Every brand named in this series is dead or renamed: Zeus, Dridex, Ryuk, Conti, Black Basta, Royal, REvil, DarkSide, Maze. Most of the people are still working. That asymmetry is the whole finding. Operator brands are ephemeral; the services beneath them are not. Bulletproof hosting, laundering, and access malware are shared across the ecosystem, sold to whoever pays, and they persist through every rebrand and takedown above them. Treat those enablers as cross-cutting nodes rather than appendages of individual gangs, and the concentration points appear. Confirmed reporting
The Metal
The clearest chokepoint in the ecosystem is a hosting company. OFAC's 2025 action against Media Land tied one provider to hosting for LockBit, Black Basta, Play, BlackSuit, and Evil Corp: five operator brands on one supplier. Its representative Aleksandr Volosovik ("Yalishanda") and associates were designated alongside it. Zservers/XHost served as LockBit's primary bulletproof host; Aeza Group hosted infostealer and ransomware infrastructure. Access was similarly industrialized: Qakbot, developed by Rustam Gallyamov and fed into Conti, Black Basta and REvil, was disrupted by the FBI's Operation Duck Hunt in August 2023, with over $24 million in cryptocurrency later seized. Confirmed reporting
The lever matters as much as the target. Seizing a hoster's servers buys weeks; boxes are cheap. Sanctioning the provider attacks the parts that are hard to replace: its reputation for not folding, its operator relationships, its payment rails. And because a hoster is a shared dependency, the pressure radiates across every group that rents from it, an efficiency no action against a single rebrandable gang can match. Analyst inference
The Money
The financial layer tells a story the org charts cannot. When a group rebrands it changes its name and often its code, but it rarely changes its launderers, its OTC brokers, or its wallet habits. The FBI's assessment that DarkSide, BlackMatter, and ALPHV shared money launderers is the clearest statement of this; Chainalysis and Tetra Defense established Conti-to-Karakurt and Conti-to-Akira flows on-chain. Where the people hide behind new brands, the money keeps using the same plumbing. Confirmed reporting
The money also concentrates. A handful of services (Sergey Ivanov's UAPS/PM2BTC/Cryptex complex, the ChipMixer service) handled a disproportionate share of the ecosystem's proceeds before their designations. And it concentrates in people: Chainalysis assessed Stern (Kovalev) as among the most profitable ransomware actors ever tracked, with German reporting citing a personal wallet valued near a billion euros. A new brand with no named operators is not a dead end if its payments flow through plumbing already mapped to a prior brand. The money is frequently the first thread that survives a rebrand, and in the anonymous clusters it may be the only thread. Credible reporting
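To make the continuity argument in this paragraph concrete, here is an added Python example; it is not from the reference study or any of the cited sources. It models on-chain transfers as a directed graph and asks whether a new brand's ransom inflows reach cash-out nodes already attributed to a prior brand, which is the "same plumbing" test an investigator runs before concluding a rebrand is a fresh actor. Every address, label and amount below is a constructed placeholder, and the multi-hop search is a deliberately simple breadth-first walk rather than any particular vendor's clustering heuristic.

```python
"""Multi-hop tracing of ransom inflows to previously attributed cash-out nodes.

All addresses, labels and amounts are constructed for illustration; none
correspond to real wallets or to any source cited on this page.
"""
from collections import deque

# Constructed transfer edges: (from_address, to_address, amount_btc).
TRANSFERS = [
    ("newbrand_ransom_1", "hop_a", 4.0),
    ("hop_a", "hop_b", 3.9),
    ("hop_b", "otc_desk_X", 3.8),          # reaches a previously attributed broker
    ("newbrand_ransom_2", "hop_c", 2.0),
    ("hop_c", "exchange_unattributed", 2.0),  # dead end: nothing mapped here yet
    ("oldbrand_ransom_9", "hop_z", 10.0),
    ("hop_z", "otc_desk_X", 9.9),
]

# Constructed attribution table from a hypothetical earlier investigation.
LABELS = {
    "otc_desk_X": "OTC broker used by OldBrand (prior case)",
    "oldbrand_ransom_9": "OldBrand ransom address (prior case)",
}


def build_graph(transfers):
    """Adjacency list: address -> list of (next_address, amount)."""
    graph = {}
    for src, dst, amount in transfers:
        graph.setdefault(src, []).append((dst, amount))
    return graph


def trace_to_labeled(graph, start, labels, max_hops=5):
    """Walk forward from `start` and return (attributed_node, path) hits.

    The walk stops at the first attributed node on each branch and never
    follows more than `max_hops` transfers, so a long peel chain past the
    hop budget is reported as unresolved rather than guessed at.
    """
    hits = []
    queue = deque([(start, [start])])
    seen = {start}
    while queue:
        node, path = queue.popleft()
        if node != start and node in labels:
            hits.append((node, path))
            continue
        if len(path) - 1 >= max_hops:
            continue
        for nxt, _amount in graph.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, path + [nxt]))
    return hits


def shared_cashout_nodes(graph, new_brand_addrs, labels, max_hops=5):
    """Map each attributed node to the new-brand paths that reach it."""
    shared = {}
    for addr in new_brand_addrs:
        for node, path in trace_to_labeled(graph, addr, labels, max_hops):
            shared.setdefault(node, []).append(path)
    return shared


def attribution_overlap(graph, new_brand_addrs, labels, max_hops=5):
    """Fraction of the new brand's inflow addresses that reach mapped plumbing."""
    if not new_brand_addrs:
        return 0.0
    reached = sum(
        1 for addr in new_brand_addrs
        if trace_to_labeled(graph, addr, labels, max_hops)
    )
    return reached / len(new_brand_addrs)


if __name__ == "__main__":
    g = build_graph(TRANSFERS)
    inflows = ["newbrand_ransom_1", "newbrand_ransom_2"]
    for node, paths in shared_cashout_nodes(g, inflows, LABELS).items():
        print(f"{node} [{LABELS[node]}] reached via:")
        for path in paths:
            print("   " + " -> ".join(path))
    print(f"overlap with prior attribution: {attribution_overlap(g, inflows, LABELS):.0%}")
```

The hop budget is the important knob: a hit at three hops through unlabeled intermediaries is a lead to corroborate, not an attribution, so a real workflow would report the path and the amount attrition along it rather than treat any reachable labeled node as proof.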
The Krysha
The baseline arrangement is the dark covenant: avoid CIS targets (the keyboard-layout exclusion in the malware is its technical signature), stay inside Russia, stay useful, and you will not be pursued. But the record of this series shows something more active than tolerance. Eduard Benderskiy, Yakubets's father-in-law and a former officer of the FSB's Vympel unit, facilitated Evil Corp's FSB, SVR, and GRU contacts and shielded the group from internal Russian scrutiny after the 2019 sanctions, per the NCA. Before 2019, the NCA states, Evil Corp was tasked by Russian intelligence to conduct attacks and espionage against NATO allies: the state using a criminal capability for its own ends. Confirmed reporting
And Oleg Nefedov, in the leaked Black Basta chats, claimed contacts of his own ("I have guys from Lubyanka and the GRU") and escaped Armenian custody with "high-level" help through a green corridor. Bogachev, Yakubets, Kovalev, Nefedov: each of the four men this series is built around is either documented or credibly reported to sit under the roof. That is not a coincidence of biography. It is the operating condition of the ecosystem's core. Credible reporting
Here is the paradox that ties the series together. State adjacency protects these groups, and state adjacency exposed the two largest of them. Conti was de-anonymized because its leadership publicly declared for the invasion, provoking the insider leak. Black Basta imploded over attacking Russian banks, provoking its leak. The identification of Kovalev as Stern was pre-empted by a persona reportedly sourcing from Russian state or insider databases, and the Zolotarjovs filing alleged the organization itself tapped government databases. Proximity to the state politicizes these groups, ties them to a regime whose actions provoke insiders, and embeds them in an environment that leaks. The most damaging blows to this ecosystem have come not from Western enforcement but from the frictions of its own protection. Analyst inference
| Action | Year | Target | Effect |
|---|---|---|---|
| Operation Tovar | 2014 | GameOver Zeus botnet | Botnet dismantled; principals untouched |
| TrickBot disruption | 2020 | TrickBot infrastructure | Temporary; group recovered |
| Evil Corp sanctions | 2019 / 2024 | Yakubets, family, Ryzhenkov | Forced rebrands; no arrests |
| REvil / Kaseya actions | 2021 / 2022 | REvil infra, affiliates, FSB theater | Affiliates jailed; core stayed |
| OFAC TrickBot/Conti rounds | 2023 | Conti corporate layer | Monikers mapped to names |
| Operation Cronos | 2024 | LockBit | Infra seized; LockBitSupp unmasked |
| Operation Endgame | 2024 / 2025 | Malware delivery layer | Loaders hit; Kovalev named as Stern |
| Operation Checkmate | 2025 | BlackSuit | Infrastructure seized |
What a decade of actions actually taught
Three honest judgments follow from the table. First, infrastructure seizure works but is temporary: botnets and leak sites get rebuilt, as TrickBot and LockBit both showed. Second, de-anonymization is real progress but not an endgame: naming Kovalev, Nefedov, Khoroshev, and Shchukin is a genuine achievement, and every one of them remains in Russia, beyond extradition. Third, and most important, the decisive blows have been self-inflicted: the Conti and Black Basta leaks did more to expose those organizations than any enforcement action, and Evil Corp's 2019 internal split did more to disrupt it than the simultaneous sanctions. External pressure worked best when it amplified existing internal fractures. Analyst inference
The fracture pattern is consistent enough to treat as a property of the system. Evil Corp split over leadership conflict. Conti fractured into teams and then leaked over a political declaration. Black Basta imploded over abuse and targeting disputes. BlackSuit split along the same Team 1 / Team 2 seam that had cracked Conti. In every case the failure point was trust: money disputes, targeting decisions, perceived informants, status conflicts. Pressure that raises mistrust works with the grain of a documented weakness, and it does not require reaching the protected principals at all. Analyst inference
Basis: hosting and support for LockBit, Black Basta, Play, BlackSuit, Evil Corp
Coordinated: US · UK · Australia, November 2025
Signal: pressure applied to the shared enabling layer, not a single gang
Where the leverage is
Synthesizing the series: the highest-leverage points are rarely the protected principals. The enabler layer (hosters, launderers) services many brands at once, reconstitutes slowly, and is reachable through sanctions: the best ratio of effort to ecosystem-wide effect. The financial plumbing outlives brands, so designating cash-out services and mapping leadership wallets degrades many operations simultaneously. The cross-ecosystem nodes (the FIN7 bridge, the LockBit hub) concentrate multiple lineages in single points. Internal trust is the ecosystem's binding constraint and its most reliably self-destructive one. And the anonymous cores of DarkSide, ALPHV, and Maze remain the highest-value unfinished work, most likely to fall to insider exposure or financial tracing rather than seizure. Analyst inference
The unifying judgment, and the reason this project exists: a brand-centric strategy chases ghosts, because the brands are designed to be discarded. A people-and-infrastructure strategy targets what actually persists. The operators. The relationships. The hosters. The launderers. The wallets. And above all of it, the roof.
Sourcing & confidence
This dispatch is adapted from the project's reference study "People, Lineage, Money, and the State" (v3), and draws on OFAC designations of Media Land, Zservers, Aeza, Cryptex and ChipMixer, the joint US/UK/Australia bulletproof hosting action (November 2025), the UK NCA Evil Corp white paper (October 2024), FBI assessments of laundering continuity, Chainalysis and Tetra Defense blockchain analysis, the DOJ Qakbot disruption (August 2023), and the leaked Conti and Black Basta chat corpora. Confidence labels follow standard analytic practice.
Confirmed · multiple independent sources, including official designation or indictment language.
Credible · single strong source or consistent industry reporting, not yet officially confirmed.
Analyst inference · the project's own assessment, drawn from the evidence above.
- UK Government, UK smashes Russian cybercrime networks (Nov 2025).
- Chainalysis, OFAC targets Russian cybercrime infrastructure (Nov 2025).
- UK NCA, Evil Corp: Behind the Screens (Oct 1, 2024).
- US DOJ, Qakbot disrupted in Operation Duck Hunt (Aug 2023).