The United States Department of Treasury and United Kingdom Foreign Office announced today that they have sanctioned 11 people for their alleged involvement in the Trickbot cybercriminal gang. The US Department of Justice also unsealed indictments against nine people whom it says are connected to Trickbot and its sibling organization Conti. Seven of those nine also appear on today’s sanctions list.
US and UK law enforcement working with officials around the world have made a concerted effort in recent years to deter cybercrime—particularly ransomware attacks and those launched by Russia-based actors. And Trickbot, a notorious and prolific gang, has repeatedly been a specific target of these actions. In February, the US and UK announced sanctions against seven alleged Trickbot actors and an indictment against them.
The new round of censures includes alleged Trickbot members who are accused of acting as coders and administrators for the group, as well as senior staff, the developer team lead, and a human resources and finance manager. The sanctions also name Trickbot’s alleged head of testing for the gang’s malware and technical infrastructure. This individual, Maksim Galochkin, goes by the handle Bentley, among others. WIRED identified Galochkin last week as part of an extensive investigation into Trickbot and its operations.
The Department of Justice announced three indictments today that include Galochkin. One in the Northern District of Ohio, filed on June 15, charges him and 10 other alleged Trickbot members with “conspiring to use the Trickbot malware to steal money and personal and confidential information from unsuspecting victims, including businesses and financial institutions located in the United States and around the world, beginning in November 2015.” This timeline means that the charges essentially relate to all Trickbot activity going back to the group’s inception.
An indictment from the Middle District of Tennessee, filed on June 12, charges Galochkin and three others with use of the Conti ransomware in attacks targeting “businesses, nonprofits, and governments in the United States” between 2020 and June 2022. And an indictment in the Southern District of California, filed on June 14, charges Galochkin in connection with the May 1, 2021, Conti ransomware attack on Scripps Health.
“Today’s announcement shows our ongoing commitment to bringing the most heinous cyber criminals to justice—those who have devoted themselves to inflicting harm on the American public, our hospitals, schools, and businesses,” FBI director Christopher Wray said in a statement on Thursday. “Cyber criminals know that we will use every lawful tool at our disposal to identify them, tirelessly pursue them, and disrupt their criminal activity. We, alongside our federal and international partners, will continue to impose costs through joint operations no matter where these criminals may attempt to hide.”
It has been difficult for global law enforcement to make progress on deterring cybercrminal activity, especially when actors are based in countries like Russia that allow them to operate with impunity. But independent researchers say that imposing public accountability does have impacts on the individuals as well as the broader criminal landscape.
Cybercriminals “often think they can conduct cyberattacks against corporations and individuals under anonymity,” says Landon Winkelvoss, vice president of research for the digital intelligence firm Nisos, which conducted a detailed investigation of Bentley’s real-world identity at WIRED’s request. But “they all make mistakes and the very nature of their crimes requires that their digital footprint is in the wild.”
Winkelvoss notes that while cybercriminals have systematized strategies for maintaining their operational security and staying out of the limelight, their efforts to remain invisible are far from foolproof.
“Reusing command and control infrastructure servers and selectors like emails addresses and phone numbers is often the quickest return on their investment,” Winkelvoss says. “Unfortunately for them, this makes their unmasking relatively straightforward, especially when law enforcement and private industry [have] more publicly available data than they do.”