Unmasking Trickbot, One of the World’s Top Cybercrime Gangs
“The Russian criminal problem isn’t going anywhere. In fact, now it’s probably closer with the security services than it’s ever been,” says John Hultquist, Google Cloud’s chief analyst for Mandiant Intelligence. “They’re actually carrying out attacks and doing things that benefit the security services, so the security services have every interest in protecting them.”
Analysts have repeatedly concluded that cybercriminals working in Russia have connections to the Kremlin. And these connections have become increasingly clear. When the UK and US sanctioned Trickbot and Conti members in February, both countries said members were associated with “Russian intelligence services.” They added that it was “likely” some of their actions were directed by the Russian government and that the criminals choose at least some of their victims based on “targeting previously conducted by Russian intelligence services.”
Chat logs included in the Trickleaks data offer rare insight into the nature of these connections. In 2021, two alleged Trickbot members, Alla Witte and Vladimir Dunaev, appeared in US courts charged with cybercrime offenses. In November 2021, according to Nisos’ analysis, the Trickleaks chats show members were worried about their safety and panicked when their own cryptocurrency wallets were no longer accessible. But someone using the handle Silver—allegedly a senior Trickbot member—offered reassurance. While the Russian Ministry of Internal Affairs was “against” them, they said, the intelligence agencies were “for us or neutral.” They added: “The boss has the right connections.”
The same month, the Manuel handle, which is linked to Galochkin, said he believed Trickbot leader Stern had been involved in cybercrime “since 2000,” according to the Nisos analysis. Another member, known as Angelo, responded that Stern was “the link between us and the ranks/head of department type at FSB.” The previous Conti leaks also indicated some links to Russia’s intelligence and security services.
Business as Usual
Despite a concerted global effort to disrupt Russian cybercriminal activity through sanctions and indictments, gangs like Trickbot continue to thrive. “Less has changed than meets the eye,” says Ole Villadsen, a senior analyst at IBM’s X-Force security group. He notes that many Trickbot and Conti members are still active, continue to communicate among themselves, and are using shared infrastructure to launch attacks. The group’s factions “continue to collaborate behind the scenes,” Villadsen says.
Chainalysis’ Burns Koven says the firm sees the same long-standing relationships reflected in its cryptocurrency wallet data. “Since the Conti diaspora, we can still see the interconnectivity financially between the old guard,” she says. “There are still some symbiotic relationships.”
Deterring cybercrime is difficult across different jurisdictions and under an array of geopolitical conditions. But even with limited leverage in Russia—where there is little chance for Western law enforcement to arrest individuals, much less extradite them—efforts to name and shame cybercriminals can have an impact. Holden, the longtime Trickbot researcher, says Trickbot members have had mixed reaction to being unmasked. “Some of them have retired, some of them changed their nicknames—some of them basically didn’t care because the community was not impacted significantly,” Holden says. But, he adds, exposing people’s identities can mean they “become unwelcome” in their communities.
Vasovic, the Cybernite Intelligence CEO, says when the Trickleaks account first began posting on Twitter, he also published pictures of Galochkin to expose his identity. Along with other cybersecurity researchers calling out ransomware criminals, Vasovic received threats of violence and online harassment following his disclosures. Emails and private chat messages he shared with WIRED appear to show an unknown person, who claimed to work for multiple unnamed cybercrime groups, threatening not just Vasovic but also his family.
“They try to strike fear. And if it works, it works. And if it doesn’t, it doesn’t,” Vasovic says. In fact, the person making the threats claimed to Vasovic that they had already been indicted and could no longer take their wife and daughter on holiday overseas. The person also claimed that at one point they had been interrogated by Russian investigators for two hours about Trickbot specifically, before being let go. Yet the person still seemed to feel secure that they could threaten Vasovic from within Russia’s borders with impunity. “Nobody will be sent to America,” they bragged. “No risk over here.”
Gloss