBOT: RUSSIA’S NOTORIOUS CYBER GANG\r\nTrickbot, first identified in 2016 by security researchers, was a trojan virus that evolved from the Dyre trojan.\r\nDyre was an online banking trojan operated by Moscow-based individuals who began targeting non-Russian\r\nbusinesses and entities in mid-2014. Dyre and Trickbot were developed and operated by a group of cybercriminals\r\nto steal financial data from targets outside of Russia. The Trickbot trojan infected millions of victim computers\r\nworldwide, including those of U.S. businesses and individuals. It has since evolved into a highly modular malware\r\nsuite that provides the Trickbot group the ability to conduct a variety of malicious cyber activities, including\r\nransomware. During the height of the COVID-19 pandemic in 2020, the Trickbot group launched a wave of\r\nhttps://home.treasury.gov/news/press-releases/jy1714\r\nPage 1 of 3\n\nransomware disruptions against hospitals and other healthcare centers across the United States. In one instance,\r\nthe Trickbot group deployed ransomware against three Minnesota medical facilities, disrupting their computer\r\nnetworks and telephones, and causing a diversion of ambulances. 
Members of the Trickbot group publicly gloated\r\nover the ease of targeting the medical facilities and the speed with which ransoms had been paid to the\r\ngroup. Members of the Trickbot group are associated with Russian intelligence services. The Trickbot group’s\r\npreparations in 2020 aligned them to Russian state objectives and actions taken by the Russian intelligence\r\nservices. This included targeting the U.S. Government and U.S. companies.\r\nAndrey Zhuykov was a central actor in the group and acted as a senior administrator. Andrey Zhuykov is also\r\nknown by the online monikers Dif and Defender.\r\nMaksim Galochkin led a group of testers, with responsibilities for development, supervision, and implementation\r\nof tests. Maksim Galochkin is also known by the online monikers Bentley, Crypt, and Volhvb.\r\nMaksim Rudenskiy was a key member of the Trickbot group and the team lead for coders.\r\nMikhail Tsarev was a manager with the group, overseeing human resources and finance. He was responsible for\r\nmanagement and bookkeeping. Mikhail Tsarev is also known by the monikers Mango, Alexander Grachev, Super\r\nMisha, Ivanov Mixail, Misha Krutysha, and Nikita Andreevich Tsarev.\r\nDmitry Putilin was associated with the purchase of Trickbot infrastructure. Dmitry Putilin is also known by the\r\nonline monikers Grad and Staff.\r\nMaksim Khaliullin was an HR manager for the group. He was associated with the purchase of Trickbot\r\ninfrastructure including procuring Virtual Private Servers. Maksim Khaliullin is also known by the online moniker\r\nKagas.\r\nSergey Loguntsov was a developer for the Trickbot group.\r\nVadym Valiakhmetov worked as a coder for the Trickbot group and is known by the online monikers Weldon,\r\nMentos, and Vasm.\r\nArtem Kurov worked as a coder with development duties in the Trickbot group. 
Artem Kurov is also known by\r\nthe online moniker Naned.\r\nMikhail Chernov was part of the internal utilities group for Trickbot and is also known by the online moniker\r\nBullet.\r\nAlexander Mozhaev was part of the admin team responsible for general administrative duties and is also known\r\nby the online monikers Green and Rocco.\r\nOFAC is designating each of these individuals pursuant to Executive Order (E.O.) 13694, as amended by E.O.\r\n13757, for having materially assisted, sponsored, or provided financial, material, or technological support for, or\r\ngoods or services to or in support of, an activity described in subsection (a)(ii) of section 1 of E.O. 13694, as\r\namended.\r\nSANCTIONS IMPLICATIONS\r\nAs a result of today’s action, all property and interests in property of the individuals that are in the United States\r\nor in the possession or control of U.S. persons must be blocked and reported to OFAC. OFAC’s regulations\r\ngenerally prohibit all dealings by U.S. persons or within the United States (including transactions transiting the\r\nUnited States) that involve any property or interests in property of blocked or designated persons.\r\nIn addition, persons that engage in certain transactions with the individuals designated today may themselves be\r\nexposed to designation. Furthermore, any foreign financial institution that knowingly facilitates a significant\r\ntransaction or provides significant financial services for any of the individuals or entities designated today could\r\nbe subject to U.S. correspondent or payable-through account sanctions.\r\nThe power and integrity of OFAC sanctions derive not only from its ability to designate and add persons to the\r\nSpecially Designated Nationals and Blocked Persons (SDN) List but also from its willingness to remove persons\r\nfrom the SDN List consistent with the law. 
The ultimate goal of sanctions is not to punish but to bring about a\r\npositive change in behavior. For information concerning the process for seeking removal from an OFAC list,\r\nincluding the SDN List, please refer to OFAC’s Frequently Asked Question 897. For detailed information on the\r\nprocess to submit a request for removal from an OFAC sanctions list, please refer to OFAC’s website.\r\nSee OFAC’s Updated Advisory on Potential Sanctions Risk for Facilitating Ransomware Payments here, for\r\ninformation on the actions that OFAC would consider to be mitigating factors in any related enforcement action\r\ninvolving ransomware payments with a potential sanctions risk. For information on complying with sanctions\r\napplicable to virtual currency, see OFAC’s Sanctions Compliance Guidance for the Virtual Currency Industry\r\nhere. See also the UK’s Office of Financial Sanctions Implementation’s recently issued Guidance on Financial\r\nSanctions and Ransomware.\r\nFor more information on the individuals designated today, click here.\r\n###\r\nSource: https://home.treasury.gov/news/press-releases/jy1714",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://home.treasury.gov/news/press-releases/jy1714"
	],
	"report_names": [
		"jy1714"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434940,
	"ts_updated_at": 1775791470,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6965d8f6159e6772edf64f838ba57935dac94d6d.pdf",
		"text": "https://archive.orkl.eu/6965d8f6159e6772edf64f838ba57935dac94d6d.txt",
		"img": "https://archive.orkl.eu/6965d8f6159e6772edf64f838ba57935dac94d6d.jpg"
	}
}