Unmasking Trickbot, One of the World’s Top Cybercrime Gangs

Unmasking Trickbot, One of the World’s Top Cybercrime Gangs

Maksim Sergeevich Galochkin is extremely online. On his work chat, the 41-year-old messages his colleagues day and night. He moans about losing money on cryptocurrency trading, says he’s “fucking addicted” to Metallica, and agrees with a colleague that the crime thriller Hackers is a perfect weekend movie. Galochkin confides to a teammate that he prefers working in the office and finds it easier to focus there—his wife “scolds” him when he’s at home. And he knows what he wants in life.

“I have big goals,” he told a coworker in September 2021. “I want to be rich. A millionaire.” His more idealistic colleague calls money “a bullshit goal.” But Galochkin has a plan. “Nah,” he replies, “money is a means to arrange what I want.”

Galochkin may seem like a typical office worker, but he’s actually in the right line of work to make big money. According to multiple cybercrime researchers, he’s a key member of the notorious Russian cybercrime syndicate Trickbot, which has launched thousands of cyberattacks in recent years, crippling businesses, hospitals, and even governments around the world. Within Trickbot, his colleagues know him by his online handles: Bentley and Manuel.

The unmasking of Galochkin comes after a monthslong WIRED investigation involving multiple cybersecurity and Russian cybercrime experts who link him to the Bentley moniker. The analysis includes detailed assessments of a massive data trove that was leaked from the ransomware gang and posted online. This investigation also sheds further light on the inner workings of the Trickbot cybercrime syndicate, connecting its key players to the wider cybercrime landscape and revealing links between these criminal gangs and the Russian government.

In March 2022, a Twitter account known as “Trickleaks” published thousands of online chat logs taken from roughly 35 members of the group. The total size of the Trickbot group is tough to gauge, but researchers estimate it has anywhere from 100 to 400 members. The anonymous leaker published 250,000 internal Trickbot messages and a series of homemade intelligence dossiers exposing the people allegedly behind the gang. The trove includes real-world names, photos, social media accounts, passport numbers, phone numbers, towns and cities of residence, and other personal details of the alleged gang members. The cache also includes 2,500 IP addresses, 500 cryptocurrency wallets, and thousands of domains and email addresses.

Taken together, the files form one of the largest-ever data dumps from a cybercrime group. At the time of their release in early 2022, the Trickleaks files were largely overlooked by the public as global attention focused on Russia’s full-scale invasion of Ukraine and another major leak from the Conti ransomware group, which researchers say has strong ties to Trickbot.

Trickleaks did not escape the notice of global law enforcement, which has assessed the data. Its release last year came amidst a concerted effort by the United States and United Kingdom to disrupt, name, shame, and sanction Russian cybercriminals, including some Trickbot members, though not Galochkin or some other key Trickbot employees. But these government investigations are often years behind current activity and involve long-term strategic coordination.

Unmasking Bentley

For cybercriminals seeking anonymity, keeping distance from their coworkers is crucial. But when you’re spending all day messaging each other, even the most private and security-conscious people are likely to reveal some personal details. And for Galochkin, such lapses inadvertently helped reveal his true identity, researchers say.

In June 2020, for example, a Trickbot member with the handle Defender asked Bentley for an address on the instant messaging service Jabber so they could communicate outside of the group’s internal channels. Bentley sent his colleague the username volhvb@exploit.im, according to researchers from the cybersecurity firm Nisos, who investigated Bentley’s identity at WIRED’s request.

Nisos principal researcher Vincas Čižiūnas linked the Jabber contact to an email address, volhvb@gmail.com, and a YouTube account with a similar name that published videos detailing Russian crypto trading. One video posted by the YouTube account “Mrvolhvb” shows that the user is also logged in to the volhvb@exploit.im Jabber account in another window. “He uses the handle ‘volhb’ in a lot of places,” Čižiūnas says. Vitali Kremez, a longtime cybersecurity researcher who focused extensively on Conti and Trickbot, also noticed this slipup in the video. Kremez, who died at the end of last year in an apparent scuba diving accident, said in March 2022 that “Max” Galochkin was the real identity behind the Bentley handle.

Through Russian phone industry information, leaked data breach troves, and other intelligence reviewed by Nisos, the Gmail account was linked to a phone number for Galochkin. The connection helped unravel Galochkin’s offline identity. Records seen by Nisos connect Galochkin’s phone number to an address in the southern Russian city of Abakan. Further research by the company reveals that he was born in May 1982, and his tax identification number shows he previously had the legal name of Maksim Sergeevich Sipkin. Galochkin and Sipkin are linked by the same date of birth and Russian passport number, Nisos found.

