Date: 2023-09-06

Wired: hacker group Trickbot is headed by Russian national Maxim Galochkin

Journalists from the reputable American publication Wired, with the help of a number of prominent information security experts, spent a year and a half studying a major leak of data from inside the Trickbot hacker group, which in the West is traditionally associated with Russia and even directly with the Kremlin. As a result of the investigation, they named the person they believe leads the cybercriminals: according to the publication, he is 41-year-old Maxim Galochkin from Abakan, who allegedly hides behind the nickname Bentley.

“I have big plans. I want to be rich, I want to be a millionaire. Once I have a lot of money, I will get everything I have aspired to.”

Maxim Galochkin, according to Wired the alleged leader of the hacker group Trickbot

The exposure was made possible by a major leak

The Wired investigation began in March 2022, shortly after an account called Trickleaks published on the social network Twitter (now X) correspondence from the internal online chats of several dozen Trickbot members. In total there were about a quarter of a million messages, as well as homemade dossiers on the hackers that gave their real names, photos, social media accounts, passport numbers, phone numbers, cities and, in some cases, exact home addresses.

The records also contained about 2,500 IP addresses used by group members and 500 cryptocurrency wallets belonging to them. The number of people involved in Trickbot was estimated at between 100 and 400.

“Given the amount of information that was accessed, the leaker is either someone who has infiltrated the group deeply enough, or a researcher who found a way to penetrate the Trickbot infrastructure,” suggested Cyjax cyber threat analyst Joe Reeden.

Trickbot members were exposed by a data breach orchestrated by unknown persons. Photo: Arthur Edelmans / Unsplash

The Trickleaks leak was noticed by information security experts and law enforcement agencies in Western countries. In Russia, however, the incident went largely unnoticed, in large part because of the “special military operation” that had begun a few weeks earlier.

How was the hacker identified?

Wired identified the hacker because, in a video on a YouTube channel dedicated to cryptocurrencies, the author showed a logged-in account in the Jabber (XMPP) messenger on screen. It was this login that had appeared several years earlier in Bentley’s leaked correspondence.

Having concluded that the head of Trickbot was the author of the video, the researchers began analysing the data tied to that YouTube account, in particular which other accounts had reused the same or similar logins, or even the same passwords, and when. This chain of correlations led the experts to Galochkin, a resident of the Russian city of Abakan, who previously bore the surname Sipkin.

100 to 400 people are estimated to be part of Trickbot

Independent experts with big names in the Western information security world agreed with these conclusions, in particular Alex Holden, president of Hold Security, who spent several years investigating Trickbot members, as well as Radoje Vasovich, CEO of Cybernite Intelligence, and Vincas Ciziunas, principal researcher at Nisos.

The researchers also obtained a photo of the hacker that he had posted on GitHub and Gravatar. Wired describes the Russian as a well-built man with thick dark-brown eyebrows and a dark-brown beard. According to the journalists, he has long grey hair, and in the picture he is posing on a mountainside, dressed in jeans and a white T-shirt, with a hiking backpack over his shoulders.

The hacker sympathised with the opposition and told his wife about his work

Despite the accepted norms of how cybercriminals deal with colleagues in the trade, the hacker often disclosed personal information in correspondence, Wired writes. In particular, he said that he had some difficulties in his relationship with his wife when he told her exactly what he did for a living.

“I told her that we were fucking over arrogant American corporate jerks. Most importantly, we don’t go after ordinary hard workers and the poor.”

Maxim Galochkin, according to Wired the alleged leader of the hacker group Trickbot

Before changing his surname, the Russian, according to Nisos, sympathised with the Russian opposition movement Solidarity. It is alleged that he “was elected to the political council of the movement’s regional branch and spoke about the problems of corruption and censorship in Russia, calling for a return to democracy and an investigation into the activities of officials.”

At the same time, Wired believes that the leaked correspondence contains some references to Trickbot having connections, if not directly with the Kremlin, then at least with individual employees of law enforcement agencies. For example, when several alleged members of the group were tried in the United States in 2021, one high-ranking Trickbot member wrote that the FSB was neutral or even well disposed toward the defendants, and that “the boss [of the hackers] has connections there.”

