German Police Name Vitaly Kovalev as “Stern,” Alleged Mastermind of the Trickbot Ransomware Empire

German federal police have publicly identified Vitaly Nikolaevich Kovalev, a 36-year-old Russian national, as “Stern,” the elusive mastermind behind the notorious Trickbot and Conti cyber-extortion gangs. The Bundeskriminalamt (BKA) and state prosecutors in North Rhine-Westphalia issued an arrest warrant and secured an INTERPOL Red Notice accusing Kovalev of leading a transnational criminal organisation that stole hundreds of millions of dollars from hospitals, schools, and businesses worldwide.

First official naming of “Stern”

Although Western governments have sanctioned or indicted dozens of Trickbot and Conti members since 2020, “Stern” had remained unnamed in public legal documents. Investigators say they finally linked the handle to Kovalev during Operation Endgame, a multi-year international crackdown that dismantled parts of the group’s infrastructure last month. Chat logs leaked in 2022 and forensic clues from last year’s takedown of the Qakbot malware provided the breakthrough, according to the BKA.

Threat-intelligence analyst Alexander Leslie of Recorded Future called the attribution “a significant event that bridges gaps in our understanding of Trickbot—one of the most notorious transnational cyber-criminal groups to ever exist.”

A familiar face, new alias

Kovalev is not new to investigators. The United States and United Kingdom jointly sanctioned him in early 2023 for his alleged role in Trickbot under the aliases “ben” and “Bentley,” and a U.S. indictment accused him of earlier bank-fraud hacks. Neither government had previously linked him to the Stern persona.

How Trickbot set the template

Emerging in 2016 from the remnants of the Dyre banking-trojan crew, Trickbot evolved from credential theft into a full-blown “ransomware-as-a-service” empire. At its peak, the cartel fielded roughly 100 members, merged talent with the Conti gang, and deployed malware families such as Ryuk, IcedID, and Diavol. Internal chats portray Stern as a hands-off chief executive who ran the operation “like a legitimate company,” complete with HR policies, performance reviews, and salary tiers. Security firms credit Trickbot with pioneering the professional franchise model that many newer ransomware groups now follow.

Hospitals in the cross-hairs

Leaked messages also exposed chilling targets: in one 2020 exchange a Trickbot lieutenant bragged about a list of 428 U.S. medical centres, writing “Fuck clinics in the USA this week.” During the height of the Covid-19 surge, multiple U.S. and European hospitals were hit with Ryuk or Conti ransomware, forcing staff to divert ambulances and postpone surgeries.

Possible links to Russian security services

Researchers have long debated whether Stern enjoyed protection from, or cooperation with, Russian intelligence agencies. Chat logs include references to setting up an office for “government topics,” and several Trickbot insiders described Stern as a conduit to the Federal Security Service (FSB). The BKA did not elaborate on any intelligence ties, and Moscow has not commented on the allegations.

What happens next?

Kovalev is believed to reside in Russia, where extradition to Germany or the United States is highly unlikely. The Red Notice nonetheless restricts his international travel, freezes assets in cooperating jurisdictions, and could complicate any future attempts to launder cryptocurrency proceeds.

Law-enforcement officials say Operation Endgame is continuing with partners in the United States, the United Kingdom, the Netherlands, France, and Ukraine. While the takedown has disrupted Trickbot’s infrastructure, security experts warn that core developers could regroup under new brands—as happened after previous shutdowns—unless Russia itself prosecutes the suspects.

“Trickbot set the mould for the modern ‘as-a-service’ cyber-criminal business model,” Leslie added. “Unmasking its founder removes a key pillar of impunity, even if he never sees a courtroom.”
