NCA and DoJ Introduce New Sanctions Against Conti/Trickbot Hackers

Conti and Trickbot Hackers Got Sanctioned By US and UK Authorities
Even though authorities had not detained the hackers, they revealed their identities.

On September 7, 2023, NCA released a statement regarding the new complex pack of sanctions against Russian Conti cybercrime group members. Accused of participating in extortions worth $800 million, gang members have now lost any property and equity under the US and UK jurisdiction.

US and UK Authorities Uncover 11 More Russian Hackers Related to Conti And TrickBot

Notice regarding joint operations between American and British authorities appeared on several sites simultaneously. As in the previous case of sanctions towards russian hackers, US Treasury and UK National Crime Agency released statements regarding it. They successfully managed to uncover the personalities of 11 individuals that are related to the Trickbot/Conti cybercriminal gang.

Conti/Trickbot Sanctioned
Collection of mugshots of sanctioned hackers, published by the NCA

Authorities have found and proven the relation of the accused individuals to attacks on UK and US government and educational organisations, hospitals and companies. This in total led to a net loss of £27 million in the UK only, and over $800 million around the world. Despite the formal Conti group dissolution in June 2022, members remained active under the rule of other cybercriminal groups.

These sanctions are a continuation of our campaign against international cyber criminals.
Attacks by this ransomware group have caused significant damage to our businesses and ruined livelihoods, with victims having to deal with the prolonged impact of financial and data losses.
These criminals thought they were untouchable, but our message is clear: we know who you are and, working with our partners, we will not stop in our efforts to bring you to justice.NCA Director General of Operations Rob Jones

Authorities Published Hackers’ Personal Data

What may be the best revenge to someone fond of compromising identities than compromising their own identity? Authorities involved in the investigation and judgement probably think the same, as they have published detailed information about each of 11 sanctioned hackers.

Name Online Nicknames Position
Dmitry Putilin Grad, Staff Participated in Trickbot infrastructure purchases
Artem Kurov Naned One of the Trickbot developers
Maksim Galochkin Bentley, Max17, Volhvb Lead of the testers team, also responsible for actual development and supervision
Mikhail Tsarev Frances, Mango, Khano Mid-tier manager, responsible for money flows; also touched HR functions
Alexander Mozhaev Green, Rocco Part of the group administration
Maksim Rudenskiy Buza, Binman, Silver Lead of Trickbot’s developers team
Andrey Zhuykov Adam, Defender, Dif One of the major administrators in the cybercrime gang
Sergey Loguntsov Begemot_Sun, Begemot, Zulas Member of the development team
Mikhail Chernov m2686, Bullet Part of the group’s internal utilities
Vadym Valiakhmetov Weldon, Mentos, Vasm Part of the development team, responsible for backdoors and loaders
Maksim Khaliullin Kagas Chief HR manager of the group. Responsible for purchasing VPSs for TrickBot infrastructure.

What is the Conti/TrickBot group?

As cybercrime gangs are commonly named by their “mainstream” malware, the Conti gang was mostly known for their eponymous ransomware. But obviously, that was not the only payload they were using in their attacks. Throughout its lifetime, Conti was working with, or even directly using several stealer families. Among them is an infamous QakBot, whose botnet was hacked and dismantled at the edge of summer 2023, and TrickBot. They were mostly known as stand-alone names, besides being actively used in collaboration with different ransomware gangs, including Conti.

Conti infection chain

QakBot is an old-timer of the malware scene. Emerged in 2007 as Pinkslipbot, it quickly became successful as infostealer malware. With time, it was updated with new capabilities, particularly ones that make it possible to use it as an initial access tool/malware delivery utility. This predetermined the fate of this malware – it is now more known as a loader, than a stealer or spyware. Although it may be appropriate to speak of QBot in the past tense, as its fate after the recent botnet shutdown is unclear.

Trickbot’s story is not much different. The only thing in difference is its appearance date – it was first noticed in 2016. Rest of the story repeats – once an infostealer, then a modular malware that can serve as initial access tool and loader. Some cybercriminals who stand after Trickbot were already sanctioned – actually, they are the first sanctioned hackers ever.

Are sanctions seriously threatening hackers?

Actually, not much. Sanctions are not a detainment, thus the only thing they lose is property in the US and the UK. Though, I highly doubt that any of those 11 guys had any valuable property kept in the countries they were involved in attacks on. All this action is mostly a message to other hackers – “you are not as anonymous as you think you are, and not impunable.”. The very next step there may be their arrest – upon the fact of their arrival to the US/UK, or countries that assist them in questions of cybercrime investigation. But once again – I doubt they’re reckless enough to show up in the country where each police station has their mugshot pinned to the wanted deck.

By Stephanie Adlam

I write about how to make your Internet browsing comfortable and safe. The modern digital world is worth being a part of, and I want to show you how to do it properly.

Leave a comment

Your email address will not be published. Required fields are marked *