Recent developments regarding the notorious Trickbot malware have shed light on the identity of one of its alleged key figures, Andrey Kovalev. Several cybersecurity researchers who have monitored Trickbot closely said they were unaware of any announcement relating to his identity. An anonymous account on the platform X recently claimed that Kovalev operated under the alias “Stern” and shared supposed details about him. Attempts by WIRED to contact accounts purportedly belonging to Kovalev received no response, and the silence has raised questions about the validity of the anonymous source's claims.
Kovalev’s name may ring a bell for observers of Trickbot’s activities, as he was jointly sanctioned by both the United States and the United Kingdom in early 2023 for alleged senior involvement within the group. In addition, Kovalev faced criminal charges in the United States connected to hacking-related bank fraud as far back as 2010. Notably, he was also placed on the US’s most-wanted list. Throughout this scrutiny, Kovalev has been identified online under the aliases “ben” and “Bentley,” though there was no mention in the sanctions or indictment of a connection to the Stern handle. The 2023 indictment notably categorized his use of “Bentley” as a historic reference, distinct from another Trickbot associate sharing the same handle.
Trickbot first emerged around 2016, stemming from the disruption of the Dyre malware by Russian authorities. The group has utilized its namesake malware, alongside various ransomware variants like Ryuk, IcedID, and Diavol, and has increasingly operated in tandem with the Conti group. Following the Russian invasion of Ukraine in early 2022, Conti openly supported this military action, while a cybersecurity researcher infiltrating both groups leaked over 60,000 messages, unveiling critical insights into their operations and structure.
The persona known as Stern has been characterized by researchers as functioning similarly to a CEO within Trickbot and Conti, managing their operations with the kind of professionalism typically seen in legitimate business environments. Experts assert that Trickbot established a paradigm for the contemporary ‘as-a-service’ model in cybercrime, marked by an increasing level of sophistication. Leslie from Recorded Future noted that while organized crime existed prior to Trickbot, Stern’s leadership facilitated a heightened professionalization of Russian cybercrime that remains evident today across various global groups on the dark web.
Stern's presence in Russian cybercrime has been widely substantiated. Although the cryptocurrency firm Chainalysis declined to comment on Kovalev’s identification, it has identified Stern as one of the most profitable ransomware actors it monitors. Germany's BKA has corroborated that Stern amassed substantial profits from illicit activities, mostly tied to ransomware.
Experts describe Stern as a leader who collaborates with technically adept individuals, relying on their expertise for significant responsibilities. Keith Jarvis from Sophos noted that Stern is likely accustomed to operating in this organizational capacity, underscoring a degree of strategic delegation within his structure.
Recent investigations have suggested that Stern might have associations with Russian intelligence, including the Federal Security Service (FSB). Evidence points to discussions about establishing an office for “government topics” in mid-2020, further complicating the narrative surrounding his operations. Some members of Trickbot reportedly view Stern as a connection between their group and more significant elements within Russian governmental structures.
In terms of operational effectiveness, Stern’s consistent involvement has been critical for both Trickbot and Conti, a consistency attributed largely to the groups' ability to maintain a high standard of operational security. Jarvis remarked on the lack of compelling prior narratives regarding Stern’s identity, highlighting the significance of the recent announcement and its implications for understanding the increasing complexity of cybersecurity threats.