Russian Cybercrime Kingpin "Stern" Unmasked as Vitaly Kovalev in Major Law Enforcement Breakthrough
German authorities have identified the elusive leader of the notorious Russian cybercrime group Trickbot as Vitaly Nikolaevich Kovalev, a 36-year-old Russian national operating under the alias "Stern." The revelation, announced by Germany’s Bundeskriminalamt (BKA) and local prosecutors, marks a significant milestone in the fight against one of history’s most prolific cybercriminal organizations.
For nearly six years, Trickbot—alongside its affiliate group Conti—orchestrated a global hacking campaign, targeting thousands of victims, including businesses, schools, and hospitals. Internal messages from 2020 revealed the group’s ruthless intent, with one member explicitly listing 428 U.S. hospitals for attack. Under Stern’s leadership, the cartel stole hundreds of millions of dollars, cementing its reputation as a dominant force in the Russian cybercriminal underground.
Despite previous law enforcement disruptions, including a 2022 leak of over 60,000 internal chat logs, Stern’s true identity remained a closely guarded secret. Kovalev, now the subject of an Interpol red notice, is accused of being the "ringleader" of a criminal organization. German authorities allege he founded Trickbot and operated under the Stern alias, though he has evaded prior sanctions and indictments targeting other group members.
The breakthrough came as part of Operation Endgame, a multi-year international effort to dismantle cybercriminal infrastructure. Investigators linked Kovalev to Stern through evidence from a 2023 Qakbot malware investigation and analysis of the leaked Trickbot/Conti chats. The BKA confirmed that the attribution is supported by international partners, though Kovalev’s location in Russia likely shields him from extradition.
Threat intelligence analysts, including Alexander Leslie of Recorded Future, describe the unmasking as a critical development in understanding Trickbot’s operations. For years, Stern’s identity was considered "taboo" among researchers, with speculation that law enforcement withheld his name for strategic reasons. Now, the revelation provides a clearer picture of the group’s hierarchy and its ties to the broader cybercrime ecosystem.
Source: https://www.wired.com/story/stern-trickbot-identified-germany-bka/
Conti Group Building Consultants cybersecurity rating report: https://www.rankiteo.com/company/conti-group-building-consultants
{
  "id": "CON1766104576",
  "linkid": "conti-group-building-consultants",
  "type": "Cyber Attack",
  "date": "5/2025",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}
{'affected_entities': [{'customers_affected': '428 hospitals targeted',
                        'industry': 'Healthcare',
                        'location': 'USA',
                        'type': 'Hospitals'},
                       {'location': 'Global', 'type': 'Businesses'},
                       {'industry': 'Education',
                        'location': 'Global',
                        'type': 'Schools'}],
 'attack_vector': 'Unknown (likely phishing, malware, or exploit-based)',
 'data_breach': {'data_exfiltration': True,
                 'personally_identifiable_information': True,
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': 'Personally identifiable '
                                             'information, payment '
                                             'information, sensitive '
                                             'organizational data'},
 'description': 'Russian cybercrime cartel Trickbot conducted a relentless '
                'hacking spree targeting thousands of victims, including '
                'businesses, schools, and hospitals. The group, led by an '
                "individual known as 'Stern,' stole hundreds of millions of "
                'dollars over six years. Internal messages revealed targeted '
                'attacks on 428 hospitals in the USA in 2020.',
 'impact': {'brand_reputation_impact': 'Severe for affected entities',
            'data_compromised': True,
            'financial_loss': 'Hundreds of millions of dollars',
            'identity_theft_risk': True,
            'operational_impact': 'Significant disruption to targeted '
                                  'organizations, including healthcare '
                                  'services',
            'payment_information_risk': True,
            'systems_affected': 'Thousands of systems across businesses, '
                                'schools, and hospitals'},
 'initial_access_broker': {'high_value_targets': 'Hospitals, businesses, '
                                                 'schools'},
 'investigation_status': 'Ongoing (Operation Endgame)',
 'motivation': 'Financial gain, disruption of critical services',
 'post_incident_analysis': {'root_causes': 'Organized cybercrime, lack of '
                                           'attribution, international '
                                           'jurisdiction challenges'},
 'ransomware': {'data_exfiltration': True},
 'references': [{'source': 'WIRED'},
                {'source': 'Bundeskriminalamt (BKA)'},
                {'source': 'Recorded Future'}],
 'regulatory_compliance': {'legal_actions': 'Interpol red notice issued, '
                                            'German BKA investigation'},
 'response': {'law_enforcement_notified': True},
 'threat_actor': 'Trickbot (Russian cybercrime cartel)',
 'title': 'Trickbot Cybercrime Cartel Operations',
 'type': 'Cybercrime, Ransomware, Data Theft'}