- The EU, U.S., and UK jointly sanctioned crypto wallets linked to the Trickbot ransomware network.
- Alleged Trickbot leader Vitaly “Stern” Kovalev is tied to more than $300 million in ransomware payments.
- Authorities also sanctioned VPN, hosting, and malware providers accused of supporting ransomware operations.
The United States, European Union, and United Kingdom announced coordinated sanctions against a network of alleged hackers, cybercriminals, and their enablers on Monday.
According to a Chainalysis report, the EU designated Vitaly Nikolayevich Kovalev, a Russian national better known by the alias “Stern,” who authorities identify as the alleged administrator of the TrickBot cybercrime syndicate.
Authorities said wallets linked to Stern received more than $300 million in ransomware payments, making him one of the most significant ransomware operators publicly identified by law enforcement.
Stern named as the alleged mastermind
Kovalev, first sanctioned by the U.S. Treasury’s Office of Foreign Assets Control (OFAC) and the U.K.’s Office of Financial Sanctions Implementation (OFSI) in February 2023, now faces additional EU measures. The EU designation explicitly references his moniker “Stern,” marking the first time this identifier has been used by European authorities.
According to the EU, Stern is a senior leader within the TrickBot Group, which authorities say has operated ransomware strains including Conti, Ryuk, and several related variants.
The group has targeted sectors including healthcare, banking, and other critical services. Authorities said the $300 million figure represents only the funds linked to Stern’s wallets rather than the syndicate’s total proceeds.
Blockchain analysis links Stern to multiple ransomware families, including Ryuk, Conti, Diavol, Karakurt, Royal, 3am, Quantum, and Bitpaymer. Cryptocurrency transaction patterns mirror the group’s internal hierarchy, with Stern acting in a “CEO-like” capacity, managing budgets, procurement, hiring, and even attack planning, as evidenced by the Conti Leaks.
Sanctions widen beyond one individual
Beyond Stern, the sanctions hit key infrastructure providers that enable ransomware operations. The U.S. Treasury’s OFAC designated First VPN Service (1VPNS), a virtual private network provider whose customers allegedly included ransomware groups. Authorities also sanctioned 1VPNS administrator Dmytro Rashevskyi and cryptor service provider Yevgeniy Vladimirovich Silayev.
OFAC also identified cryptocurrency wallet addresses associated with the sanctioned entities across Bitcoin, Ethereum, Litecoin, Zcash, Dash, TRON, Dogecoin, and Solana.
The 1VPNS designation follows a May 2026 takedown of its infrastructure by European law enforcement, supported by the FBI’s Boston Field Office.
The EU expanded the net further, designating:
- LummaC2 infostealer developers Maksim Evgenevich Voronin and Maksim Aleksandrovich Gordienko. Their Malware-as-a-Service platform was widely used in 2024 and 2025 before a coordinated international takedown in May 2025.
- Media Land LLC, a bullet-proof hosting provider linked to groups such as LockBit, EvilCorp, and BlackBasta, along with its owner Alexander Alexandrovich Volosovik.
- Russian state-linked actors, including members of GRU Unit 29155 and the Cyber Army of Russia Reborn (CARR). The EU also targeted Z-Pentest, a pro-Russia hacktivist collective tied to CARR that has attacked energy and water infrastructure.
- Evgeniy Viktorovich Bashev of GRU Unit 29155, who facilitated infrastructure, payments, and collaboration with external hacker networks, including in the WhisperGate malware campaign against Ukraine.
According to Chainalysis, the sanctioned wallet addresses have been labeled across its compliance platforms, allowing organizations to identify potential exposure and screen transactions involving sanctioned entities.
The coordinated sanctions reflect continued efforts by Western authorities to disrupt ransomware financing and increase oversight of cryptocurrency transactions linked to cybercrime.
Part of a broader crackdown
The action comes just weeks after the U.S. Department of the Treasury announced sanctions against the Prince Group Transnational Criminal Organization, targeting a network of online scams, money laundering, and illegal finance operating across Southeast Asia. The OFAC sanctioned nine individuals and 26 entities, including leaders, investors, and front companies facilitating illicit fund movement.
In a separate global effort, INTERPOL’s Operation First Light 2026, conducted on July 9, involved law enforcement from 97 countries. The operation resulted in 5,811 arrests and the seizure of nearly $293 million in illicit fiat and digital assets, marking the largest coordinated action against borderless cyber fraud networks.
Also Read: CleanSpark Stock (CLSK) Jumps 9% After $6.6B AI Data Center Deal
