In a landmark development in the global fight against cybercrime, Germany’s Federal Criminal Police Office (Bundeskriminalamt, or BKA) has publicly identified the elusive leader of the notorious Trickbot and Conti ransomware groups. The man behind the alias “Stern” has been unmasked as 36-year-old Russian national Vitaly Nikolaevich Kovalev. This marks a critical breakthrough in international law enforcement efforts against organized cybercriminal networks.
From ‘Stern’ to Kovalev: A Ransomware Kingpin Revealed
Kovalev, already sanctioned and indicted by the United States and United Kingdom in early 2023, has long operated under various pseudonyms including “Bentley,” “Bergen,” “Alex Konor,” and “Ben.” However, this is the first official confirmation linking him to “Stern,” the alias associated with strategic leadership across Trickbot and Conti ransomware operations.
German authorities confirmed the attribution through Operation Endgame, a coordinated multinational campaign aimed at disrupting global cybercrime infrastructure. The identification of Kovalev is a significant milestone for the operation, which involved contributions from Europol, the FBI, and several European law enforcement agencies.
Inside the Trickbot-Conti Syndicate
Trickbot and Conti have been among the most destructive cybercriminal organizations of the past decade. Initially developed as a banking trojan, Trickbot evolved into a modular malware platform, later enabling the deployment of ransomware and data exfiltration tools.
Under Kovalev’s leadership, the group spread various malware strains, including:
- Trickbot
- Ryuk
- BazarLoader
- IcedID
- SystemBC
- Conti
- Diavol
These tools were instrumental in orchestrating ransomware attacks on hospitals, governments, banks, and critical infrastructure worldwide. At the peak of its operations, Conti alone extorted hundreds of millions of dollars from victims. The FBI labeled it one of the most dangerous ransomware gangs globally.
Leaked Chats That Exposed the Inner Circle
Kovalev’s identity as “Stern” was uncovered through leaked internal communications, specifically the now-infamous ContiLeaks and TrickLeaks. These leaks, released by insiders and hacktivists during geopolitical tensions around Russia’s invasion of Ukraine, offered rare insight into the groups’ internal structures, personnel, and decision-making hierarchy.
Investigators pieced together Kovalev’s role based on patterns of behavior, command structures, and messages revealing “Stern” as the final approver of major cyber operations and personnel decisions. His leadership was both strategic and operational – directing attacks, managing teams, and enforcing internal discipline.
Why This Matters
The exposure of Vitaly Kovalev as the mastermind behind Trickbot and Conti underscores several key trends:
- The growing effectiveness of cybercriminal leaks as investigative tools
- The success of international cooperation in identifying threat actors, even across jurisdictions
- The critical importance of attribution in disrupting criminal trust networks and future operations
Although Trickbot and Conti as organizations have officially disbanded, their code, tactics, and personnel have splintered into new ransomware operations. The naming of Kovalev sends a message to these successor groups: anonymity is no longer a guarantee of safety.
Final Thoughts
The unmasking of “Stern” marks a symbolic victory in the fight against cybercrime. While Kovalev may remain physically out of reach, his exposure dismantles a layer of secrecy that has long protected major ransomware operators.
As global law enforcement tightens its grip and intelligence sharing deepens, the once shadowy world of cybercrime is finding fewer places to hide.
