Andrey Zhuikov hacked the restrictions
The leader of the TrickBot group and ten of his accomplices have been sanctioned by the US and UK for extorting more than $180 million from victims worldwide, including £27 million from 149 victims in the UK
As a reminder, the TrickBot hacking group (aka ITG23, Gold Blackburn and Wizard Spider) is considered a financially motivated group, known mainly for developing the banking Trojan of the same name.
Over the years, TrickBot has evolved from a classic banker designed to steal funds from bank accounts into a multifunctional dropper that distributes other threats (from miners and ransomware to information stealers). Last year TrickBot came fully under the control of the operators of the Conti malware, who used the group’s malware to support their own attacks and to improve tools such as BazarBackdoor and Anchor.
In February 2022 a researcher leaked the internal correspondence of the Conti group, and shortly afterwards another person, using the pseudonym TrickLeaks, began leaking information about the inner workings of TrickBot, which confirmed the connection between the two groups.
Ultimately, these leaks led to Conti ceasing operations and splintering into several other groups, including Royal, Black Basta and ZEON.
Eleven members of TrickBot and Conti have now been sanctioned in connection with their cybercriminal activities, which the US and UK governments say resulted in the theft of $180 million from companies and organizations around the world.
“The NCA estimates that the group was responsible for extorting at least £180 million from victims around the world, as well as at least £27 million from 149 victims in the UK. The attackers targeted British hospitals, schools, local authorities and businesses,” the UK National Crime Agency said.
The US Treasury Department also announced sanctions:
“Today’s targets include key players involved in managing and supplying the Trickbot group, which has targeted the U.S. government and U.S. businesses, including hospitals,” the Treasury Department said in a statement. “During the COVID-19 pandemic, the Trickbot group has attacked many critical infrastructure and medical facilities in the United States.”
The sanctions block all property and funds belonging to the hackers in the US and UK, and prohibit individuals and companies from transacting with the sanctioned persons, including paying them ransoms.
The 11 individuals sanctioned are listed below. According to authorities, all of them are Russian citizens.
Andrey Zhuikov is considered one of the heads of the group and served as a senior administrator. Known online under the nicknames Dif and Defender.
Maxim Galochkin led a group of testers and was responsible for the development, control and execution of tests. Known online under the nicknames Bentley, Crypt and Volhvb.
Maxim Rudensky is also considered one of the key members of the Trickbot group and the head of its coders.
Mikhail Tsarev allegedly held a managerial position in the group, overseeing personnel and finances, and was also responsible for management and accounting. Known online under the nicknames Mango, Super Misha, “Alexander Grachev”, Ivanov Mixail, “Misha Krutysha” and “Nikita Andreevich Tsarev”.
Dmitry Putilin was allegedly involved in procurement for Trickbot infrastructure. Known online under the nicknames Grad and Staff.
Maxim Khaliullin, according to the authorities, was the hacking group’s HR manager and was also involved in procurement for the Trickbot infrastructure, including virtual private servers (VPS). Known online under the nickname Kagas.
Sergey Loguntsov is considered one of the developers of Trickbot.
Vadim Valiakhmetov was allegedly a Trickbot coder, known under the nicknames Weldon, Mentos and Vasm.
Artem Kurov is also considered one of the coders and developers of Trickbot. Known online under the pseudonym Naned.
Mikhail Chernov allegedly belonged to Trickbot’s utilities group and was known under the nickname Bullet.
Alexander Mozhaev is considered one of the administrators responsible for general administrative functions, known online as Green and Rocco.
“RAPSI”, 09/08/2023, “In the USA, charges of cyber fraud have been brought against a group of Russians”: Each defendant is charged with conspiracy to violate the Computer Fraud and Abuse Act, conspiracy to commit wire fraud, and conspiracy to launder the proceeds of the above crimes. If convicted, each defendant faces a maximum penalty of 62 years in prison. […]
Galochkin, Rudensky, Tsarev and Zhuikov are charged with conspiracy to violate the US Computer Fraud and Abuse Act and conspiracy to commit wire fraud. If found guilty, each defendant faces a maximum penalty of 25 years in prison. Additionally, a federal grand jury in the Southern District of California returned an indictment against Galochkin for using Conti ransomware in a cyberattack on Scripps Health, a nonprofit integrated health care delivery system, on May 1, 2021. Galochkin’s actions, the document states, led to the obstruction of medical examination, diagnosis, treatment and care of one or more persons. Galochkin was charged with three counts of computer hacking. If convicted, he faces a maximum penalty of 20 years in prison.
