{
	"id": "e881f010-2a62-4687-9947-d510df0112b5",
	"created_at": "2026-04-06T00:13:51.617751Z",
	"updated_at": "2026-04-10T03:20:46.696226Z",
	"deleted_at": null,
	"sha1_hash": "95eb78b75124a7c3a2ddd3f183b916cd272dc38b",
	"title": "Multiple Foreign Nationals Charged in Connection with Trickbot Malware and Conti Ransomware Conspiracies",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 52226,
	"plain_text": "Multiple Foreign Nationals Charged in Connection with Trickbot\r\nMalware and Conti Ransomware Conspiracies\r\nPublished: 2023-09-07 · Archived: 2026-04-05 23:38:26 UTC\r\nThree indictments in three different federal jurisdictions have been unsealed charging multiple Russian cybercrime\r\nactors involved in the Trickbot malware and Conti ransomware schemes.\r\nAccording to court documents and public reporting, Trickbot, which was taken down in 2022, was a suite of\r\nmalware tools designed to steal money and facilitate the installation of ransomware. Hospitals, schools, and\r\nbusinesses were among the millions of Trickbot victims who suffered tens of millions of dollars in losses. While\r\nactive, Trickbot malware, which acted as an initial intrusion vector into victim computer systems, was used to\r\nsupport various ransomware variants, including Conti. Conti was a ransomware variant used to attack more than\r\n900 victims worldwide, including victims in approximately 47 states, the District of Columbia, Puerto Rico, and\r\napproximately 31 foreign countries. According to the FBI, in 2021, Conti ransomware was used to attack more\r\ncritical infrastructure victims than any other ransomware variant.\r\n“The Justice Department has taken action against individuals we allege developed and deployed a dangerous\r\nmalware scheme used in cyberattacks on American school districts, local governments, and financial institutions,”\r\nsaid Attorney General Merrick B. Garland. “Separately, we have also taken action against individuals we allege\r\nare behind one of the most prolific ransomware variants used in cyberattacks across the United States, including\r\nattacks on local police departments and emergency medical services. These actions should serve as a warning to\r\ncybercriminals who target America’s critical infrastructure that they cannot hide from the United States\r\nDepartment of Justice.”\r\n“Today’s announcement shows our ongoing commitment to bringing the most heinous cyber criminals to justice –\r\nthose who have devoted themselves to inflicting harm on the American public, our hospitals, schools, and\r\nbusinesses,” said FBI Director Christopher Wray. “Cyber criminals know that we will use every lawful tool at our\r\ndisposal to identify them, tirelessly pursue them, and disrupt their criminal activity. We, alongside our federal and\r\ninternational partners, will continue to impose costs through joint operations no matter where these criminals may\r\nattempt to hide.”\r\n“The defendants charged in these three indictments across three different jurisdictions allegedly used their cyber\r\nknowledge and capabilities to victimize people and businesses around the world without regard for the damage\r\nthey caused,” said Acting Assistant Attorney General Nicole M. Argentieri of the Justice Department’s Criminal\r\nDivision. “These indictments should serve as a reminder that no matter a cybercriminal’s location, we will identify\r\nand pursue them by doing everything in our power to ensure they face the consequences of their actions.”\r\n“Conti ransomware was used to exploit our financial systems and target hundreds of innocent victims,” said\r\nSpecial Agent in Charge William Mancino of the U.S. Secret Service’s Criminal Investigative Division. “The\r\nSecret Service will continue to work with our local, state, and federal law enforcement partners to investigate\r\ncybercriminals and bring offenders to justice.”