EU sanctions $300M Trickbot ransomware operations kingpin

Wait 5 sec.

Vitaly Nikolayevich Kovalev, the Russian national who ran the Trickbot ransomware syndicate under the alias “Stern,” has been sanctioned by the European Union. The sanction is the result of a coordinated action with the United States and the United Kingdom that targeted a wide network of cybercriminals and the services that keep them online. Who is Stern? Vitaly Nikolayevich Kovalev, a 36-year-old Russian national who ran the Trickbot ransomware syndicate, has been sanctioned by the EU. This is the first time any sanctioning body has tied the “Stern” handle to Kovalev by name. The U.S. Treasury’s Office of Foreign Assets Control and the UK’s Office of Financial Sanctions Implementation first sanctioned Kovalev in February 2023, but the listings connected him to the handles “Ben” and “Bentley.” Germany’s federal police, the BKA, publicly named him as the man behind Stern in May 2025, and an Interpol red notice was issued after the discovery.Kovalev occupied the role of a “CEO-like” leader of the Trickbot and Conti groups. According to the more than 300,000 internal messages a member leaked in 2022, he had authority over the group’s budget, hiring, and attack planning. The group consisted of more than 100 members, had physical offices, and members’ salaries were paid in Bitcoin. They even offered employee-of-the-month bonuses.His group hit more than 1,000 organizations worldwide, including Ireland’s Health Service Executive during the COVID-19 pandemic in May 2021, the jeweler Graff, and numerous other hospitals and banks across the U.S. and Europe. An estimated $180 million was acquired in 2021 alone.Kovalev also moved funds connected to multiple ransomware strains, including Ryuk, Conti, Diavol, Karakurt, Royal, Quantum, and Bitpaymer. His wallets have taken in more than $300 million as his personal cut of ransom payments.Thanks to the sanctions, Kovalev’s on-chain wallet addresses have been published, making it harder for him to move funds through cryptocurrency exchanges and financial services. He is believed to be in Russia, which unfortunately does not extradite its nationals to face foreign charges.What other services did the sanction target?OFAC also sanctioned First VPN Service (1VPNS) and its administrator, Dmytro Rashevskyi. The service reportedly allowed criminals to hide their internet traffic and true location. It had been operating since 2014 and advertised its services on cybercriminal forums, promising it did not keep logs and would not cooperate with law enforcement. Investigators were able to connect wallet addresses to both the platform and its administrator across eight blockchains, including Bitcoin, Zcash, Dogecoin, Ethereum, Litecoin, Dash, TRON, and Solana. European authorities took down the 1VPNS website in May 2026 with help from the FBI’s Boston Field Office.The EU also sanctioned the developers behind the LummaC2 infostealer, Maksim Voronin and Maksim Gordienko, whose platform was highly ranked among the most-used infostealers globally in 2024 and 2025 before a takedown led by the U.S. Department of Justice, Europol, and Japan’s Cybercrime Control Center that started in May 2025. Other names that landed on the sanction list are cryptor provider, Yevgeniy Silayev, Media Land LLC, the Russian GRU’s Unit 29155, and pro-Russia hacktivist groups CARR and Z-Pentest.Don’t just read crypto news. Understand it. Subscribe to our newsletter. It's free.