Threat Actors · The Bloodline · Part 4 of 7

The Corporation

Evil Corp was a family firm. The TrickBot and Conti syndicate was something else: departments, salaries, HR, performance reviews, and a chief executive. And at the top of the org chart sat a man who had shared a room with Yakubets and Bogachev a decade earlier.

By Reno · July 3, 2026 · 12 min read · Open Research

[Illustration: The Conti org chart, per the 2022 leaks. Stern, Mango, Target, Bentley; coders, testers, admins, reversers, OSINT, HR.]

If Evil Corp is a family firm, the TrickBot and Conti syndicate is a corporation. It had departments, salaried staff, an HR function, performance management, internal training, and a chief executive. Almost everything we know about its inner workings comes from two catastrophic leaks, and that abundance of detail is exactly why this branch is the most de-anonymized in the entire ecosystem, a fact that becomes a weapon in the final part of this series. Confirmed reporting

From Dyre to TrickBot

The syndicate's malware ancestor is Dyre, a banking trojan run by a Moscow crew in 2014 and 2015. After a reported Russian raid disrupted the Dyre crew in late 2015, its operators re-emerged in 2016 with TrickBot. Both OFAC and the US Department of Justice state plainly that TrickBot evolved from Dyre: same crew, new malware, the recurring pattern of this series. The NCA documents Vitaly Kovalev's involvement "in Dyre, Trickbot and Conti," placing the Business Club veteran from Part 1 in this lineage from its banking-trojan beginning. Confirmed reporting

TrickBot became the umbrella organization that CrowdStrike tracks as Wizard Spider. Its first major ransomware arm was Ryuk, which ran from 2018 to 2020, built by the "Old Guard" who had cut their teeth on the banking trojans. Around mid-2020 Ryuk was retired and replaced by Conti, run by the same people. Keep that handoff in mind: when Conti fragmented in 2022, the fault line ran between the Ryuk Old Guard (Team 1) and the affiliate operation (Team 2), and that split is the key to reading the diaspora in Part 5. Confirmed reporting

The org chart

The 2022 Conti Leaks exposed an organizational structure that startled even seasoned researchers with its corporate normalcy. At the top sat Stern, the chief executive: he set strategy, struck affiliate deals, paid salaries, and managed most expenses. Mango (Mikhail Tsarev) was the general manager and Stern's right hand, running HR and payroll. Target (identity disputed) managed the offensive teams and the physical offices. Professor ran the technical infection process. Bentley (Maksim Galochkin) led the testers and crypter teams responsible for evading antivirus. Beneath them: salaried coders, testers, administrators, reverse engineers, OSINT staff, a recruiter pipeline, and an internal training function. Confirmed reporting

The corporate analogy is not a metaphor. Conti paid monthly salaries, ran performance reviews, funded a jailed colleague's legal defense (partly to gain insight into the US investigation), and recycled a rival's job advert to poach staff. The leverage implication runs through everything that follows: an organization this bureaucratic generates internal records, and internal records are what ultimately de-anonymized it. Confirmed reporting

Fig. 1 · The Conti corporate layer, moniker to man (per cited sources)
| Moniker | Real name | Role | Confidence |
|---|---|---|---|
| Stern | Vitaly Kovalev | CEO / boss | Confirmed (BKA) |
| Mango | Mikhail Tsarev | General manager, HR, payroll | Confirmed |
| Bentley | Maksim Galochkin | Testers / evasion lead | Confirmed |
| Dif / Defender | Andrey Zhuykov | Senior administrator | Confirmed |
| Target | Unknown | Offensive teams; physical offices | Credible |
| Professor | Unknown (alleged Kvitko) | Technical infection process | Inference |
Attributions per OFAC/DOJ designations (Feb and Sep 2023), BKA warrant (May 2025), and the Conti Leaks corpus. Target and Professor remain unresolved.

Stern has a name

Two attribution puzzles around this org chart are now resolved, and both matter for the spine of this series. First: Stern is Vitaly Kovalev. Germany's BKA, as part of Operation Endgame, issued a May 2025 warrant stating that Kovalev "founded the group under the pseudonyms stern and ben and acted as its leader." Because Kovalev is the Business Club veteran of Part 1, this places a colleague of Yakubets and Bogachev directly in the Conti boss's chair, welding the ecosystem's two largest pillars together at the very top. One caveat belongs in any briefing: as of the warrant, neither the US nor the UK had independently confirmed the Stern mapping in their own documents, so the claim rests on a single G7 agency. Strong, but singular. Confirmed reporting

The two pillars of modern ransomware were never rivals. They were classmates.