Other cybersecurity researchers who have followed and monitored Trickbot agree that Galochkin is behind the Bentley handle. Alex Holden, president and chief information security officer of Hold Security and a researcher who has focused on Trickbot for years, says the data around Bentley’s identity is “extremely consistent” with his previous findings.

Similarly, Radoje Vasovic, the CEO of security firm Cybernite Intelligence, who has analyzed the Trickleaks data and conducted open source research, is confident that Galochkin is Bentley. In December 2022, German newspaper Die Zeit also published an investigation into Conti, which included identifying Bentley as “Maxim G.”

Unmasking Galochkin is significant. Bentley is one of the “key personas” operating Trickbot, Holden says, thanks in part to his experience and connections in the cybercrime world. And while there are multiple Russia-based cybercrime gangs that pose a significant global threat, Trickbot has garnered particular attention and reprisals for the severity of its crimes. In the lead-up to the 2020 United States elections, for example, US Cyber Command carried out an unusually public offensive operation meant to disrupt the Trickbot botnet. In the ensuing weeks, companies including Microsoft took legal and technical action to disrupt Trickbot’s networks as part of efforts to safeguard voting and other critical infrastructure.

Cybercriminals often escape accountability by remaining nameless and faceless. But with Galochkin, it’s possible to build up a detailed picture of his activities inside and outside of Trickbot. In a photo that appears on Galochkin’s GitHub and Gravatar profiles, a man appears well-built, with bushy dark brown eyebrows and a matching dark brown goatee. He has long gray and white hair and is posing on the side of a mountain, wearing a hiking backpack, jeans, and a white T-shirt. It is not clear when the photo was taken.

The leaked messages also show that Galochkin’s work may have caused some tensions in his personal life. At one point, he tells a colleague that his wife came to accept the line of work he is doing. “I tell her we’re fucking with the arrogant assholes from American corporations,” one message says. “The main thing is we aren’t going after the ordinary poor people.”

In 2010, before Galochkin changed his name from Sipkin, according to Nisos, he participated in the Russian opposition political movement known as Solidarity. He was elected to the political council of a regional branch of the movement and talked about problems of corruption and censorship in Russia, calling for a return to democracy and an investigation into officials under the leadership of then-president Dmitry Medvedev.

Tricky Origins

No one knows where the Trickleaks data came from—and no one has ever claimed responsibility for the leak. “With the amount of information they had access to, it was either someone who had embedded themselves quite well, or some researcher who would have found some way to break in quite deep into their infrastructure,” says Joe Wrieden, a cyber threat intelligence analyst at Cyjax who has compiled the only major public report on Trickleaks and who analyzed Bentley’s messages for WIRED.

The intelligence dossiers posted by Trickleaks reveal a number of similarities between the alleged gang members. They’re all men. Many publicly claim they work in technology. They’re mostly based in Russia, some in big cities like Moscow and Saint Petersburg, others apparently in smaller towns. It’s claimed one member lives in Belarus. And all the alleged gang members identified in the leak are around 25 to 40 years old—potentially making them eligible for the draft for Russia’s war in Ukraine.

One person, who seemingly used the logo of Russia’s Federal Security Service (the FSB) as a profile picture on WhatsApp, posted mundane photos on Facebook and Instagram of pet dogs and himself grilling. Wrieden says whoever compiled the dossiers likely combined external information with data from the gang’s own systems, as details in the documents, such as tax numbers and employment histories, are not included in the leaked chat messages.

While it’s unclear whether all of those named in the leaks work for Trickbot, Holden says many details overlap with what he has seen previously. Some of the information has been corroborated in sanctions issued by the US and UK governments. For example, details for a Trickbot member known as Tropa that were published by Trickleaks match the web handles, name, age, and email listed in sanctions records. But there are some inconsistencies, Holden says, including instances where certain gang members are never shown chatting in the Trickleaks data even though other research indicates that they would have been in close contact.

WIRED attempted to contact 20 of the alleged Trickbot members using email addresses published in the Trickleaks files. The requests for comment include questions about whether the personal information from the leak is accurate, and whether the people have links to Trickbot. Many of the email addresses are no longer active. Others seemed to be operational, but WIRED received no reply from them.

