EU sanctions Trickbot boss ‘Stern’ over $300M in ransomware payments

- The EU sanctioned Russian national Vitaly Kovalev, known as “Stern.”
- The U.S. and UK joined the action, with OFAC also targeting VPN and cryptocurrency services that support ransomware crews.
- Trickbot and its Conti offshoot hit hospitals, banks, and more than 1,000 organizations, recording an estimated $180 million in 2021 alone.
Vitaly Nikolayevich Kovalev, the Russian national who ran the Trickbot ransomware syndicate under the alias “Stern,” has been sanctioned by the European Union.
The sanction is the result of a coordinated action with the United States and the United Kingdom that targeted a wide network of cybercriminals and the services that keep them online.
Who is Stern?
Vitaly Nikolayevich Kovalev, a 36-year-old Russian national who ran the Trickbot ransomware syndicate, has been sanctioned by the EU. This is the first time any sanctioning body has tied the “Stern” handle to Kovalev by name.
The U.S. Treasury’s Office of Foreign Assets Control and the UK’s Office of Financial Sanctions Implementation first sanctioned Kovalev in February 2023, but the listings connected him to the handles “Ben” and “Bentley.”
Germany’s federal police, the BKA, publicly named him as the man behind Stern in May 2025, and an Interpol red notice was issued after the discovery.
Kovalev occupied the role of a “CEO-like” leader of the Trickbot and Conti groups. According to the more than 300,000 internal messages a member leaked in 2022, he had authority over the group’s budget, hiring, and attack planning.
The group consisted of more than 100 members, had physical offices, and members’ salaries were paid in Bitcoin. They even offered employee-of-the-month bonuses.
His group hit more than 1,000 organizations worldwide, including Ireland’s Health Service Executive during the COVID-19 pandemic in May 2021, the jeweler Graff, and numerous other hospitals and banks across the U.S. and Europe. An estimated $180 million was acquired in 2021 alone.
Kovalev also moved funds connected to multiple ransomware strains, including Ryuk, Conti, Diavol, Karakurt, Royal, Quantum, and Bitpaymer. His wallets have taken in more than $300 million as his personal cut of ransom payments.
Thanks to the sanctions, Kovalev’s on-chain wallet addresses have been published, making it harder for him to move funds through cryptocurrency exchanges and financial services. He is believed to be in Russia, which unfortunately does not extradite its nationals to face foreign charges.
What other services did the sanction target?
OFAC also sanctioned First VPN Service (1VPNS) and its administrator, Dmytro Rashevskyi. The service reportedly allowed criminals to hide their internet traffic and true location. It had been operating since 2014 and advertised its services on cybercriminal forums, promising it did not keep logs and would not cooperate with law enforcement.
Investigators were able to connect wallet addresses to both the platform and its administrator across eight blockchains, including Bitcoin, Zcash, Dogecoin, Ethereum, Litecoin, Dash, TRON, and Solana. European authorities took down the 1VPNS website in May 2026 with help from the FBI’s Boston Field Office.
The EU also sanctioned the developers behind the LummaC2 infostealer, Maksim Voronin and Maksim Gordienko, whose platform was highly ranked among the most-used infostealers globally in 2024 and 2025 before a takedown led by the U.S. Department of Justice, Europol, and Japan’s Cybercrime Control Center that started in May 2025.
Other names that landed on the sanction list are cryptor provider, Yevgeniy Silayev, Media Land LLC, the Russian GRU’s Unit 29155, and pro-Russia hacktivist groups CARR and Z-Pentest.
If you're reading this, you’re already ahead. Stay there with our newsletter.
FAQs
Who is "Stern" and what is his real name?
"Stern" is the online alias of Vitaly Nikolayevich Kovalev, a Russian national and the administrator of the Trickbot ransomware syndicate, whom Germany's BKA publicly identified in May 2025 as the group's founder and ringleader.
How much money is linked to Stern's ransomware operation?
Wallets associated with Stern have received more than $300 million in ransom payments, though Chainalysis notes that figure represents only his personal cut and that Trickbot's total haul is substantially larger.
Who else was sanctioned alongside Kovalev?
OFAC designated First VPN Service (1VPNS), its administrator Dmytro Rashevskyi, and cryptor provider Yevgeniy Silayev, while the EU also listed the LummaC2 infostealer developers, bulletproof host Media Land LLC, Russia's GRU Unit 29155, and the hacktivist groups CARR and Z-Pentest.
Disclaimer. The information provided is not trading advice. Cryptopolitan.com holds no liability for any investments made based on the information provided on this page. We strongly recommend independent research and/or consultation with a qualified professional before making any investment decisions.

Hannah Collymore
Hannah is a writer and editor with nearly a decade of blog writing and event reporting experience in the crypto space. At Cryptopolitan, Hannah contributes to the news page, reporting and analyzing the latest developments in DeFi, RWA, crypto regulation, AI and frontier tech industries. She graduated from Arcadia university with a degree in Business Administration.
















