{
	"id": "3dcd5809-8898-4aa9-acfd-9636978541a1",
	"created_at": "2026-04-06T00:17:29.928429Z",
	"updated_at": "2026-04-10T13:11:23.450341Z",
	"deleted_at": null,
	"sha1_hash": "b7a4b5415ed47771fe9b0b7c85a8da9d015436d6",
	"title": "United States and United Kingdom Sanction Members of Russia-Based Trickbot Cybercrime Gang",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 54286,
	"plain_text": "United States and United Kingdom Sanction Members of Russia-Based Trickbot Cybercrime Gang\r\nPublished: 2026-02-13 · Archived: 2026-04-05 19:48:30 UTC\r\nThe United States and United Kingdom issue historic joint cyber sanctions\r\nWASHINGTON — Today, the United States, in coordination with the United Kingdom, is designating seven\r\nindividuals who are part of the Russia-based cybercrime gang Trickbot. This action represents the very first\r\nsanctions of their kind for the U.K., and result from a collaborative partnership between the U.S. Department of\r\nthe Treasury’s Office of Foreign Assets Control and the U.K.’s Foreign, Commonwealth, and Development Office;\r\nNational Crime Agency; and His Majesty’s Treasury to disrupt Russian cybercrime and ransomware.\r\n“Cyber criminals, particularly those based in Russia, seek to attack critical infrastructure, target U.S. businesses,\r\nand exploit the international financial system,” said Under Secretary Brian E. Nelson.  “The United States is\r\ntaking action today in partnership with the United Kingdom because international cooperation is key to addressing\r\nRussian cybercrime.”\r\nRussia is a haven for cybercriminals, where groups such as Trickbot freely perpetrate malicious cyber activities\r\nagainst the U.S., the U.K., and allies and partners. These malicious cyber activities have targeted critical\r\ninfrastructure, including hospitals and medical facilities during a global pandemic, in both the U.S. and the U.K.\r\nLast month, Treasury’s Financial Crimes Enforcement Network (FinCEN) identified a Russia-based virtual\r\ncurrency exchange, Bitzlato Limited, as a “primary money laundering concern” in connection with Russian illicit\r\nfinance.  
The United States and the United Kingdom are leaders in the global fight against cybercrime and are\r\ncommitted to using all available authorities and tools to defend against cyber threats.\r\nThis action follows other recent sanctions actions taken jointly by the U.S. and the U.K. including in the Russia\r\nand Burma programs, as well as last year’s multilateral action against the Kinahan Crime Group. It also reflects\r\nthe finding from the 2021 Sanctions Review that sanctions are most effective when coordinated with international\r\npartners and highlights the deepened partnership between OFAC and the UK’s Office of Financial Sanctions\r\nImplementation.\r\nTrickbot: A Notorious Cyber Gang in Russia\r\nTrickbot, first identified in 2016 by security researchers, was a trojan virus that evolved from the Dyre trojan.\r\nDyre was an online banking trojan operated by individuals based in Moscow, Russia, that began targeting non-Russian businesses and entities in mid-2014.  Dyre and Trickbot were developed and operated by a group of\r\ncybercriminals to steal financial data. The Trickbot trojan viruses infected millions of victim computers\r\nworldwide, including those of U.S. businesses, and individual victims. It has since evolved into a highly modular\r\nmalware suite that provides the Trickbot Group with the ability to conduct a variety of illegal cyber activities,\r\nincluding ransomware attacks. During the height of the COVID-19 pandemic in 2020, Trickbot targeted hospitals\r\nand healthcare centers, launching a wave of ransomware attacks against hospitals across the United States. In one\r\nof these attacks, the Trickbot Group deployed ransomware against three Minnesota medical facilities, disrupting\r\ntheir computer networks and telephones, and causing a diversion of ambulances. 
