UK and US sanction 11 Russians connected to notorious Trickbot group

This article was updated at 12:45 p.m. EST

Eleven Russian nationals alleged to have been part of the criminal group operating the Trickbot malware and Conti ransomware schemes were sanctioned Thursday by authorities in the United States and United Kingdom.

The individuals targeted by the sanctions “include key actors involved in management and procurement for the Trickbot group, which has ties to Russian intelligence services,” according to the U.S. Treasury. The infamous banking trojan and botnet is believed to have stolen more than $180 million worldwide.

It follows a first tranche of sanctions in February against what officials told Recorded Future News was a single criminal network behind the Conti and Ryuk ransomware gangs, as well as those who have been involved with the Trickbot banking trojan.

While announcing the sanctions Thursday morning, the U.S. Department of Justice unsealed indictments against seven of the individuals.

The 11 new additions, as described in the sanctions release, are:

• Andrey Zhuykov was a central actor in the group and acted as a senior administrator. He is also known by the online monikers Dif and Defender.
• Maksim Galochkin led a group of testers, with responsibilities for development, supervision, and implementation of tests. Galochkin is also known by the online monikers Bentley, Crypt, and Volhvb.
• Maksim Rudenskiy was a key member of the Trickbot group and the team lead for coders.
• Mikhail Tsarev was a manager with the group, overseeing human resources and finance. He was responsible for management and bookkeeping. He is also known by the monikers Mango, Alexander Grachev, Super Misha, Ivanov Mixail, Misha Krutysha, and Nikita Andreevich Tsarev.
• Dmitry Putilin was associated with the purchase of Trickbot infrastructure. Putilin is also known by the online monikers Grad and Staff.
• Maksim Khaliullin was an HR manager for the group. He was associated with the purchase of Trickbot infrastructure including procuring Virtual Private Servers. Khaliullin is also known by the online moniker Kagas.
• Sergey Loguntsov was a developer for the Trickbot group.
• Vadym Valiakhmetov worked as a coder for the Trickbot group and is known by the online monikers Weldon, Mentos, and Vasm.
• Artem Kurov worked as a coder with development duties in the Trickbot group. Kurov is also known by the online moniker Naned.
• Mikhail Chernov was part of the internal utilities group for Trickbot and is also known by the online moniker Bullet.
• Alexander Mozhaev was part of the admin team responsible for general administrative duties and is also known by the online monikers Green and Rocco.

“All 18 of these cyber criminals are now subject to travel bans and asset freezes, and are severely restricted in their use of the legitimate global financial system,” said the National Crime Agency (NCA), whose director general of operations, Rob Jones, described the sanctions as “a continuation of our campaign against international cyber criminals.”

The Trickbot group has been pursued by law enforcement for years and is believed to be responsible for extorting at least $180 million from victims globally, and at least £27 million ($33 million) from 149 victims across Britain — including hospitals, schools, local authorities and businesses — according to an investigation by the NCA.

While the majority of the names on the list had not been publicly associated with Trickbot, those of Galochkin, Loguntsov, Kurov, Mozhaev, and Valiakhmetov were previously identified by security blogger Dario Fadda based on a dossier containing thousands of chat logs released in March 2022 by a Twitter account calling itself Trickleaks.

That leak, which occurred just after the Contileaks — a similar dump of chat logs ostensibly conducted by a Ukrainian member of the gang who opposed its support for the Russian invasion — has been described as the “Panama Papers” of the ransomware world because it assisted researchers in identifying and exposing so many of the criminal network’s participants.

“These cyber criminals thrive off anonymity, moving in the shadows of the internet to cause maximum damage and extort money from their victims,” said the U.K.’s Foreign Secretary James Cleverly in a statement published alongside the announcement of the second tranche of sanctions.

The action against the gang was a method to show that the criminals couldn’t act with “impunity,” Cleverley explained. “We know who they are and what they are doing. By exposing their identities, we are disrupting their business models and making it harder for them to target our people, our businesses and our institutions.”

Brian Nelson, the under secretary for terrorism and financial intelligence at the U.S. Treasury, said: “The United States is resolute in our efforts to combat ransomware and respond to disruptions of our critical infrastructure. In close coordination with our British partners, the United States will continue to leverage our collective tools and authorities to target these malicious cyber activities.”

Correction: A previous version of this article misstated how many of the sanctioned individuals had previously been connected to Trickbot. Five of them had been identified by security blogger Dario Fadda.