Vitaly Kovalev, the Russian hacker who has offices and gives bonuses to his employees


Very few people could identify him. They didn’t even know his name, beyond the pseudonyms “Stern” and “Ben.” A recent international police operation has uncovered 36-year-old Vitaly Nikolayevich Kovalev, the leader of Conti, one of the largest cybercriminal networks in the world. He specializes in ransomware, a type of computer program that hijacks computers and demands payment to restore access. From Kovalev’s computers came Trickbot, a ransomware program that is suspected to have affected up to 4% of all companies worldwide.

According to the German Federal Criminal Police Office (BKA), Conti “consisted of more than 100 members. It works in an organized and hierarchically structured manner and is project and profit oriented. The group is responsible for the infection of several hundred thousand systems in Germany and worldwide; through its illegal activities it has obtained funds in the three-digit million range.” Their victims include public agencies, companies, and individuals. In 2020, at the height of the pandemic, they attacked several U.S. hospitals and demanded ransoms of $10 million.

Thanks to an investigation by the cybersecurity analysis firm Check Point Research, which had access to internal documents provided by an alleged insider, many details about Conti have come to light. It could be said that Conti is organized like a technology company. It has a well-defined, hierarchical structure, with Kovalev at the top. Team leaders report to department heads, and there is even a human resources department responsible for hiring, paying salaries (in bitcoin), and awarding employee-of-the-month bonuses. The organization even has several physical offices.

Conti recruited personnel not only through ads on the dark web, but also by targeting candidates identified after analyzing large numbers of stolen résumés. On their payroll were programmers, IT engineers, cryptographers, system administrators, intelligence specialists, and negotiators. “Some employees don’t even realize they’re working for a cybercriminal organization,” Check Point notes.

“Not all Conti employees know that they are part of criminal activity,” Check Point notes. In an online job interview obtained by the cybersecurity group’s lab, the manager told the applicant that “everything is anonymous here, the main direction of the company is software for pentesters,” that is, testing system security with controlled attacks.

Kovalev and the other 35 alleged criminals identified in the police operation, dubbed Operation Endgame, are accused of developing Qakbot and Danabot, two of the most well-known and analyzed threats in the global cybercrime landscape. After years of investigation, agents from the U.S., the U.K., Canada, Denmark, the Netherlands, Germany, and France have identified the key figures behind these tools.

A game changer in ransomware

“Qakbot, in particular, is one of the oldest and most sophisticated banking Trojans, active since 2007, and has expanded its capabilities over time to include functions such as credential theft, email exfiltration, and ransomware distribution,” explains Mar Rivero, head of security research at Kaspersky.

Hackers from criminal groups have used Qakbot as a way to introduce highly destructive ransomware, such as Conti or REvil. “One of its biggest milestones was its participation in infection chains that affected government agencies and financial institutions in the U.S. and Europe, causing millions in losses and the paralysis of critical operations,” adds Rivero.

Qakbot was believed to have been dismantled in 2023, following another U.S.-led international law enforcement operation. But at the end of that same year, a new version of this Trojan emerged. This type of computer virus masquerades as legitimate software to gain access to target systems. The victim receives an email purportedly from their bank with a download link. Once the software is installed, it begins executing operations without the user’s knowledge. It doesn’t take long for attackers to gain access to the bank or even control the device itself. Despite ongoing law enforcement efforts, Qakbot has been evolving for 15 years.

Danabot, on the other hand, is much more recent. Active since 2018, it is promoted as Malware as a Service (MaaS), which “allows many criminals, even those without advanced knowledge, to enter the world of cybercrime, as it provides them with everything they need in exchange for very reasonable amounts of money,” explains Josep Albors, research director at ESET Spain.

Danabot is known to have been used in a successful Distributed Denial of Service (DDoS) attack against the Ukrainian Ministry of Defense shortly after the Russian invasion. “It has been used both for financial fraud and to launch attacks in support of Russian state interests. It’s a good example of how criminal infrastructure can be used for both economic gain and geopolitical objectives,” says Adam Meyers, director of threat operations at CrowdStrike.

Given their impact and ease of use, “it’s safe to say that Qakbot and Danabot have significantly transformed the cyberthreat landscape,” says Jaimie Williams, principal threat intelligence researcher at Palo Alto Networks. “They’ve enabled malicious activity to scale to levels previously unattainable by individual actors.”

A many-headed snake

The spokespersons for Operation Endgame claim to have dismantled the hacker network behind these sophisticated ransomware attacks, which included taking down 300 servers (the computers that provide services to others — the hardware that runs websites), 650 domains (unique web addresses), and seizing over €3 million ($3.5 million) in cryptocurrency.

“Both Danabot and Qakbot were Malware as a Service, meaning that taking down their infrastructure affects not only their own criminal activities, but also everyone who used these tools. They’ve now lost access to the computers they had already compromised and were controlling with these programs,” explains Geri Revay, lead security researcher at FortiGuard Labs.

But identifying those responsible is not the same as dismantling the entire operation. The world of cybercrime is especially elusive — particularly when it has state backing. Of the 36 individuals identified through Operation Endgame, 20 are subject to international arrest warrants, while the remaining 16 have been formally charged by the U.S. Department of Justice. But since the vast majority reside in Russia, there’s little chance they’ll be arrested.

“These gangs tend to operate in countries that don’t have extradition agreements and don’t cooperate with Europol, Interpol, or the FBI. Until they make a mistake, it’s very difficult to catch them,” explains Rafael López, a security engineer at Check Point Software. But such mistakes do happen. Last year, one of the ringleaders of Lockbit, another ransomware group, was arrested by the Spanish Civil Guard at the airport while traveling to Spain for a vacation.

Moscow also protects these alleged criminals because they often carry out cyber operations in defense of Russian interests, as seen with the war in Ukraine. But even if arrests are made, it’s difficult to shut down one of these groups. “Many ransomware gangs tend to re-emerge after a while. They often change names to continue operating,” notes Javier Vicente, a threat researcher at Zscaler.

Nevertheless, the leaders of the international operation that exposed the creators of Qakbot and Danabot believe that simply naming the top figures behind these groups makes their work more difficult and prevents them from freely entering and leaving Russia. “Today’s announcement of the Justice Department’s latest actions to counter the Qakbot malware scheme sends a clear message to the cybercrime community,” said Matthew R. Galeotti, head of the Justice Department’s Criminal Division, on May 22, when the operation was revealed. “We will not stop holding cybercriminals accountable, even over a course of years, and we will use every legal tool at our disposal to identify you, charge you, forfeit your ill-gotten gains, and disrupt your criminal activity.”

While the U.S. and other countries spend years tracking him and his associates, Kovalev remains an anonymous millionaire in Moscow, who runs a cybercrime empire.
