Trickbot botnet sanctioned by the United States and the United Kingdom

Authorities in the United States and the United Kingdom have imposed sanctions on seven individuals tied to the Russia-based cybercriminal group Trickbot.

Among those named on the sanctions list were:

  • Vitaliy Kovalev (“Bentli”, “Ben”) — a senior manager of the Trickbot Group. A federal judge in New Jersey charged him with conspiracy to commit bank fraud and eight counts of bank fraud in connection with a series of breaches of victims’ bank accounts at various US financial institutions;
  • Maxim Mikhailov (“Baget”) — developer;
  • Valentin Karyagin (“Globus”) — developer;
  • Mikhail Iskritsky (“Tropa”) — developer of money-laundering projects;
  • Dmitry Pleshyevsky (“Izeldor”) — worked on injecting malicious code on sites to steal victims’ credentials;
  • Ivan Vakhromeev (“Grib”) — manager;
  • Valeriy Sedletskiy (“Strix”) — administrator and manager of servers.

Authorities pointed to ties between Trickbot group members and Russian security services.

OFAC blocked any Trickbot property within the United States. US residents and citizens are prohibited from dealing with it. Foreign financial institutions also risk sanctions if they conduct operations in support of Trickbot.

OFSI froze the criminals’ assets on UK soil and barred individuals from making transfers to those under sanctions.

Chainalysis analysts established a close link between Trickbot operators and the creators of Ryuk, Conti, Diavol and Karakurt ransomware.

Wallets linked to various ransomware programs that sent funds to Trickbot administrator under the nickname Stern. Data: Chainalysis.

According to experts, the ransomware operators associated with Trickbot have accumulated cryptocurrency worth at least $724 million over the group’s existence. This makes them the second-largest cybercrime group after the North Korean Lazarus group.

Although OFAC and OFSI did not include specific cryptocurrency addresses as identifiers, Chainalysis identified wallets belonging to several members of the group.

The Trickbot administrator under the nickname Stern sent funds to at least four of the seven sanctioned individuals, including Vakhromeev, Mikhailov, Karyagin and Sedletskiy.

Analysts believe these payments were made for Trickbot operations or to fund services and subscriptions necessary for developing malware.

The Trickbot botnet is one of the most popular trojans among criminals. It is used to infiltrate systems and then carry out data theft, covert mining and ransomware deployment.

According to investigators, the Trickbot group operated in Russia, Belarus, Ukraine and Suriname. The operators are also suspected of undermining the electoral process in the United States.

Earlier, in 2020, an international group of specialists conducted an operation to neutralize Trickbot.

In October 2021, six Russians and one Ukrainian were accused of operating Trickbot and infecting more than a million computers.
