A Russian national was charged in an indictment unsealed today in connection with a series of computer system intrusions that occurred in 2009 and 2010.
Vitaly Kovalev, aka “Bentley,” “Bergen,” and “Alex Konor,” is charged with conspiracy to commit bank fraud and eight counts of bank fraud. He was also identified as a senior figure within the Trickbot Group, a Russia-based cybercrime gang.
According to U.S. Attorney Philip R. Sellinger and the indictment, Kovalev participated in a conspiracy to obtain unauthorized access to bank accounts held at United States-based financial institutions and transfer funds from those accounts to accounts controlled by Kovalev and his conspirators from as early as September 2010.
Kovalev and his conspirators gained unauthorized access to accounts and made unauthorized transfers of funds into other bank accounts established by, and at the direction of, Kovalev, solely for the purpose of receiving the stolen funds.
At the direction of Kovalev, the funds would then be withdrawn or transferred out of these accounts.
Kovalev and his conspirators were able to transfer without authorization nearly $1 million from the victim’s bank accounts, at least $720,000 of which was transferred overseas.
The substantive and conspiracy charges of bank fraud are punishable by a maximum sentence of 30 years in prison and a maximum fine of $1 million.
Kovalev’s bank intrusions into victim bank accounts held at various U.S.-based financial institutions occurred in 2009 and 2010, prior to his involvement in Dyre or the Trickbot Group.
Trickbot’s malicious software was at one point counted among the internet’s most pernicious security threats, capable of stealing financial data, spreading across networks, and dropping ransomware.
Today, the United States, in coordination with the United Kingdom, is designating seven individuals who are part of the Russia-based cybercrime gang Trickbot.
This action represents the very first sanctions of their kind for the U.K., and results from a collaborative partnership between the U.S. Department of the Treasury’s Office of Foreign Assets Control and the U.K.’s Foreign, Commonwealth, and Development Office; National Crime Agency; and His Majesty’s Treasury to disrupt Russian cybercrime and ransomware.
“Cyber criminals, particularly those based in Russia, seek to attack critical infrastructure, target U.S. businesses, and exploit the international financial system,” said Under Secretary Brian E. Nelson. “The United States is taking action today in partnership with the United Kingdom because international cooperation is key to addressing Russian cybercrime.”
Russia is a haven for cybercriminals, where groups such as Trickbot freely perpetrate malicious cyber activities against the U.S., the U.K., and allies and partners. These malicious cyber activities have targeted critical infrastructure, including hospitals and medical facilities during a global pandemic, in both the U.S. and the U.K.
Last month, Treasury’s Financial Crimes Enforcement Network (FinCEN) identified a Russia-based virtual currency exchange, Bitzlato Limited, as a “primary money laundering concern” in connection with Russian illicit finance. The United States and the United Kingdom are leaders in the global fight against cybercrime and are committed to using all available authorities and tools to defend against cyber threats.
This action follows other recent sanctions actions taken jointly by the U.S. and the U.K. including in the Russia and Burma programs, as well as last year’s multilateral action against the Kinahan Crime Group.
It also reflects the finding from the 2021 Sanctions Review that sanctions are most effective when coordinated with international partners and highlights the deepened partnership between OFAC and the U.K.’s Office of Financial Sanctions Implementation.
Trickbot, first identified in 2016 by security researchers, was a trojan virus that evolved from the Dyre trojan.
Dyre was an online banking trojan operated by individuals based in Moscow, Russia, that began targeting non-Russian businesses and entities in mid-2014. Dyre and Trickbot were developed and operated by a group of cybercriminals to steal financial data.
The Trickbot trojan virus infected millions of victim computers worldwide, including those of U.S. businesses and individual victims. It has since evolved into a highly modular malware suite that provides the Trickbot Group with the ability to conduct a variety of illegal cyber activities, including ransomware attacks.
During the height of the COVID-19 pandemic in 2020, Trickbot targeted hospitals and healthcare centers, launching a wave of ransomware attacks against hospitals across the United States.
In one of these attacks, the Trickbot Group deployed ransomware against three Minnesota medical facilities, disrupting their computer networks and telephones, and causing a diversion of ambulances.
Members of the Trickbot Group publicly gloated over the ease of targeting the medical facilities and the speed with which the ransoms were paid to the group.
Current members of the Trickbot Group are associated with Russian Intelligence Services. The Trickbot Group’s preparations in 2020 aligned them to Russian state objectives and targeting previously conducted by Russian Intelligence Services. This included targeting the U.S. government and U.S. companies.