
Cops in Germany Claim They've ID'd the Mysterious Trickbot Ransomware Kingpin
By Matt Burgess and Lily Hay Newman | May 30, 2025 9:22 AM
The elusive boss of the Trickbot and Conti cybercriminal groups has been known only as 'Stern.' Now, German law enforcement has published his alleged identity—and it's a familiar face.
For years, members of the Russian cybercrime cartel Trickbot unleashed a relentless hacking spree on the world. The group attacked thousands of victims, including businesses, schools, and hospitals. 'Fuck clinics in the usa this week,' one member wrote in internal Trickbot messages in 2020 about a list of 428 hospitals to target. Orchestrated by an enigmatic leader using the online moniker 'Stern,' the group of around 100 cybercriminals stole hundreds of millions of dollars over the course of roughly six years.
Despite a wave of law enforcement disruptions and a damaging leak of more than 60,000 internal chat messages from Trickbot and the closely associated counterpart group Conti, the identity of Stern has remained a mystery. Last week, though, Germany's federal police agency, the Bundeskriminalamt or BKA, and local prosecutors alleged that Stern's real-world name is Vitaly Nikolaevich Kovalev, a 36-year-old, 5'11" Russian man who cops believe is in his home country and thus shielded from potential extradition.
A recently issued Interpol red notice says that Kovalev is wanted by Germany for allegedly being the 'ringleader' of a 'criminal organisation.'
'Stern's naming is a significant event that bridges gaps in our understanding of Trickbot—one of the most notorious transnational cybercriminal groups to ever exist,' says Alexander Leslie, a threat intelligence analyst at the security firm Recorded Future. 'As Trickbot's 'big boss' and one of the most noteworthy figures in the Russian cybercriminal underground, Stern remained an elusive character, and his real name was taboo for years.'
Stern has notably seemed to be absent from multiple rounds of Western sanctions and indictments in recent years calling out alleged Trickbot and Conti members. Leslie and other researchers have long speculated to WIRED that global law enforcement may have strategically withheld Stern's alleged identity as part of ongoing investigations. Kovalev is suspected of being the 'founder' of Trickbot and allegedly used the Stern moniker, the BKA said in an online announcement.
'It has long been assumed, based on numerous indications, that 'stern' is in fact 'Kovalev',' a BKA spokesperson says in written responses to questions from WIRED. They add that, 'The investigating authorities involved in Operation Endgame were only able to identify the actor stern as 'Kovalev' during their investigation this year,' referring to a multi-year international effort to identify and disrupt cybercriminal infrastructure, known as Operation Endgame.
The BKA spokesperson also notes in written statements to WIRED that information obtained through a 2023 investigation into the Qakbot malware as well as analysis of the leaked Trickbot and Conti chats from 2022 were 'helpful' in making the attribution. They added, too, that the 'assessment is also shared by international partners.'
The German announcement is the first time that officials from any government have publicly alleged an identity for a suspect behind the Stern moniker. As part of Operation Endgame, BKA's Stern attribution inherently comes in the context of a multinational law enforcement collaboration. But unlike in other Trickbot and Conti-related attributions, other countries have not publicly concurred with BKA's Stern identification thus far. Europol, the US Department of Justice, the US Treasury, and the UK's Foreign, Commonwealth & Development Office did not immediately respond to WIRED's requests for comment.
Several cybersecurity researchers who have tracked Trickbot extensively tell WIRED they were unaware of the announcement. An anonymous account on the social media platform X recently claimed that Kovalev used the Stern handle and published alleged details about him. WIRED messaged multiple accounts that supposedly belong to Kovalev, according to the X account and a database of hacked and leaked records compiled by District 4 Labs, but received no response.
Meanwhile, Kovalev's name and face may already be surprisingly familiar to those who have been following recent Trickbot revelations. This is because Kovalev was jointly sanctioned by the United States and United Kingdom in early 2023 for his alleged involvement as a senior member in Trickbot. He was also charged in the US at the time with hacking linked to bank fraud allegedly committed in 2010. The US added him to its most wanted list. In all of this activity, though, the US and UK linked Kovalev to the online handles 'ben' and 'Bentley.' The 2023 sanctions did not mention a connection to the Stern handle. And, in fact, Kovalev's 2023 indictment was mainly noteworthy because his use of 'Bentley' as a handle was determined to be 'historic' and distinct from that of another key Trickbot member who also went by 'Bentley.'
The Trickbot ransomware group first emerged around 2016, after its members moved from the Dyre malware that was disrupted by Russian authorities. Over the course of its lifespan, the Trickbot group—which used its namesake malware, alongside other ransomware variants such as Ryuk, IcedID, and Diavol—increasingly overlapped in operations and personnel with the Conti gang. In early 2022, Conti published a statement backing Russia's full-scale invasion of Ukraine, and a cybersecurity researcher who had infiltrated the groups leaked more than 60,000 messages from Trickbot and Conti members, revealing a huge trove of information about their day-to-day operations and structure.
Stern acted like a 'CEO' of the Trickbot and Conti groups and ran them like a legitimate company, leaked chat messages analyzed by WIRED and security researchers show.
'Trickbot set the mold for the modern 'as-a-service' cybercriminal business model that was adopted by countless groups that followed,' Recorded Future's Leslie says. 'While there were certainly organized groups that preceded Trickbot, Stern oversaw a period of Russian cybercrime that was characterized by a high level of professionalization. This trend continues today, is reproduced worldwide, and is visible in most active groups on the dark web.'
Stern's eminence within Russian cybercrime has been widely documented. The cryptocurrency tracing firm Chainalysis does not publicly name cybercriminal actors and declined to comment on BKA's identification, but the company emphasized that the Stern persona alone is one of the all-time most profitable ransomware actors it tracks.
'The investigation revealed that stern generated significant revenues from illegal activities, in particular in connection with ransomware,' the BKA spokesperson tells WIRED.
Stern 'surrounds himself with very technical people, many of which he claims to have sometimes decades of experience, and he's willing to delegate substantial tasks to these experienced people whom he trusts,' says Keith Jarvis, a senior security researcher at cybersecurity firm Sophos' Counter Threat Unit. 'I think he's always probably lived in that organizational role.'
Increasing evidence in recent years has indicated that Stern has at least some loose connections to Russia's intelligence apparatus, including its main security agency, the Federal Security Service (FSB). The Stern handle mentioned setting up an office for 'government topics' in July 2020, while researchers have seen other members of the Trickbot group say that Stern is likely 'the link between us and the ranks/head of department type at FSB.'
Stern's consistent presence was a significant contributor to Trickbot and Conti's effectiveness—as was the entity's ability to maintain strong operational security and remain hidden.
As Sophos' Jarvis put it, 'I have no thoughts on the attribution as I've never heard a compelling story about Stern's identity from anyone prior to this announcement.'
