Several cybersecurity researchers who have tracked Trickbot extensively tell WIRED they were unaware of the announcement. An anonymous account on the social media platform X recently claimed that Kovalev used the Stern handle and published alleged details about him. WIRED messaged multiple accounts that supposedly belong to Kovalev, according to the X account and a database of hacked and leaked records compiled by District 4 Labs, but received no response.
Meanwhile, Kovalev's name and face may already be surprisingly familiar to those who have been following recent Trickbot revelations. This is because Kovalev was jointly sanctioned by the United States and United Kingdom in early 2023 for his alleged involvement as a senior member in Trickbot. He was also charged in the US at the time with hacking linked to bank fraud allegedly committed in 2010. The US added him to its most wanted list. In all of this activity, though, the US and UK linked Kovalev to the online handles "ben" and "Bentley." The 2023 sanctions did not mention a connection to the Stern handle. And, in fact, Kovalev's 2023 indictment was mainly noteworthy because his use of "Bentley" as a handle was determined to be "historic" and distinct from that of another key Trickbot member who also went by "Bentley."
The Trickbot ransomware group first emerged around 2016, after its members moved from the Dyre malware that was disrupted by Russian authorities. Over the course of its lifespan, the Trickbot group—which used its namesake malware, alongside other ransomware variants such as Ryuk, IcedID, and Diavol—increasingly overlapped in operations and personnel with the Conti gang. In early 2022, Conti published a statement backing Russia's full-scale invasion of Ukraine, and a cybersecurity researcher who had infiltrated the groups leaked more than 60,000 messages from Trickbot and Conti members, revealing a huge trove of information about their day-to-day operations and structure.
Stern acted like a "CEO" of the Trickbot and Conti groups and ran them like a legitimate company, leaked chat messages analyzed by WIRED and security researchers show.
"Trickbot set the mold for the modern 'as-a-service' cybercriminal business model that was adopted by countless groups that followed," Recorded Future's Leslie says. "While there were certainly organized groups that preceded Trickbot, Stern oversaw a period of Russian cybercrime that was characterized by a high level of professionalization. This trend continues today, is reproduced worldwide, and is visible in most active groups on the dark web."
Stern's eminence within Russian cybercrime has been widely documented. The cryptocurrency tracing firm Chainalysis does not publicly name cybercriminal actors and declined to comment on BKA's identification, but the company emphasized that the Stern persona alone is one of the all-time most profitable ransomware actors it tracks.
"The investigation revealed that stern generated significant revenues from illegal activities, in particular in connection with ransomware," the BKA spokesperson tells WIRED.
Stern "surrounds himself with very technical people, many of which he claims to have sometimes decades of experience, and he's willing to delegate substantial tasks to these experienced people whom he trusts," says Keith Jarvis, a senior security researcher at cybersecurity firm Sophos' Counter Threat Unit. "I think he's always probably lived in that organizational role."
Increasing evidence in recent years has indicated that Stern has at least some loose connections to Russia's intelligence apparatus, including its main security agency, the Federal Security Service (FSB). The Stern handle mentioned setting up an office for "government topics" in July 2020, while researchers have seen other members of the Trickbot group say that Stern is likely "the link between us and the ranks/head of department type at FSB."
Stern's consistent presence was a significant contributor to Trickbot and Conti's effectiveness—as was the entity's ability to maintain strong operational security and remain hidden.
As Sophos' Jarvis put it, "I have no thoughts on the attribution as I've never heard a compelling story about Stern's identity from anyone prior to this announcement."