Earlier, the Ministry of Justice clarified, Trickbot developers, Latvian citizen Alla Witte and Russian Vladimir Dunaev, were detained on similar charges. Witte pleaded guilty to conspiracy to commit computer fraud and was sentenced to more than 2.5 years in prison in June 2023. Dunaev, as RAPSI already reported, is in pre-trial detention awaiting trial. — Insert K.ru
All this complements the sanctions already introduced against seven TrickBot participants in February 2023.
Lenta.Ru, 02/09/2023, “The USA and Great Britain introduced sanctions against Russian hackers”: In Washington and London they claim that the current members of Trickbot are coordinated by Russian intelligence services and act on orders from the Russian leadership. It is noted that Trickbot Trojans infected millions of computers around the world, including computers of American companies. — Insert K.ru
As noted above, after the “closure” of Conti many of its members moved to other hacking groups, so the sanctions may also significantly complicate ransom payments to other extortion groups. Those groups are believed to include BlackCat, Royal Group, AvosLocker, Karakurt, LockBit, Silent Ransom and DagonLocker.
In the past, similar sanctions have led to the closure and “rebranding” of extortion groups, as negotiators refused to transfer payments to sanctioned persons.
How members of the TrickBot hack group interacted with each other
A WIRED investigation based on a cache of documents posted by an unknown individual reveals the secrets of the Trickbot ransomware group, including the identity of one of its central members.
Maxim Sergeevich G.
He is extremely active on the Internet. In his work chat, the 41-year-old chats with colleagues day and night. He complains that he’s losing money trading cryptocurrency, says he’s “addicted as hell” to Metallica, and agrees with a colleague that the crime thriller Hackers is the perfect weekend movie. Galochkin admits to a colleague that he prefers to work in the office, where it’s easier for him to concentrate – his wife “scolds” him when he’s at home. And he knows what he wants in life.
“I have big goals,” he told a colleague in September 2021. “I want to be rich. A millionaire.” His more idealistic colleague calls money a “nonsense goal.” But the man has a plan. “No,” he replies, “money is a means to achieve what you want.”
He may seem like an ordinary office worker, but in fact he has chosen a profession that allows him to earn a great deal of money. According to numerous cybercrime researchers, the man is a key member of the notorious Russian cybercrime syndicate Trickbot, which has launched thousands of cyberattacks in recent years, crippling businesses, hospitals and even governments around the world. His Trickbot colleagues know him by his online nicknames: Bentley and Manuel.
The revelation was the result of a months-long investigation by WIRED involving several Russian cybersecurity and cybercrime experts who linked him to the Bentley alias. The analysis includes a detailed assessment of the massive amount of data that was leaked from the ransomware group and posted online. The investigation also sheds light on the inner workings of the Trickbot cybercrime syndicate, connecting its key members to a broader network of cybercriminals and uncovering connections between these criminal groups.
In March 2022, a Twitter account known as “Trickleaks” published thousands of online chat logs from about 35 members of the group. The total size of the Trickbot group is difficult to estimate, but researchers believe it includes between 100 and 400 people. The anonymous tipster published 250,000 internal Trickbot messages and a series of homemade dossiers on the people believed to be behind the group. The material includes the real names, photographs, social media accounts, passport numbers, telephone numbers, cities of residence and other personal information of the alleged gang members.
The cache also includes 2,500 IP addresses, 500 cryptocurrency wallets, thousands of domains and email addresses. Collectively, these files represent one of the largest cybercriminal data leaks in history.
At the time of publication in early 2022, the Trickleaks files had gone largely unnoticed by the public as global attention was focused on other issues and another major data breach from ransomware group Conti, which researchers believe has close ties to Trickbot.
But the Trickleaks leak did not go unnoticed by global law enforcement agencies, who assessed the data. Its publication last year comes amid concerted efforts by the US and UK to crack down on the activities of Russian cybercriminals, including some members of Trickbot.
However, such government investigations often lag years behind events and require long-term strategic coordination. For cybercriminals seeking anonymity, it is very important to keep their distance from their colleagues.
But when you’re texting each other all day, even the most private and security-conscious people can reveal some personal information. And in Bentley’s case, such missteps inadvertently helped reveal his true identity, researchers say.
For example, in June 2020, a Trickbot participant named Defender asked Bentley for an address on the Jabber instant messaging service so that they could communicate outside the group’s internal channels. According to researchers from the cybersecurity company Nisos, who conducted an investigation at WIRED’s request, Bentley sent his colleague an email address.
