6 hours ago
2
European and North American cybercrime investigators say they have dismantled the heart of a malware operation directed by Russian criminals after a global operation involving British, Canadian, Danish, Dutch, French, German and US police.
International arrest warrants have been issued for 20 suspects, most of them living in Russia, by European investigators while indictments were unsealed in the US against 16 individuals.
Those charged include the alleged leaders of the Qakbot and Danabot malware operations, including Rustam Rafailevich Gallyamov, 48, who lives in Moscow and Aleksandr Stepanov, 39, AKA JimmBee and Artem Aleksandrovich Kalinkin, 34, AKA Onix, both of Novosibirsk, Russia, the US Department of Justice said.
Cyber-attacks aimed at destabilising governments or simple theft and blackmail are becoming increasingly pernicious. The high-street retailer Marks & Spencer is one of the most high-profile and recent victims in the UK this month.
The Europeans led by the German crime agency, Bundeskriminalamt (BKA) released public appeals in its attempts to track down 18 suspects believed to be involved in the Qakbot malware family along with a third malware known as Trickbot.
BKA and its international counterparts said the majority of the suspects were Russian citizens. The Russian national Vitalii Nikolayevich Kovalev, 36, already wanted in the US, is one of BKA’s most wanted.
He is allegedly behind Conti, considered to be the most professional and best-organised ransomware blackmail group in the world with Kovalev described as one of the “most successful blackmailers in the history of cybercrime” by German investigators.
Using the pseudonyms Stern and Ben, BKA allege he is claimed to have attacked hundreds of companies worldwide and extracted large ransom payments from them.
Kovolev, 36, from Volgorod, is believed to be living in Moscow where several firms are registered in his name. He was identified by US investigators in 2023 as having been a member of Trickbot.
Investigators now also believe he was at the helm of Conti and other blackmail groups, such as Royal and Blacksuit (founded in 2022). His own cryptowallet is said to be worth around €1bn.
Bundeskriminalamt said, along with international partners, of the 37 perpetrators they identified they had enough evidence to issue 20 arrest warrants.
The US attorney’s office in California at the same time unsealed the details of charges against 16 defendants who allegedly “developed and deployed the DanaBot malware”.
The criminal infiltrations into victims’ computers was “controlled and deployed” by a Russia-based cybercrime organisation that has infected more than 300,000 computers around the world particularly in the US, Australia, Poland, India and Italy.
It was advertised on Russian language criminal forums and also had an “espionage variant used to target military, diplomatic, government, and non-governmental organisations” the indictment states.
“For this variant, separate servers were established, such that data stolen from these victims was ultimately stored in the Russian federation”, it adds.
Also on the Europe most wanted list as a result of the German operation is a 36 year old Russian-speaking Ukrainian Roman Mikhailovich Prokop, a suspected member of Qakbot, according to BKA .
Operation Endgame was first instigated by the German authorities in 2022. BKA president Holger Münch said that Germany is in the particular focus of cybercriminals.
The BKA in particular is investigating the suspected perpetrators’ involvement in gang-related activities and commercial extortion as well as membership of an overseas-based criminal organisation.
Between 2010 and 2022 the Conti group focused specifically on US hospitals, increasing its attacks during the Covid pandemic.
US authorities had offered reward money of $10m to anyone who would lead them to its figureheads.
Most suspects are operating in Russia, some also in Dubai.
Their extradition to Europe or the US is unlikely, Münch of the BKA admitted, but their identification was significant and damaging to them, he insisted.
“With Operation Endgame 2.0, we have once again demonstrated that our strategies work – even in the supposedly anonymous darknet.”
