Copied


EU Sanctions 'Stern,' Trickbot Ransomware Leader Tied to $300M

Zach Anderson   Jul 15, 2026 23:30 0 Min Read


On July 14, 2026, the European Union announced sanctions against Vitaly Nikolayevich Kovalev, better known by his alias “Stern,” following a coordinated effort with the United States and the United Kingdom. Stern, identified as a senior administrator of the Trickbot and Conti ransomware operations, is alleged to have received over $300 million in ransom payments via cryptocurrency wallets linked to his activities. The sanctions mark a critical escalation in international efforts to dismantle cybercrime networks.

The Trickbot group, which Stern reportedly led, evolved into one of the most prolific ransomware syndicates globally, targeting healthcare, financial systems, and critical infrastructure. The group is accused of deploying strains like Ryuk, Conti, and BazarLoader, which collectively caused billions of dollars in damages worldwide. Stern’s role, according to leaked internal communications from the “Conti Leaks,” positioned him as a CEO-like figure overseeing strategic decisions, payroll, and the distribution of ransomware proceeds.

First identified as Vitaly Kovalev by Germany’s Federal Criminal Police (BKA) in 2025, Stern has been in the crosshairs of global authorities for years. The EU’s action builds on prior sanctions by the U.S. and U.K. in 2023, which targeted 19 Trickbot members. However, this is the first formal designation linking the alias “Stern” to Kovalev, underscoring his central role in the group’s operations.

The sanctions extend beyond Trickbot’s leadership. The U.S. Treasury's Office of Foreign Assets Control (OFAC) simultaneously targeted First VPN Service (1VPNS), a VPN provider allegedly used by ransomware operators, and other infrastructure providers like Media Land LLC, a hosting service tied to ransomware operations since 2016. The coordinated effort emphasizes a growing strategy to disrupt not just the cybercriminals themselves but the ecosystem enabling their attacks.

For the cryptocurrency sector, the sanctions signal heightened scrutiny of blockchain transactions linked to ransomware. Chainalysis reports that wallets associated with Stern transacted across multiple ransomware strains, including Ryuk, Conti, and Quantum. Compliance tools like blockchain analytics are now key to identifying exposure and preventing funds from flowing to sanctioned entities.

The timing of the sanctions is notable. Bitcoin, often scrutinized as a preferred medium for ransomware payments, recently traded at $64,871, up nearly 50% year-to-date. As authorities tighten enforcement, exchanges and custodians will face increasing pressure to monitor wallets linked to illicit activity. Stern’s designation and the associated wallet addresses flagged by Chainalysis will likely serve as a litmus test for the industry's compliance capabilities.

While the EU’s move disrupts Trickbot’s operations, the broader effectiveness of sanctions will depend on sustained international collaboration. Cybercriminals often operate across multiple jurisdictions, exploiting regulatory gaps. By freezing assets and blocking infrastructure access, authorities aim to dismantle both the operators and their enablers. Whether this action significantly curtails ransomware activity remains to be seen, but it sets a precedent for future cross-border enforcement.


Read More