European and North American cybercrime investigators said they had dismantled the core of a malware operation run by Russian criminals, following a global operation involving British, Canadian, Danish, Dutch, French, German and American police.
European investigators have issued international arrest warrants for 20 suspects, mostly from Russia, while an indictment against 16 individuals has been unsealed in the US, writes The Guardian.
The defendants include alleged leaders of the "Qakbot" and "Danabot" malware operations: Rustam Rafaylevich Galyamov, 48, of Moscow, together with Alexander Stepanov, 39, known as JimmBee, and Artem Aleksandrovich Kalinkin, 34, known as Onix, both of Novosibirsk, Russia, the U.S. Department of Justice said.
Cyberattacks aimed at destabilizing governments, or at theft and extortion, are becoming increasingly damaging. The British department store chain Marks & Spencer is among the most striking recent victims in the United Kingdom this month.
European investigators, led by the German federal criminal police, the Bundeskriminalamt (BKA), have issued public appeals in an attempt to find 18 suspects linked to the Qakbot malware family and to a third group, known as Trickbot.
The BKA and its international partners have said that most of the suspects are Russian nationals. Among the BKA's most wanted is Russian citizen Vitaly Nikolayevich Kovalev (36), who is already on the US wanted list, according to the Guardian.
He is alleged to lead the "Conti" group, which is regarded as one of the most professional and well-organized cyber-extortion groups in the world. German investigators have described him as one of the "most successful blackmailers in the history of cybercrime."
According to the BKA, under the pseudonyms Stern and Ben he attacked hundreds of companies around the world and extorted large sums of money.
Kovalev (36), from Volgograd, who is believed to be living in Moscow, allegedly has several companies registered in his name. US investigators identified him in 2023 as a member of the "Trickbot" group.
He is now believed to have headed the "Conti" group, as well as other extortion groups such as "Royal" and "Blacksuit" (founded in 2022). His crypto wallet is said to be worth around €XNUMX billion.
The BKA announced that, together with its international partners, it has gathered enough evidence to issue arrest warrants for 20 of the 37 identified perpetrators.
The U.S. Attorney's Office in California simultaneously unsealed details of indictments against 16 defendants for the development and use of the Danabot malware.
The criminal intrusions into the victims' computers were "controlled and carried out" by a cybercriminal organization based in Russia, which infected more than 300,000 computers worldwide, particularly in the US, Australia, Poland, India and Italy.
The software was advertised on Russian-language criminal forums, and also had a spyware version targeting military, diplomatic, government and non-governmental organizations, the indictment states.
"For this version, separate servers were set up, so the stolen data was stored on the territory of the Russian Federation."
Also on the European most wanted list, as a result of the German operation, is a 36-year-old Russian-speaking Ukrainian, Roman Mikhailovich Prokop, suspected of membership in the Qakbot group, according to the BKA.
Operation "Endgame" was launched by German authorities in 2022. BKA President Holger Münch said that Germany is a particular target of cybercriminals.
The BKA is investigating the suspects' alleged involvement in criminal gang activities and commercial blackmail, as well as membership in a criminal organization based abroad.
Between 2020 and 2022, the Conti group specifically targeted American hospitals, stepping up its attacks during the COVID pandemic. US authorities offered a $10 million reward for information leading to the group's leaders.
Most of the suspects operate from Russia, some from Dubai. Their extradition to Europe or the US is unlikely, Münch said, but identifying them publicly is significant and damaging to them.
"With Operation Endgame 2.0, we have once again shown that our strategies work – even in the supposedly anonymous darknet."