\r\nhttps://www.justice.gov/opa/pr/multiple-foreign-nationals-charged-connection-trickbot-malware-and-conti-ransomware\r\nPage 1 of 4\r\nAs detailed below, a federal grand jury in the Northern District of Ohio returned an indictment charging Maksim\r\nGalochkin, aka Bentley; Maksim Rudenskiy, aka Buza; Mikhail Mikhailovich Tsarev, aka Mango; Andrey\r\nYuryevich Zhuykov, aka Defender; Dmitry Putilin, aka Grad and Staff; Sergey Loguntsov, aka Begemot and\r\nZulas; Max Mikhaylov, aka Baget; Valentin Karyagin, aka Globus; and Maksim Khaliullin, aka Maxfax, Maxhax,\r\nand Kagas, all Russian nationals, with conspiring to use the Trickbot malware to steal money and personal and\r\nconfidential information from unsuspecting victims, including businesses and financial institutions located in the\r\nUnited States and around the world, beginning in November 2015.\r\nA federal grand jury in the Middle District of Tennessee returned an indictment charging Galochkin, Rudenskiy,\r\nTsarev, and Zhuykov with conspiring to use Conti ransomware to attack businesses, nonprofits, and governments\r\nin the United States beginning in 2020 and continuing through June 2022.\r\nA federal grand jury in the Southern District of California returned an indictment charging Galochkin in\r\nconnection with the Conti ransomware attack on Scripps Health on May 1, 2021.\r\nNorthern District of Ohio\r\nThe indictment returned in the Northern District of Ohio charged all nine defendants for their alleged roles in\r\ndeveloping, deploying, managing, and profiting from the malware known as Trickbot. Trickbot was a\r\nsophisticated, modular, multi-functional suite of malware tools which (a) infected victims’ computers with\r\nmalware designed to capture victims’ online banking login credentials; (b) obtained and harvested other personal\r\nidentification information, including credit cards, emails, passwords, dates of birth, social security numbers, and\r\naddresses; (c) infected other computers connected to the victim computer; (d) used the captured login credentials\r\nto fraudulently gain unauthorized access to victims’ online bank accounts at financial institutions; (e) stole funds\r\nfrom victims’ bank accounts and laundered those funds using U.S. and foreign beneficiary bank accounts provided\r\nand controlled by the defendants and co-conspirators; and (f) installed ransomware on victim computers.\r\n“As alleged in the indictment, Trickbot infected millions of computers worldwide, including those used by\r\nhospitals, schools, and businesses,” said U.S. Attorney Rebecca C. Lutzko for the Northern District of Ohio.\r\n“Today’s announcement demonstrates that these dangerous cybercriminals are not anonymous, as they once\r\nbelieved. The indictments unsealed today show the resolve of the international community to work together to\r\nbring cybercriminals to justice. We will continue to use all resources at our disposal to stop cybercrime.”\r\nEach defendant is charged with one count of conspiracy to violate the Computer Fraud and Abuse Act, one count\r\nof wire fraud conspiracy, and one count of conspiracy to launder the proceeds of the scheme. The indictment also\r\nincluded an enhancement for falsely registering domains. If convicted, each defendant faces a maximum penalty\r\nof 62 years in prison.\r\nTrickbot malware developers Alla Witte and Vladimir Dunaev were previously indicted and apprehended. Witte, a\r\nLatvian national, pleaded guilty to conspiracy to commit computer fraud and was sentenced to 32 months in June\r\n2023. Dunaev, a Russian national, is currently in custody pending trial in Cleveland.\r\nMiddle District of Tennessee\r\nThe Middle District of Tennessee indictment charges that the individuals behind Conti ransomware, including\r\nGalochkin, Rudenskiy, Tsarev, and Zhuykov, conspired to use Conti to attack hundreds of victims. Conti’s victims\r\nincluded hospital systems, local governments, and foreign governments. Conti conspirators allegedly extorted\r\nfunds from victims in the Middle District of Tennessee and encrypted the computer systems of a local sheriff’s\r\ndepartment, a local police department, and local emergency medical services, among others. Ransom notes left on\r\nConti victims’ computer systems typically boasted “if you don’t [know Conti] – just ‘google it.’”