WIRED received four responses, however. The individuals denied that they have any links to Trickbot, and most said that they didn’t know their personal information had been published online. Some said they are legitimate tech workers. One asked whether he was being targeted because he is a supporter of Russian president Vladimir Putin. Another said that he works as a bus driver. WIRED attempted to send Galochkin detailed questions on both email and WhatsApp but received no reply.

Dmitriy Pleshevskiy—who wasn’t included in the Trickleaks files but whom both the US and UK government sanctioned for being part of Trickbot under the Iseldor handle—denies being part of the group. In emails to WIRED, he says he used to use the Iseldor handle for gaming and some “programming tasks” on a freelance basis several years ago. “These tasks did not seem illegal to me, but perhaps that is where my involvement in these attacks comes in,” Pleshevskiy says.

Pleshevskiy says he filed an appeal with the US Office of Foreign Assets Control refuting his sanction and shared text of a message he claims to have sent to OFAC. “I am accused of illegal actions only on the basis of some data leaked by someone,” the message says. Pleshevskiy claims he worked for an international company that had headquarters in the UK and had to quit the job because of the sanctions. He has not heard back about his appeal. OFAC did not respond to WIRED’s requests for comment.

Bad Company

Trickbot was formed in 2016 following disruptions to the group that ran the infamous Dyre banking trojan. In its early days, Trickbot focused on monetizing existing malware, but it soon set its sights on developing more flexible and expansive tools. Its claim to fame is an adaptable, modular malware system through which the group’s developers create new functionality and swap in upgraded components over time. With this capability in place, the malware expanded to include modules for scams against targets beyond the financial sector, including hospitals and other health care organizations. Investigators often label Trickbot part of “Wizard Spider,” an umbrella organization that also includes Conti, because of apparent personnel overlaps and operational connections.

Trickbot functions somewhat like a legitimate company, with a management structure and high-level executives, according to the leaked chats. Workers receive salaries and take vacations. Staff focus on developing ransomware, searching for victims, and launching attacks. Managers juggle workers’ goals, deadlines, and interpersonal demands. At the head of both Trickbot and Conti is Stern, a mysterious CEO-like figure who oversees operations and receives daily updates from high-ranking managers like Galochkin, researchers say. “How are you doing?” Stern asked Bentley in September 2020. Expressing frustration, Bentley said he was “overwhelmed” from dealing with the configuration and setup for the group’s encryption tools.

Some researchers WIRED spoke to for this story provided evidence connecting the Bentley handle to Galochkin. Others focused on the behavior of the Bentley persona and its role in the context of the Trickbot and Conti operations. The Trickleaks data itself includes details on Galochkin and extensive information in the leaked chat logs on the Bentley persona’s day-to-day activities.

Bentley is a technical manager within Trickbot, according to Alex Leslie, a threat intelligence analyst at the security firm Recorded Future, which studies the cybercrime group. Recorded Future does not publicly name cybercriminal actors. Bentley’s job would be to “ensure that any malware developed by Wizard Spider is able to pass antivirus checks,” Leslie says. This means developing technical mechanisms to conceal the malware even as it runs on compromised devices and equip it to “defeat most proprietary and enterprise security solutions.” Though Bentley oversees this crucial project, researchers say it is unlikely that he does much coding himself.

The actual engineering work that powers the Trickbot malware is carried out by developers who are hired for their technical skills rather than their criminal know-how. Leslie notes that these developers can be intentionally siloed from the group’s wider activities—and its purpose. One example is the developer known as Zulas, an engineer in his mid-30s. Leslie points out that in the chats and other materials, Zulas sometimes seems confused about Trickbot and appears to believe he works for a data analytics firm.

“He uses his personal and professional email addresses and Jabber handles in the chats, which likely implies to me that he either doesn’t care that he’s in a cybercriminal group or he doesn’t know he’s in the cybercriminal group,” says Leslie. Russian criminal gangs sometimes advertise technical roles on legitimate Russian-language job boards and recruitment websites, and Trickbot likely recruited Zulas in this way.

Even within a criminal organization, managers like Bentley have typical office responsibilities. About 21 people report to him, making his technical team one of the largest within Trickbot, Recorded Future’s Leslie says. Bentley coordinates with Stern about salaries, collaborates with other managers, and handles disputes within his team. “He serves as a conflict resolution manager for the entire technical department of Trickbot,” Leslie says. “His day-to-day is largely administrative.” The Trickleaks logs show Bentley has sent tens of thousands of messages to other members of the group, including more than 3,000 to Stern, according to Wrieden’s analysis.