Members of the Trickbot Group\r\npublicly gloated over the ease of targeting the medical facilities and the speed with which the ransoms were paid\r\nto the group.\r\nCurrent members of the Trickbot Group are associated with Russian Intelligence Services. The Trickbot Group’s\r\npreparations in 2020 aligned them to Russian state objectives and targeting previously conducted by Russian\r\nIntelligence Services. This included targeting the U.S. government and U.S. companies.\r\nVitaly Kovalev was a senior figure within the Trickbot Group. Vitaly Kovalev is also known by the online\r\nmonikers “Bentley” and “Ben”. Today, an indictment was unsealed in the U.S. District Court for the District of\r\nNew Jersey charging Kovalev with conspiracy to commit bank fraud and eight counts of bank fraud in connection\r\nwith a series of intrusions into victim bank accounts held at various U.S.-based financial institutions that occurred\r\nin 2009 and 2010, predating his involvement in Dyre or the Trickbot Group.\r\nMaksim Mikhailov has been involved in development activity for the Trickbot Group. Maksim Mikhailov is also\r\nknown by the online moniker “Baget”.\r\nValentin Karyagin has been involved in the development of ransomware and other malware projects. Valentin\r\nKaryagin is also known by the online moniker “Globus”.\r\nMikhail Iskritskiy has worked on money-laundering and fraud projects for the Trickbot Group. Mikhail Iskritskiy\r\nis also known by the online moniker “Tropa”.\r\nDmitry Pleshevskiy worked on injecting malicious code into websites to steal victims’ credentials. Dmitry\r\nPleshevskiy is also known by the online moniker “Iseldor”.\r\nIvan Vakhromeyev has worked for the Trickbot Group as a manager. Ivan Vakhromeyev is also known by the\r\nonline moniker “Mushroom”.\r\nValery Sedletski has worked as an administrator for the Trickbot Group, including managing servers. 
Valery\r\nSedletski is also known by the online moniker “Strix”.\r\nOFAC is designating each of these individuals pursuant to Executive Order (E.O.) 13694, as amended by E.O.\r\n13757, for having materially assisted, sponsored, or provided material, or technological support for, or goods or\r\nservices to or in support of, an activity described in subsection (a)(ii) of section 1 of E.O. 13694, as amended.\r\nSanctions Implications\r\nAs a result of today’s action, all property and interests in property of the individuals that are in the United States\r\nor in the possession or control of U.S. persons must be blocked and reported to OFAC. OFAC’s regulations\r\ngenerally prohibit all dealings by U.S. persons or within the United States (including transactions transiting the\r\nUnited States) that involve any property or interests in property of blocked or designated persons.\r\nIn addition, persons that engage in certain transactions with the individuals designated today may themselves be\r\nexposed to designation. Furthermore, any foreign financial institution that knowingly facilitates a significant\r\ntransaction or provides significant financial services for any of the individuals or entities designated today could\r\nbe subject to U.S. correspondent or payable-through account sanctions.\r\nThe power and integrity of OFAC sanctions derive not only from its ability to designate and add persons to the\r\nSpecially Designated Nationals and Blocked Persons (SDN) List but also from its willingness to remove persons\r\nfrom the SDN List consistent with the law. The ultimate goal of sanctions is not to punish but to bring about a\r\npositive change in behavior. For information concerning the process for seeking removal from an OFAC list,\r\nincluding the SDN List, please refer to OFAC’s Frequently Asked Question 897. 
For detailed information on the\r\nprocess to submit a request for removal from an OFAC sanctions list, please refer to OFAC’s website.\r\nSee OFAC’s Updated Advisory on Potential Sanctions Risk for Facilitating Ransomware Payments for\r\ninformation on the actions that OFAC would consider to be mitigating factors in any related enforcement action\r\ninvolving ransomware payments with a potential sanctions risk. For information on complying with sanctions\r\napplicable to virtual currency, see OFAC’s Sanctions Compliance Guidance for the Virtual Currency Industry. See\r\nalso the UK’s Office of Financial Sanctions Implementation’s recently issued Guidance on Financial Sanctions\r\nand Ransomware.\r\nFor more information on the individuals designated today, click here.\r\nFor more information on the United Kingdom’s action, click here.\r\n###\r\nSource: https://home.treasury.gov/news/press-releases/jy1256",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://home.treasury.gov/news/press-releases/jy1256"
	],
	"report_names": [
		"jy1256"
	],
	"threat_actors": [],
	"ts_created_at": 1775434649,
	"ts_updated_at": 1775826683,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b7a4b5415ed47771fe9b0b7c85a8da9d015436d6.pdf",
		"text": "https://archive.orkl.eu/b7a4b5415ed47771fe9b0b7c85a8da9d015436d6.txt",
		"img": "https://archive.orkl.eu/b7a4b5415ed47771fe9b0b7c85a8da9d015436d6.jpg"
	}
}