Protection Layer · The Bloodline · Part 7 of 7

The Constants

Six parts of this series followed people and brands. The brands are designed to be discarded. What persists is the Money, the Metal, and the Krysha, and the record of a decade says the decisive blows against this ecosystem were never delivered from outside.

By Reno · July 3, 2026 · 15 min read · Open Research

[Illustration: Brands rot, structures persist]

Every brand named in this series is dead or renamed: Zeus, Dridex, Ryuk, Conti, Black Basta, Royal, REvil, DarkSide, Maze. Most of the people are still working. That asymmetry is the whole finding. Operator brands are ephemeral; the services beneath them are not. Bulletproof hosting, laundering, and access malware are shared across the ecosystem, sold to whoever pays, and they persist through every rebrand and takedown above them. Treat those enablers as cross-cutting nodes rather than appendages of individual gangs, and the concentration points appear. [Confirmed reporting]

The Metal

The clearest chokepoint in the ecosystem is a hosting company. OFAC's 2025 action against Media Land tied one provider to hosting for LockBit, Black Basta, Play, BlackSuit, and Evil Corp: five operator brands on one supplier. Its representative Aleksandr Volosovik ("Yalishanda") and associates were designated alongside it. Zservers/XHost served as LockBit's primary bulletproof host; Aeza Group hosted infostealer and ransomware infrastructure. Access was similarly industrialized: Qakbot, developed by Rustam Gallyamov and fed into Conti, Black Basta and REvil, was disrupted by the FBI's Operation Duck Hunt in August 2023, with over $24 million in cryptocurrency later seized. [Confirmed reporting]

The lever matters as much as the target. Seizing a hoster's servers buys weeks; boxes are cheap. Sanctioning the provider attacks the parts that are hard to replace: its reputation for not folding, its operator relationships, its payment rails. And because a hoster is a shared dependency, the pressure radiates across every group that rents from it, an efficiency no action against a single rebrandable gang can match. [Analyst inference]

The Money

The financial layer tells a story the org charts cannot. When a group rebrands it changes its name and often its code, but it rarely changes its launderers, its OTC brokers, or its wallet habits. The FBI's assessment that DarkSide, BlackMatter, and ALPHV shared money launderers is the clearest statement of this; Chainalysis and Tetra Defense established Conti-to-Karakurt and Conti-to-Akira flows on-chain. Where the people hide behind new brands, the money keeps using the same plumbing. [Confirmed reporting]

The money also concentrates. A handful of services (Sergey Ivanov's UAPS/PM2BTC/Cryptex complex and the ChipMixer service among them) handled a disproportionate share of the ecosystem's proceeds before their designations. And it concentrates in people: Chainalysis assessed Stern (Kovalev) as among the most profitable ransomware actors ever tracked, with German reporting citing a personal wallet valued near a billion euros. A new brand with no named operators is not a dead end if its payments flow through plumbing already mapped to a prior brand. The money is frequently the first thread that survives a rebrand, and in the anonymous clusters it may be the only thread. [Credible reporting]

The Krysha

The baseline arrangement is the dark covenant: avoid CIS targets (the keyboard-layout exclusion in the malware is its technical signature), stay inside Russia, stay useful, and you will not be pursued. But the record of this series shows something more active than tolerance. Eduard Benderskiy, Yakubets's father-in-law and a former officer of the FSB's Vympel unit, facilitated Evil Corp's FSB, SVR, and GRU contacts and shielded the group from internal Russian scrutiny after the 2019 sanctions, per the NCA. Before 2019, the NCA states, Evil Corp was tasked by Russian intelligence to conduct attacks and espionage against NATO allies: the state using a criminal capability for its own ends. [Confirmed reporting]

And Oleg Nefedov, in the leaked Black Basta chats, claimed contacts of his own ("I have guys from Lubyanka and the GRU") and escaped Armenian custody with "high-level" help through a green corridor. Bogachev, Yakubets, Kovalev, Nefedov: each of the four men this series is built around is either documented or credibly reported to sit under the roof. That is not a coincidence of biography. It is the operating condition of the ecosystem's core. [Credible reporting]

The roof is real. But the roof has a price, and the price is what exposed them.