Nisos principal investigator Vincas Ciziunas linked the Jabber contact to an email address and a YouTube account of the same name that posted videos about cryptocurrency trading. One of the videos posted on YouTube under the nickname “Mrvolhvb” shows that the user was also logged into a Jabber account in another window. “He uses the login in many places,” Ciziunas said.
Vitaly Kremez, a longtime cybersecurity researcher who has worked extensively on Conti and Trickbot, also noticed the error in the video. In March 2022, Kremez, who died late last year in a scuba diving accident, claimed that “Max” was behind the Bentley nickname.
Using information about the Russian telephone industry, data leaks and other information obtained by Nisos, the Gmail account was linked to Bentley’s phone number. This connection helped reveal the person’s identity offline. Records obtained by Nisos linked Bentley’s phone number to an address in the city of Abakan. Further research by the company showed that he was born in May 1982 and that his tax identification number indicates he previously bore the legal name Maxim Sergeevich S. As Nisos found, these names are linked by the same date of birth and Russian passport number.
Other cybersecurity researchers who have followed Trickbot agree that Maxim Sergeevich is behind Bentley.
Alex Holden, president and chief information security officer of Hold Security and a researcher who has been following Trickbot for several years, says Bentley’s identity data is “very consistent” with his previous findings.
Radoje Vasovic, CEO of Cybernite Intelligence, who analyzed Trickleaks data and conducted open source research, is also confident that this person is Bentley. In December 2022, the German newspaper Die Zeit also published an investigation into Conti, which identified Bentley as “Maxim G.”
The exposure matters. Bentley is one of the “key people” running Trickbot, thanks in part to his experience and connections in the world of cybercrime, Holden said. While many Russian cybercrime groups pose a significant global threat, Trickbot has attracted particular attention and reprisals because of the seriousness of its crimes. For example, in the run-up to the 2020 US election, US Cyber Command carried out an unusually public operation aimed at taking down the Trickbot botnet. In the weeks that followed, companies including Microsoft took legal and technical steps to take down the Trickbot network as part of protecting election and other critical infrastructure.
Cybercriminals often avoid accountability by remaining nameless and faceless. But it is possible to get a detailed picture of their activities both inside and outside of Trickbot.
In the photo that appeared on the cybercriminal’s profiles on GitHub and Gravatar, he appears to be a well-built man with thick dark brown eyebrows and an equally dark brown beard. He has long gray hair and poses on a mountainside, carrying a hiking backpack, wearing jeans and a white T-shirt. It is unknown when the photograph was taken.
The leaked messages also suggest that Bentley’s work may have caused tension in his personal life. In one message, he tells a colleague that his wife has come to terms with what he is doing. “I tell her that we are ruining the lives of the arrogant assholes from American corporations,” one message reads. “The main thing is that we don’t persecute ordinary poor people.”
No one knows where the Trickleaks data came from, and no one has ever claimed responsibility for the leak. “With the amount of information they had access to, it was either someone who had a good infiltration or a researcher who would find a way to get pretty deep into their infrastructure,” says Joe Vreeden, a cyber threat analyst at Cyjax, who compiled the only major public report on Trickleaks and analyzed Bentley’s messages for WIRED.
Intelligence dossiers posted by Trickleaks reveal a number of similarities between the alleged gang members. All of them are men. Many publicly say they work in technology. They are mainly based in Russia, some in large cities such as Moscow and St. Petersburg, others in smaller towns. One of the gang members is alleged to live in Belarus. All of the alleged gang members named in the leak are between 25 and 40 years old.
Vreeden said whoever compiled the dossiers likely combined external information with data from the group’s own systems, since details in the documents such as tax numbers and employment records do not appear in the leaked chat messages.
While it’s unclear whether all the people named in the leaks work for Trickbot, Holden says many of the details match what he’s seen previously. For example, information about a Trickbot member known as Tropa published by Trickleaks matches the name, age and email listed in the sanctions documents.
However, there are also some inconsistencies, Holden says, including cases where some gang members are not shown in the Trickleaks data even though other research suggests they must have been in close contact.
WIRED attempted to contact 20 alleged Trickbot members using email addresses published in the Trickleaks files. The request for comment asked how accurate the personal information contained in the leak is and whether these people are affiliated with Trickbot. Many of the email addresses are no longer valid. Others appear to be working, but WIRED has not heard back from them.
However, WIRED received four responses. These people denied any connection to Trickbot, and most of them said they were unaware that their personal information had been published online. Some of them said they were legitimate tech workers. One of them asked whether he was the target of an attack. Another said he works as a bus driver. WIRED attempted to send detailed questions to Bentley via email and WhatsApp, but received no response.