The cryptocurrency tracing firm Chainalysis studies the movement of digital funds within the Russian cybercriminal ecosystem, including among Trickbot members. Jackie Burns Koven, head of cyber threat intelligence at Chainalysis, says that the firm has not seen cryptocurrency wallets associated with the Bentley persona receiving ransomware payments. This suggests that he is not directly involved in deploying ransomware. Chainalysis, like Recorded Future, does not publicly name cybercriminal actors

But Chainalysis researchers do see evidence that Bentley had an account with the now-defunct Hydra Russian-language dark-web marketplace and made multiple deposits that were “likely to buy tools for hacking,” according to Burns Koven. She points out that at least one of the Trickleaks chats shows Bentley being asked to purchase stolen software development tools from underground vendors. Tracing Bentley’s digital transactions also illustrates his interactions and collaborations with other Trickbot and Conti members, including Stern.

As Bentley, researchers say, Galochkin is seemingly successful in his work for the cybercriminal gang, which has extorted hundreds of millions of dollars in recent years. Public records also link him to four Russian businesses where he served as a founder or company director. All sold computers and other communications equipment, but the Nisos researchers found that none of the companies are still functioning. Vasovic says one appears to have been doing “digital transformation” for local Russian government services. The Federal Bailiff Service of Russia website has indicated that Galochkin, under his former name of Sipkin, had an outstanding debt of 547,545 rubles (roughly $6,700) linked to a bank loan.

Kremlin Ties

The Trickbot and Conti leaks have shaken up the ransomware industry. In June 2022, after attacking Costa Rica, members of the Conti ransomware group disbanded. And in February of this year, the UK and US governments sanctioned seven people for their alleged involvement with Trickbot.

One of those sanctioned was Vitaly Nikolayevich Kovalev who, confusingly, uses the online handles “Ben” as well as “Bentley.” Alongside the sanctions, the US unsealed a 2012 indictment accusing Kovalev of conducting bank fraud between 2009 and 2010. Multiple sources tell WIRED that Kovalev’s use of the Bentley handle isn’t connected to what they believe to be Galochkin’s use of the same moniker.

Though cybercrime groups like Trickbot aim to be efficient and professionalized, two individuals using the same handle, even years apart, illustrates the disorder and fluidity within these organizations. And as gangs in Russia’s cybercriminal world clash or disband to evade international law enforcement, new combinations of the same familiar faces often emerge under the banner of a new group.

Tracing the real identities and relationships of Trickbot members also underscores the gang’s prominence within Russia’s flourishing cybercrime scene. “We know that ransomware actors value their anonymity, so exposing their identities via sanctions designations affects their reputation and relationships within the cybercriminal ecosystem,” says Will Lyne, head of cyber intelligence at the UK’s National Crime Agency, the country’s equivalent to the FBI. Lyne says the sanctions against Trickbot members puts them under more scrutiny and blocks them from accessing UK, US, and global financial systems.

The FBI declined to comment on Trickleaks or recent Trickbot activity. A US Cybersecurity and Infrastructure Security Agency official, who would only speak to WIRED on the condition of anonymity, says it has been alerting “international partners” about Trickbot malware since August 2021 and has sent out 55 alerts in the past year.

“Over the past 12 to 18 months, we have seen a shift in power within the cybercriminal ecosystem from the ransomware operators, who control the malware behind the schemes, and the affiliates,” Lyne says. “This has resulted in some affiliates working much more loosely with multiple ransomware variants simultaneously.”

Microsoft’s corporate vice president of customer security and trust, Tom Burt, wrote of Trickbot in October 2020 that “research suggests they serve both nation-states and criminal networks.”

Digital crime syndicates operate globally, and particular types of scams often evolve in different regions as a result of lax enforcement that criminals use to their advantage. In Russia, the Kremlin has broadly allowed ransomware actors and other cybercriminal groups to operate with impunity—as long as they don’t victimize Russian targets. As the global law enforcement community has scrambled to address high-profile ransomware attacks, the question of how deeply Russian cybercriminal groups are tied to their government has taken on increased significance.

In January 2022, amid a series of particularly ruthless attacks on US and UK targets, Russian law enforcement arrested more than a dozen alleged members of the ransomware gang REvil, though the suspects were reportedly only charged with credit card forgery. This enforcement action was an isolated event and seemed to further underscore that the Russian government has a vested interest in managing optics and ultimately protecting its criminal hackers.

