Attacker profile

Vitaly Kovalev

Russian national publicly identified as 'Stern' — the CEO-level operator of TrickBot, Conti, and the broader Ryuk / BazarLoader cybercrime conglomerate. Sanctioned by the U.S., U.K. and EU in 2023.

Vitaly Nikolaevich Kovalev (Russian: Виталий Николаевич Ковалёв), online persona Stern, is a Russian national publicly identified as the CEO-level operator of the TrickBot / Conti / Ryuk cybercrime conglomerate — a continuous lineage of malware and ransomware operations that ran from roughly 2016 to 2022 and is assessed to have extracted more than $2.7 billion from victims across the period.

Identification

Kovalev's identification draws on three overlapping bodies of evidence:

  • Conti Leaks (February 2022) — a Ukrainian insider, in response to Conti's public support for Russia's invasion of Ukraine, leaked ~170,000 internal Jabber messages plus source code and operational documents. The messages named "Stern" repeatedly as the operation's CEO-equivalent and revealed organisational structure including a payroll of ~80 staff with defined HR, finance, and engineering functions. Researchers used the Jabber metadata, cryptocurrency wallet trails, and operational patterns to triangulate Stern to Kovalev.
  • U.S. DOJ indictment (June 2023) — Eastern District of Tennessee. Charged Kovalev with conspiracy to commit computer fraud and identity theft tied to TrickBot bank-credential theft against U.S. customers.
  • OFAC and OFSI sanctions (February 2023) — joint U.S./U.K. action designating Kovalev and six other Conti / TrickBot affiliates: Maksim Mikhailov ("Baget"), Valentin Karyagin ("Globus"), Mikhail Iskritskiy ("Tropa"), Dmitry Pleshevskiy ("Iseldor"), Ivan Vakhromeyev ("Mushroom"), and Valery Sedletski ("Strix").

Organisation

The Conti Leaks revealed an operation structured like a normal enterprise:

  • HR / hiring — formal job interviews, salary negotiations, paid time off.
  • Engineering — encryptor development, network reconnaissance tooling.
  • Operations — affiliate management, victim communications, ransom negotiation.
  • Finance — cryptocurrency ledger keeping, payroll, profit sharing.

Internal documents priced affiliate work, set negotiation guidance, and tracked KPIs (per-employee revenue targets). The leak materially advanced the field's understanding of how a major RaaS operation actually runs.

Significance

Kovalev / Stern is the most internally documented ransomware principal in history, courtesy of the Conti Leaks. The combination of leaked internal documents, a U.S. indictment, and joint U.S./U.K. OFAC sanctions makes the case the highest-confidence attribution in the catalog for a still-active operator.

The Conti brand was effectively retired after the leak; affiliates dispersed into Black Basta, BlackCat/ALPHV, Hive, and Royal — but the underlying engineering and management capability followed the same humans, which is why the Stern designation remains operationally relevant today.

Related incidents

Ransomware · Contained

Conti ransomware attack on the Government of Costa Rica

Conti encrypted 27 Costa Rican government institutions including the Ministry of Finance, paralyzing tax collection and customs for months. President Chaves declared a national emergency — the first cyber-incident state of emergency in history.

Victim: Government of Costa Rica (27 institutions incl. Ministry of Finance, Customs, Social Security)
Loss: $130.0M
Ransomware · Contained

HSE Ireland ransomware (Conti)

Conti ransomware paralysed Ireland's Health Service Executive, forcing cancellation of outpatient appointments nationwide for weeks. Conti released the decryptor for free; recovery still cost an estimated €100M+.

Victim: Health Service Executive (HSE) of Ireland
Loss: $130.0M
Records: 700.0K