German Police Unmask Ransomware Gang Leader Behind TrickBot and Conti
In a significant development tied to global anti-cybercrime efforts, Germany’s Federal Criminal Police Office (BKA) has officially named Vitaly Nikolaevich Kovalev as the mastermind behind two of the most notorious cybercriminal operations in recent years—TrickBot and Conti ransomware.
Kovalev, a 36-year-old Russian national, is now the subject of an Interpol red notice, following charges in Germany for leading a criminal organization. His identity was revealed during Operation Endgame, a coordinated international effort to disrupt malware networks and apprehend key cybercriminal figures.
The Man Behind the Aliases: Stern, Bentley, Bergen, Ben
While Kovalev has long been suspected of playing a senior role in TrickBot, this is the first time he has been directly accused of founding and leading the group. Operating under aliases such as “Stern,” “Bentley,” “Bergen,” “Alex Konor,” and “Ben,” he allegedly directed attacks, approved operations, and even coordinated legal defense efforts for arrested gang members.
According to leaked chat logs and internal documents—part of the massive ContiLeaks and TrickLeaks incidents—Kovalev was consistently in charge. Gang members sought his go-ahead before launching attacks or making major decisions. The leaks, shared publicly on platforms like Twitter, helped unmask not only group members but also their infrastructure, operations, and communications.
“The subject is suspected of having been the founder of the ‘Trickbot’ group, also known as ‘Wizard Spider.’”
— German BKA, official statement.
How the Gangs Operated and Spread Their Malware
Both the Conti ransomware group and the TrickBot gang operated with a highly organized, hierarchical structure. German authorities estimate that at its peak the TrickBot group had over 100 members.
They used an arsenal of malware, including:
- TrickBot
- BazarLoader
- SystemBC
- IcedID
- Ryuk
- Diavol
- Conti ransomware
These tools were deployed in targeted attacks that infected hundreds of thousands of systems worldwide, including hospitals, government agencies, businesses, and private users.
The German BKA stated the group’s operations were project- and profit-driven, resulting in financial damages in the hundreds of millions of euros.
“The group is responsible for the infection of several hundred thousand systems in Germany and worldwide,” the BKA said in its official release.
“Through its illegal activities it has obtained funds in the three-digit million range.”
Legacy of Conti and the Rise of New Ransomware Gangs
After the leaks compromised their anonymity, the Conti gang officially shut down, but many members simply rebranded or joined other ransomware-as-a-service (RaaS) groups. These successor gangs include:
- Royal
- Black Basta
- BlackCat
- AvosLocker
- Karakurt
- LockBit
- Silent Ransom
- DagonLocker
- ZEON
These groups continue to leverage the experience and tactics developed under TrickBot and Conti, posing an ongoing threat to enterprise security globally.
Vitaly Kovalev: Wanted But Still at Large
While German authorities now have formal charges against Kovalev, his current location remains unknown. He is believed to be residing in Russia. German police are asking the public and international partners for any information about his online presence, aliases, or communication channels.
This development marks one of the most direct naming-and-shaming efforts targeting ransomware leadership. It also underscores the growing ability of law enforcement agencies to dismantle and expose complex cybercrime networks that previously operated with impunity.