Speaking about Russia’s war against Ukraine at the RSA security conference in San Francisco in April, US National Security Agency cybersecurity director Rob Joyce said that criminal and “hacktivist” attackers are a “natural resource” for the Kremlin. He added that Russian intelligence “is able to maintain relationships and use all the coercive power of the Russian government” and that such a relationship was “pretty disturbing.”

As the war in Ukraine drags on, Russia’s inability to break through has become both embarrassing and destabilizing for Putin’s regime. But researchers say that the more geopolitically isolated Russia becomes, the more likely it is that the relationship between cybercriminals and Russian intelligence services will endure and even deepen.

“The Russian criminal problem isn’t going anywhere. In fact, now it’s probably closer with the security services than it’s ever been,” says John Hultquist, Google Cloud’s chief analyst for Mandiant Intelligence. “They’re actually carrying out attacks and doing things that benefit the security services, so the security services have every interest in protecting them.”

Analysts have repeatedly concluded that cybercriminals working in Russia have connections to the Kremlin. And these connections have become increasingly clear. When the UK and US sanctioned Trickbot and Conti members in February, both countries said members were associated with “Russian intelligence services.” They added that it was “likely” some of their actions were directed by the Russian government and that the criminals choose at least some of their victims based on “targeting previously conducted by Russian intelligence services.”

Chat logs included in the Trickleaks data offer rare insight into the nature of these connections. In 2021, two alleged Trickbot members, Alla Witte and Vladimir Dunaev, appeared in US courts charged with cybercrime offenses. In November 2021, according to Nisos’ analysis, the Trickleaks chats show members were worried about their safety and panicked when their own cryptocurrency wallets were no longer accessible. But someone using the handle Silver—allegedly a senior Trickbot member—offered reassurance. While the Russian Ministry of Internal Affairs was “against” them, they said, the intelligence agencies were “for us or neutral.” They added: “The boss has the right connections.”

The same month, the Manuel handle, which is linked to Galochkin, said he believed Trickbot leader Stern had been involved in cybercrime “since 2000,” according to the Nisos analysis. Another member, known as Angelo, responded that Stern was “the link between us and the ranks/head of department type at FSB.” The previous Conti leaks also indicated some links to Russia’s intelligence and security services.

Business as Usual

Despite a concerted global effort to disrupt Russian cybercriminal activity through sanctions and indictments, gangs like Trickbot continue to thrive. “Less has changed than meets the eye,” says Ole Villadsen, a senior analyst at IBM’s X-Force security group. He notes that many Trickbot and Conti members are still active, continue to communicate among themselves, and are using shared infrastructure to launch attacks. The group’s factions “continue to collaborate behind the scenes,” Villadsen says.

Chainalysis’ Burns Koven says the firm sees the same long-standing relationships reflected in its cryptocurrency wallet data. “Since the Conti diaspora, we can still see the interconnectivity financially between the old guard,” she says. “There are still some symbiotic relationships.”

Deterring cybercrime is difficult across different jurisdictions and under an array of geopolitical conditions. But even with limited leverage in Russia—where there is little chance for Western law enforcement to arrest individuals, much less extradite them—efforts to name and shame cybercriminals can have an impact. Holden, the longtime Trickbot researcher, says Trickbot members have had mixed reaction to being unmasked. “Some of them have retired, some of them changed their nicknames—some of them basically didn’t care because the community was not impacted significantly,” Holden says. But, he adds, exposing people’s identities can mean they “become unwelcome” in their communities.

Vasovic, the Cybernite Intelligence CEO, says when the Trickleaks account first began posting on Twitter, he also published pictures of Galochkin to expose his identity. Along with other cybersecurity researchers calling out ransomware criminals, Vasovic received threats of violence and online harassment following his disclosures. Emails and private chat messages he shared with WIRED appear to show an unknown person, who claimed to work for multiple unnamed cybercrime groups, threatening not just Vasovic but also his family.

“They try to strike fear. And if it works, it works. And if it doesn’t, it doesn’t,” Vasovic says. In fact, the person making the threats claimed to Vasovic that they had already been indicted and could no longer take their wife and daughter on holiday overseas. The person also claimed that at one point they had been interrogated by Russian investigators for two hours about Trickbot specifically, before being let go. Yet the person still seemed to feel secure that they could threaten Vasovic from within Russia’s borders with impunity. “Nobody will be sent to America,” they bragged. “No risk over here.”

Read More

Leave a Reply

Your email address will not be published. Required fields are marked *