Skip to main content

Notorious Russian cybercrime network unmasked and sanctioned by US and UK

Notorious Russian cybercrime network unmasked and sanctioned by US and UK


Seven members connected to the Russian Trickbot ransomware group have been exposed and punished by US and UK governments.

Share this story

If you buy something from a Verge link, Vox Media may earn a commission. See our ethics statement.

A collection of warning signs, bugs, and notifications emulating malware or a cyber attack. The images are placed in a connected web against a blue background.
Illustration by Carlo Cadenas / The Verge

Seven individuals connected to an infamous Russia-based cybercrime network that launched attacks against schools, hospitals, public utilities, and governments were exposed on Thursday after sanctions were imposed by US and UK authorities. The US Department of the Treasury and the UK Foreign Office released pictures of the seven individuals alongside their online aliases, full legal names, email addresses, and dates of birth

The accused cybercriminals had their assets frozen and face travel bans. The sanctions additionally prohibit companies and organizations in the US and UK from making funds available to the seven individuals, including extortion payments made in cryptocurrency.

Vitaly Kovalev, Maksim Mikhailov, Valentin Karyagin, Mikhail Iskritskiy, Dmitry Pleshevskiy, Ivan Vakhromeyev, and Valery Sedletski are reportedly members of the Russia-based cybercrime gang Trickbot, which is now believed to be affiliated with a single network connected to the Ryuk and (allegedly) disbanded Conti ransomware groups. The group is accused of fraud, money laundering, and developing malicious hacking tools.

Trickbot’s eponymous trojan malware tool was originally designed to capture online banking credentials but has since evolved into an expansive malware enterprise responsible for infecting millions of computers worldwide. The US treasury department alleges that Trickbot targeted hospitals during the height of the covid pandemic in 2020, with three Minnesota medical facilities forced to divert ambulances due to the ensuing disruption to its telephone and computer networks.

The sanctioned group members are based in Russia, which doesn’t extradite to the UK or US

US authorities also unsealed an indictment against Kovalev, a “senior figure” within Trickbot otherwise known as “Bentley,” who is now being charged with one count of conspiracy to commit bank fraud and eight counts of bank fraud. All seven of the accused being sanctioned are based in Russia, which doesn’t share an extradition treaty with the US or UK.

“By sanctioning these cyber criminals, we are sending a clear signal to them and others involved in ransomware that they will be held to account,” said UK foreign secretary James Cleverly in a statement. “These cynical cyberattacks cause real damage to people’s lives and livelihoods. We will always put our national security first by protecting the UK and our allies from serious organized crime – whatever its form and wherever it originates.”

Authorities in both the UK and US also said on Thursday that current members of the Trickbot group are connected with Russia’s intelligence services. “The Trickbot Group’s preparations in 2020 aligned them to Russian state objectives and targeting previously conducted by Russian Intelligence Services,” reads a statement from the US Treasury. “This included targeting the US government and US companies.”

The UK National Cyber Security Centre similarly claims that Conti group members “highly likely maintain links to the Russian Intelligence Services from whom they have likely received tasking. The targeting of certain organizations, such as the International Olympic Committee, by the group almost certainly aligns with Russian state objectives.”

The sanctions are the first of their kind for the UK and mark the start of a new wave of coordinated action between the US and UK against international cybercrime. Just last month, US authorities accused crypto exchange Bitzlato of playing a critical role in facilitating transactions for Russian-affiliated ransomware groups like Conti and arrested the Russian co-founder of Bitzlato for allegedly processing $700 million in illicit funds.