Such statements are, in general, extremely typical of the Western press when it describes the activities of groups associated with Russia. However, it is worth remembering that Trickbot primarily targeted financial corporations and did not perform intelligence tasks for anyone’s benefit.

Trickbot members have already been named in the West, but Galochkin was not among them

In February 2023, the US authorities, acting jointly with the UK, published the names of seven alleged members of the group and imposed sanctions on them. The statement said that all of them were Russian citizens permanently residing in Russia. Galochkin was not among the seven. The text of the press release was generally in the spirit of recent Western statements about Russia.

“Cybercriminals, especially those based in Russia, are looking to attack critical infrastructure, US businesses and the international financial system,” said Under Secretary of the Treasury for Terrorism and Financial Intelligence Brian Nelson. “The United States, in partnership with the UK, is taking action on this, as we believe that international cooperation is the key to fighting Russian cybercrime.”

Russia is often accused in the West of computer crimes. Photo: Thomas Peter / Reuters

The press release also states that “Russia has become a haven for cybercriminals”, where nothing prevents hackers from various groups from carrying out endless attacks on the US, the UK and their partners. In particular, Russian hackers are accused of attacks on critical infrastructure, as well as on hospitals and other medical facilities. It is worth noting that representatives of large groups have, on various forums and at various times, denied targeting social facilities.

As for the seven Russians mentioned in the document, one of them, Vitaly Kovalev, allegedly one of Trickbot’s leaders, is identified there as the bearer of the nickname Bentley. Wired’s journalists do not believe that the US Department of Justice made a mistake in its investigation, and explain the identical nicknames of Kovalev and Galochkin as a mere coincidence.

Kovalev himself, according to the authoritative Western information security journalist Brian Krebs, tried in the middle of the last decade to shoot a film in Russia titled “Botnet”, about a hacker group. For one of the roles he allegedly planned to cast a Russian student who had worked as a money-mule “drop”, was caught by American law enforcement and then made a deal with investigators.


None of the seven people on the sanctions list gave comments to Russian media. However, one of them did admit to Wired that a few years ago he had done some programming tasks on a freelance basis, and they had not seemed illegal to him.

Trickbot created one of the most dangerous banking Trojans

The group came to the attention of experts in 2016, which makes it one of the longest-lived cybercriminal associations in Russia. Analysts believe that Trickbot is either closely related to another well-known hacker association, Conti, or that the two consist largely of the same people.

Over the years Trickbot has managed to deploy a botnet and an associated banking Trojan that steals personal data and financial information. The Trojan descends from Dyre, a banking Trojan that appeared back in 2014. In this type of attack, the infected device is itself later used to attack other victims, often without the owner’s knowledge.

Initially, the malware enriched its creators by stealing batches of logins and passwords for online banking and other financial applications, including crypto wallets. This information could be used directly or sold on the dark web. Over time the Trojan became more complex: once inside a network, it opened the way to infecting corporate systems with other malware, including ransomware, with which the cybercriminals encrypted or blocked victims’ data and demanded a ransom for decryption. Companies that gave in to the extortion, as a rule, do not disclose it.

Analysts at Kaspersky Lab believe that the botnet’s main goal is now to penetrate and spread within local networks. They note that after that “the operators can use it to solve many different tasks, from handing a captured site over to third-party attackers to stealing confidential data.”

Trickbot’s hackers have given the FBI headaches for the past seven years. Photo: Gerald Herbert / AP

In the US it is claimed that Trickbot attacked civilian infrastructure (primarily medical facilities) in 2020 and then allegedly began performing tasks in the Kremlin’s interests. Curiously, shortly before this, Microsoft announced that 90 percent of the group’s infrastructure had been destroyed. In response, over the next year and a half Trickbot members infected more than 140,000 devices, among them computers belonging to customers and employees of Microsoft, Amazon, PayPal, Bank of America, Wells Fargo, American Express and other large corporations.