Here is the paradox that ties the series together. State adjacency protects these groups, and state adjacency exposed the two largest of them. Conti was de-anonymized because its leadership publicly declared for the invasion, provoking the insider leak. Black Basta imploded over attacking Russian banks, provoking its leak. The identification of Kovalev as Stern was pre-empted by a persona reportedly sourcing from Russian state or insider databases, and the Zolotarjovs filing alleged the organization itself tapped government databases. Proximity to the state politicizes these groups, ties them to a regime whose actions provoke insiders, and embeds them in an environment that leaks. The most damaging blows to this ecosystem have come not from Western enforcement but from the frictions of its own protection. [Analyst inference]

Fig. 1 · A decade of disruption, side by side (per cited sources)

Action                     | Year        | Target                               | Effect
Operation Tovar            | 2014        | GameOver Zeus botnet                 | Botnet dismantled; principals untouched
TrickBot disruption        | 2020        | TrickBot infrastructure              | Temporary; group recovered
Evil Corp sanctions        | 2019 / 2024 | Yakubets, family, Ryzhenkov          | Forced rebrands; no arrests
REvil / Kaseya actions     | 2021 / 2022 | REvil infra, affiliates, FSB theater | Affiliates jailed; core stayed
OFAC TrickBot/Conti rounds | 2023        | Conti corporate layer                | Monikers mapped to names
Operation Cronos           | 2024        | LockBit                              | Infra seized; LockBitSupp unmasked
Operation Endgame          | 2024 / 25   | Malware delivery layer               | Loaders hit; Kovalev named as Stern
Operation Checkmate        | 2025        | BlackSuit                            | Infrastructure seized

Inventory per DOJ, NCA, OFAC, Europol and BKA public disclosures. Pattern: infrastructure reachable, protected principals not.

What a decade of actions actually taught

Three honest judgments follow from the table. First, infrastructure seizure works but is temporary: botnets and leak sites get rebuilt, as TrickBot and LockBit both showed. Second, de-anonymization is real progress but not an endgame: naming Kovalev, Nefedov, Khoroshev, and Shchukin is a genuine achievement, and every one of them remains in Russia, beyond extradition. Third, and most important, the decisive blows have been self-inflicted: the Conti and Black Basta leaks did more to expose those organizations than any enforcement action, and Evil Corp's 2019 internal split did more to disrupt it than the simultaneous sanctions. External pressure worked best when it amplified existing internal fractures. [Analyst inference]

The fracture pattern is consistent enough to treat as a property of the system. Evil Corp split over leadership conflict. Conti fractured into teams and then leaked over a political declaration. Black Basta imploded over abuse and targeting disputes. BlackSuit split along the same Team 1 / Team 2 seam that had cracked Conti. In every case the failure point was trust: money disputes, targeting decisions, perceived informants, status conflicts. Pressure that raises mistrust works with the grain of a documented weakness, and it does not require reaching the protected principals at all. [Analyst inference]

US Treasury (OFAC), with UK and Australia · bulletproof hosting designations (excerpt)
Designated: Media Land, its representative Aleksandr VOLOSOVIK (“Yalishanda”) and associates
Basis: hosting and support for LockBit, Black Basta, Play, BlackSuit, Evil Corp
Coordinated: US · UK · Australia, November 2025
Signal: pressure applied to the shared enabling layer, not a single gang
Source: OFAC designation and joint UK/Australia announcements, November 2025. Public record, reproduced for analysis. One provider, five brands: the arithmetic of the enabler layer.

Where the leverage is

Synthesizing the series: the highest-leverage points are rarely the protected principals. The enabler layer (hosters, launderers) services many brands at once, reconstitutes slowly, and is reachable through sanctions: the best ratio of effort to ecosystem-wide effect. The financial plumbing outlives brands, so designating cash-out services and mapping leadership wallets degrades many operations simultaneously. The cross-ecosystem nodes (the FIN7 bridge, the LockBit hub) concentrate multiple lineages in single points. Internal trust is the ecosystem's binding constraint and its most reliably self-destructive one. And the anonymous cores of DarkSide, ALPHV, and Maze remain the highest-value unfinished work, most likely to fall to insider exposure or financial tracing rather than seizure. [Analyst inference]

The unifying judgment, and the reason this project exists: a brand-centric strategy chases ghosts, because the brands are designed to be discarded. A people-and-infrastructure strategy targets what actually persists. The operators. The relationships. The hosters. The launderers. The wallets. And above all of it, the roof.

Sourcing & confidence

This dispatch is adapted from the project's reference study "People, Lineage, Money, and the State" (v3), and draws on OFAC designations of Media Land, Zservers, Aeza, Cryptex and ChipMixer, the joint US/UK/Australia bulletproof hosting action (November 2025), the UK NCA Evil Corp white paper (October 2024), FBI assessments of laundering continuity, Chainalysis and Tetra Defense blockchain analysis, the DOJ Qakbot disruption (August 2023), and the leaked Conti and Black Basta chat corpora. Confidence labels follow standard analytic practice.

Confirmed · multiple independent sources, including official designation or indictment language.
Credible · single strong source or consistent industry reporting, not yet officially confirmed.
Analyst inference · the project's own assessment, drawn from the evidence above.

Series complete · The Bloodline

Start from the beginning: The Common Ancestor