Second: the Bentley collision. The handle appears in both the February and September 2023 OFAC rounds, attached to two different men. The resolution is sequencing, not contradiction. Kovalev used "Bentley" historically, for bank fraud in 2009 and 2010, and UK OFSI explicitly annotated his use as "historical use of the moniker." The Conti-era Bentley was Maksim Galochkin, tied to a jabber address by Nisos OSINT work and named in three federal indictments as leader of the testers. Two men, one handle, a decade apart. The US Secret Service Most Wanted listing for Kovalev reflects exactly this split: it carries his historical handle and names him a senior TrickBot figure, but stops short of the Stern attribution, which remains the BKA's alone. The collision is itself a lesson in attribution discipline. Confirmed reporting

The own goal

In late February 2022, days after Russia invaded Ukraine, Conti's leadership posted a message pledging full support for the Russian government. A Ukrainian insider with access to the group's infrastructure answered by leaking the gang's internal Jabber and Rocket.Chat archives, tens of thousands of messages, under the banner ContiLeaks. It is the single richest open-source intelligence windfall in ransomware history; nearly everything in the org chart above derives from it. Confirmed reporting

The cause matters as much as the content. Conti's de-anonymization was triggered by its own political alignment with the Russian state. The adjacency that protected the group is the same adjacency that, when it forced a public loyalty declaration, produced the insider revolt that exposed it. File that paradox; Part 7 builds on it. Analyst inference

When the corporation touched the physical world

Two Conti attacks define its real-world impact. In May 2021, Conti crippled Ireland's Health Service Executive, the national health system, forcing hospitals back to paper for weeks and cancelling appointments across the country; the Irish government refused to pay, and recovery costs ran into the hundreds of millions. In April and May 2022, during its own dissolution, Conti launched a sustained assault on the government of Costa Rica, hitting the finance ministry and other institutions so severely that the president declared a national state of emergency, the first time any country had done so in response to a ransomware attack. Confirmed reporting

The Costa Rica campaign is widely read as Conti using a spectacular final operation to project strength even as it shut the brand down: strategic theater, consistent with the rebrand-not-retire pattern that runs through this whole lineage. Credible reporting

Bundeskriminalamt / Operation Endgame · arrest warrant disclosure (excerpt)
Subject: Vitaly Nikolaevich KOVALEV
Finding: "founded the group under the pseudonyms stern and ben and acted as its leader"
Group: Conti / TrickBot syndicate
Context: Operation Endgame, May 2025; EU Most Wanted listing
Status: at large, Russian Federation
Source: BKA public warrant disclosure and Europol EU Most Wanted, May 2025. Public record, reproduced for analysis.

Hit hard, still standing

The syndicate has been targeted more often than any other in this series. In October 2020, a coalition including US Cyber Command and Microsoft attempted to disrupt the TrickBot botnet ahead of the US election; Conti leadership, in messages later leaked, dismissed it as "sabotage" and recovered. The February and September 2023 OFAC and DOJ rounds named the corporate layer, Galochkin, Tsarev, Zhuykov and others, mapping monikers to real people. Operation Endgame, from 2024 onward, dismantled the malware-delivery infrastructure (TrickBot, IcedID, SmokeLoader and others) and produced the EU Most Wanted listings that named Kovalev as Stern. Confirmed reporting

Step back and the pattern mirrors Evil Corp exactly. Infrastructure and identities have been hit hard. The principals remain in Russia. And the decisive blow against Conti was, once again, an insider leak rather than an arrest. The corporation was never out-policed. It was betrayed from inside, by the political loyalty its protection demanded. Analyst inference

Part 5 follows what happened when the corporation dissolved: the diaspora, the cartel that replaced the company, and the man named Nefedov who walked out of custody in Armenia and back into the trade.

Sourcing & confidence

This dispatch is adapted from the project's reference study "People, Lineage, Money, and the State" (v3), and draws on OFAC and DOJ designation and indictment rounds (February and September 2023), the BKA warrant and Europol EU Most Wanted listings issued under Operation Endgame (May 2025), the ContiLeaks corpus, CrowdStrike reporting on Wizard Spider, and contemporaneous reporting on the HSE Ireland and Costa Rica attacks. Confidence labels follow standard analytic practice.

Confirmed · multiple independent sources, including official designation or indictment language.
Credible · single strong source or consistent industry reporting, not yet officially confirmed.
Analyst inference · the project's own assessment, drawn from the evidence above.
