If Evil Corp is a family firm, the TrickBot and Conti syndicate is a corporation. It had departments, salaried staff, an HR function, performance management, internal training, and a chief executive. Almost everything we know about its inner workings comes from two catastrophic leaks, and that abundance of detail is exactly why this branch is the most de-anonymized in the entire ecosystem, a fact that becomes a weapon in the final part of this series. Confirmed reporting
From Dyre to TrickBot
The syndicate's malware ancestor is Dyre, a banking trojan run by a Moscow crew in 2014 and 2015. After a reported Russian raid disrupted the Dyre crew in late 2015, its operators re-emerged in 2016 with TrickBot. Both OFAC and the US Department of Justice state plainly that TrickBot evolved from Dyre: same crew, new malware, the recurring pattern of this series. The NCA documents Vitaly Kovalev's involvement "in Dyre, Trickbot and Conti," placing the Business Club veteran from Part 1 in this lineage from its banking-trojan beginning. Confirmed reporting
TrickBot became the umbrella organization that CrowdStrike tracks as Wizard Spider. Its first major ransomware arm was Ryuk, which ran from 2018 to 2020, built by the "Old Guard" who had cut their teeth on the banking trojans. Around mid-2020 Ryuk was retired and replaced by Conti, run by the same people. Keep that handoff in mind: when Conti fragmented in 2022, the fault line ran between the Ryuk Old Guard (Team 1) and the affiliate operation (Team 2), and that split is the key to reading the diaspora in Part 5. Confirmed reporting
The org chart
The 2022 Conti Leaks exposed an organizational structure that startled even seasoned researchers with its corporate normalcy. At the top sat Stern, the chief executive: he set strategy, struck affiliate deals, paid salaries, and managed most expenses. Mango (Mikhail Tsarev) was the general manager and Stern's right hand, running HR and payroll. Target (identity disputed) managed the offensive teams and the physical offices. Professor ran the technical infection process. Bentley (Maksim Galochkin) led the testers and crypter teams responsible for evading antivirus. Beneath them: salaried coders, testers, administrators, reverse engineers, OSINT staff, a recruiter pipeline, and an internal training function. Confirmed reporting
The corporate analogy is not a metaphor. Conti paid monthly salaries, ran performance reviews, funded a jailed colleague's legal defense (partly to gain insight into the US investigation), and recycled a rival's job advert to poach staff. The leverage implication runs through everything that follows: an organization this bureaucratic generates internal records, and internal records are what ultimately de-anonymized it. Confirmed reporting
| Moniker | Real name | Role | Confidence |
|---|---|---|---|
| Stern | Vitaly Kovalev | CEO / boss | Confirmed (BKA) |
| Mango | Mikhail Tsarev | General manager, HR, payroll | Confirmed |
| Bentley | Maksim Galochkin | Testers / evasion lead | Confirmed |
| Dif / Defender | Andrey Zhuykov | Senior administrator | Confirmed |
| Target | Unknown | Offensive teams; physical offices | Credible |
| Professor | Unknown (alleged Kvitko) | Technical infection process | Inference |
Stern has a name
Two attribution puzzles around this org chart are now resolved, and both matter for the spine of this series. First: Stern is Vitaly Kovalev. Germany's BKA, as part of Operation Endgame, issued a May 2025 warrant stating that Kovalev "founded the group under the pseudonyms stern and ben and acted as its leader." Because Kovalev is the Business Club veteran of Part 1, this places a colleague of Yakubets and Bogachev directly in the Conti boss's chair, welding the ecosystem's two largest pillars together at the very top. One caveat belongs in any briefing: as of the warrant, neither the US nor the UK had independently confirmed the Stern mapping in their own documents, so the claim rests on a single G7 agency. Strong, but singular. Confirmed reporting
Second: the Bentley collision. The handle appears in both the February and September 2023 OFAC rounds, attached to two different men. The resolution is sequencing, not contradiction. Kovalev used "Bentley" historically, for bank fraud in 2009 and 2010, and UK OFSI explicitly annotated his use as "historical use of the moniker." The Conti-era Bentley was Maksim Galochkin, tied to a Jabber address by Nisos OSINT work and named in three federal indictments as leader of the testers. Two men, one handle, a decade apart. The US Secret Service Most Wanted listing for Kovalev reflects exactly this split: it carries his historical handle and names him a senior TrickBot figure, but stops short of the Stern attribution, which remains the BKA's alone. The collision is itself a lesson in attribution discipline. Confirmed reporting
