Germany Exposes Leaders of Conti Ransomware and TrickBot Cybercrime Operations

Hacker

The Federal Criminal Police Office of Germany (Bundeskriminalamt or BKA) has identified Vitaly Nikolaevich Kovalev, a 36-year-old Russian, as the leader of the notorious Trickbot and Conti cybercrime organizations. The BKA claims Kovalev is the suspected founder of the Trickbot group, also recognized as “Wizard Spider.” This announcement was made last week in conjunction with a series of seizures and charges as part of Operation Endgame—a comprehensive global law enforcement initiative focused on dismantling malware infrastructures and prosecuting cybercriminals.

The Trickbot group has been implicated in the deployment of various malware types, including Trickbot itself, Bazarloader, SystemBC, IcedID, Ryuk, Conti, and Diavol. An Interpol red notice has been issued for Kovalev, who is now wanted in Germany on charges pertaining to leading an unnamed criminal organization. This is not Kovalev’s first encounter with law enforcement; he was previously sanctioned by U.S. authorities in February 2023 alongside six other individuals for links to the Trickbot and Conti groups.

At that time, Kovalev was recognized as a senior figure within the Trickbot alliance, employing several aliases such as “Bentley,” “Bergen,” “Alex Konor,” and “Ben.”

Vitaly Nikolayevich Kovalev
Vitaly Nikolayevich Kovalev (U.S. Secret Service)

The sanctions followed the massive leak of sensitive personal information and internal communications within the Trickbot and Conti networks, dubbed TrickLeaks and ContiLeaks. The leaks revealed that Kovalev, operating under the alias “Stern,” played a central role in managing the Trickbot operations and coordinated activities with the Ryuk and Conti ransomware teams. Conversations uncovered through these leaks demonstrated that associates would seek Kovalev’s approval prior to launching attacks or engaging legal assistance for Trickbot members facing arrest in the United States.

The exposure of these internal communications hastened the discontinuation of Conti’s operations, prompting members to either join new frameworks or establish separate entities such as Royal, Black Basta, BlackCat, AvosLocker, Karakurt, LockBit, Silent Ransom, DagonLocker, and ZEON.

According to the BKA’s investigations, the Trickbot group once comprised over 100 operatives, functioning in an organized hierarchy with specific profit-driven projects. The group is attributed with compromising hundreds of thousands of systems both in Germany and around the globe, accruing illicit earnings in the several hundreds of millions. Victims include healthcare facilities, public institutions, corporate entities, and private individuals.

As of now, Kovalev’s location remains unknown; however, German authorities believe he may still reside in Russia. They are actively seeking information that could assist in his apprehension, including current online activities and communication practices.