\r\n“The conspirators who developed and deployed Conti ransomware victimized businesses, governments, and non-profits around the world, including a sheriff’s office and an emergency medical service in Tennessee,” said U.S.\r\nAttorney Henry C. Leventis for the Middle District of Tennessee. “We will continue to use the full power of this\r\noffice to ensure that hackers can no longer hide behind their computer screens and to hold them accountable.”\r\nGalochkin was a “crypter” for Conti, modifying the ransomware so that it would not be detected by anti-virus\r\nprograms; Rudenskiy was a developer who supervised other Conti developers; Tsarev was a manager of other\r\nConti conspirators; and Zhuykov was a systems administrator who managed users of Conti infrastructure,\r\norganized and paid for infrastructure and tools, and assisted in solving infrastructure-related issues.\r\nGalochkin, Rudenskiy, Tsarev, and Zhuykov are each charged with one count of conspiracy to violate the\r\nComputer Fraud and Abuse Act and one count of wire fraud conspiracy. If convicted, each defendant faces a\r\nmaximum penalty of 25 years in prison.\r\nSouthern District of California\r\nAs alleged in the Southern District of California indictment, Galochkin caused the transmission of the Conti\r\nmalware and impaired the medical examination, diagnosis, treatment, and care of one or more individuals.\r\nGalochkin is charged with three counts of computer hacking. If convicted, he faces a maximum penalty of 20\r\nyears in prison.\r\n“The indictment alleges a callous disregard for the medical care and the personal information of residents of the\r\nSouthern District of California,” said Acting U.S. Attorney Andrew R. Haden for the Southern District of\r\nCalifornia. “This office is committed to protecting victims of cybercrime and holding perpetrators accountable.”\r\nThe FBI Cleveland Field Office is leading the investigation into Trickbot malware.\r\nAssistant U.S. Attorneys Daniel Riedl and Duncan Brown for the Northern District of Ohio and Senior Counsel\r\nCandina Heath of the Criminal Division’s Computer Crime and Intellectual Property Section are prosecuting the\r\nTrickbot malware case.\r\nThe FBI San Diego, Memphis, and El Paso Field Offices, with U.S. Secret Service, are leading the investigation\r\ninto Conti ransomware. The U.S. Attorney’s Office for the Western District of Texas provided significant\r\nassistance.\r\nAssistant U.S. Attorney Taylor J. Phillips for the Middle District of Tennessee, Assistant U.S. Attorneys Jonathan\r\nShapiro and Kareem Salem for the Southern District of California, and Trial Attorney Sonia V. Jimenez and Senior\r\nCounsel Ryan K.J. Dickey of the Criminal Division’s Computer Crime and Intellectual Property Section are\r\nprosecuting the Conti ransomware cases.\r\nThe Justice Department’s National Security Division provided significant assistance in the Conti ransomware and\r\nTrickbot malware investigations.\r\nAn indictment is merely an allegation. All defendants are presumed innocent until proven guilty beyond a\r\nreasonable doubt in a court of law.\r\nSource: https://www.justice.gov/opa/pr/multiple-foreign-nationals-charged-connection-trickbot-malware-and-conti-ransomware",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.justice.gov/opa/pr/multiple-foreign-nationals-charged-connection-trickbot-malware-and-conti-ransomware"
	],
	"report_names": [
		"multiple-foreign-nationals-charged-connection-trickbot-malware-and-conti-ransomware"
	],
	"threat_actors": [],
	"ts_created_at": 1775434431,
	"ts_updated_at": 1775791246,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/95eb78b75124a7c3a2ddd3f183b916cd272dc38b.pdf",
		"text": "https://archive.orkl.eu/95eb78b75124a7c3a2ddd3f183b916cd272dc38b.txt",
		"img": "https://archive.orkl.eu/95eb78b75124a7c3a2ddd3f183b916cd272dc38b.jpg"
	}
}