NEWS The Name of the Man Behind the Attack on Half the World Has Been Revealed — But His Hands Are Still Unbound

ExcalibuR



We now know who has been running the TrickBot and Conti gangs all this time. What comes next?


Germany’s Federal Criminal Police Office (BKA) has, for the first time, officially revealed the real name of the individual behind the hacker groups TrickBot and Conti. According to investigators, the alias "Stern" belonged to a 36-year-old Russian citizen — identified only as K. This was announced last week as part of the ongoing global Operation Endgame, in which authorities from dozens of countries are coordinating efforts against malicious cyber infrastructure and key players in its underground economy.


German investigators claim that K. was one of the founding members of TrickBot — also known as Wizard Spider. This organization deployed a wide array of malicious tools, from the namesake banking trojan TrickBot to loaders like BazarLoader and SystemBC, trojans such as IcedID and Diavol, and ransomware including Ryuk and Conti, which caused damage to hundreds of organizations worldwide.


An Interpol Red Notice has already been issued against the hacker. He is officially charged with leading a criminal organization, although the BKA documents do not explicitly name the group. In reality, this refers to the leader of a transnational cybercriminal syndicate, which operated like a corporation: with a clear hierarchy, project-based structure, financial reporting, and strict control.


This is not the first time the man has come under the scrutiny of law enforcement. Back in February 2023, his name appeared on a list of seven Russians accused by the U.S. of ties to TrickBot and Conti. At that time, he was identified as one of the group’s managers under aliases such as Bentley, Bergen, Alex Konor, and Ben. However, he wasn’t yet seen as the leader — that only became clear after new leaks and analysis of internal communications.


The picture became much clearer following the release of leaks known as TrickLeaks and ContiLeaks. The former included personal data, accounts, and contact details of TrickBot members. The latter revealed the source code and internal conversations of the Conti group. These messages repeatedly referenced Stern, who received requests from other members for approval of attacks, recruitment decisions, and even legal aid payments for hackers arrested in the U.S.


These leaks not only exposed the inner workings of the group but effectively dismantled Conti. After the publications, many members left and splintered into new gangs — including well-known names like Royal, Black Basta, BlackCat, AvosLocker, Karakurt, LockBit, Silent Ransom, DagonLocker, and ZEON. Essentially, a single leak decentralized one of the most powerful cybercriminal organizations in history.


In a Friday statement, the BKA emphasized the scale and organizational maturity of TrickBot: at various points, the group had over 100 active members, operated using a project-based model, and was entirely profit-driven. Its infection campaigns affected hundreds of thousands of systems — in Germany and globally. Victims included hospitals, government bodies, businesses, and individuals. The group's criminal activities reportedly earned hundreds of millions of euros.


Despite years of law enforcement efforts, K.'s whereabouts remain unknown. The BKA believes he is likely still in Russia and urges citizens and cybersecurity professionals to report any information that could aid in locating him — from his online accounts to communication channels and digital traces.


Operation Endgame, of which this investigation is a part, remains one of the largest international efforts to dismantle malware infrastructure. In addition to TrickBot and Conti, it has also targeted and taken down servers and domains linked to Danabot, Smokeloader, and other major cyber threats. The investigation continues, with authorities clearly aiming to systematically dismantle the logistics of the digital underworld — starting from the top.
 