The own goal
In late February 2022, days after Russia invaded Ukraine, Conti's leadership posted a message pledging full support for the Russian government. A Ukrainian insider with access to the group's infrastructure answered by leaking the gang's internal Jabber and Rocket.Chat archives, tens of thousands of messages, under the banner ContiLeaks. It is the single richest open-source intelligence windfall in ransomware history; nearly everything in the org chart above derives from it. Confirmed reporting
The cause matters as much as the content. Conti's de-anonymization was triggered by its own political alignment with the Russian state. The adjacency that protected the group is the same adjacency that, when it forced a public loyalty declaration, produced the insider revolt that exposed it. File that paradox; Part 7 builds on it. Analyst inference
When the corporation touched the physical world
Two Conti attacks define its real-world impact. In May 2021, Conti crippled Ireland's Health Service Executive, the national health system, forcing hospitals back to paper for weeks and cancelling appointments across the country; the Irish government refused to pay, and recovery costs ran into the hundreds of millions. In April and May 2022, during its own dissolution, Conti launched a sustained assault on the government of Costa Rica, hitting the finance ministry and other institutions so severely that the president declared a national state of emergency, the first time any country had done so in response to a ransomware attack. Confirmed reporting
The Costa Rica campaign is widely read as Conti using a spectacular final operation to project strength even as it shut the brand down: strategic theater, consistent with the rebrand-not-retire pattern that runs through this whole lineage. Credible reporting
Finding: "founded the group under the pseudonyms stern and ben and acted as its leader"
Group: Conti / TrickBot syndicate
Context: Operation Endgame, May 2025; EU Most Wanted listing
Status: at large, Russian Federation
Hit hard, still standing
The syndicate has been targeted more often than any other in this series. In October 2020, a coalition including US Cyber Command and Microsoft attempted to disrupt the TrickBot botnet ahead of the US election; Conti leadership, in messages later leaked, dismissed it as "sabotage" and recovered. The February and September 2023 OFAC and DOJ rounds named the corporate layer, Galochkin, Tsarev, Zhuykov and others, mapping monikers to real people. Operation Endgame, from 2024 onward, dismantled the malware-delivery infrastructure (TrickBot, IcedID, SmokeLoader and others) and produced the EU Most Wanted listings that named Kovalev as Stern. Confirmed reporting
Step back and the pattern mirrors Evil Corp exactly. Infrastructure and identities have been hit hard. The principals remain in Russia. And the decisive blow against Conti was, once again, an insider leak rather than an arrest. The corporation was never out-policed. It was betrayed from inside, by the political loyalty its protection demanded. Analyst inference
Part 5 follows what happened when the corporation dissolved: the diaspora, the cartel that replaced the company, and the man named Nefedov who walked out of custody in Armenia and back into the trade.
Sourcing & confidence
This dispatch is adapted from the project's reference study "People, Lineage, Money, and the State" (v3), and draws on OFAC and DOJ designation and indictment rounds (February and September 2023), the BKA warrant and Europol EU Most Wanted listings issued under Operation Endgame (May 2025), the ContiLeaks corpus, CrowdStrike reporting on Wizard Spider, and contemporaneous reporting on the HSE Ireland and Costa Rica attacks. Confidence labels follow standard analytic practice.
Confirmed · multiple independent sources, including official designation or indictment language.
Credible · single strong source or consistent industry reporting, not yet officially confirmed.
Analyst inference · the project's own assessment, drawn from the evidence above.
- US Treasury (OFAC), United States and United Kingdom sanction members of Russia-based TrickBot gang (Feb 9, 2023).
- The Record, Operation Endgame: ransomware infrastructure dismantled, Stern named (May 2025).
- US Secret Service, Most Wanted: Vitalii Kovalev.
- UK NCA, Evil Corp: Behind the Screens (Oct 1, 2024).