Unmasking Trickbot, One of the World’s Top Cybercrime Gangs
Maksim Sergeevich Galochkin is extremely online. On his work chat, the 41-year-old messages his colleagues day and night. He moans about losing money on cryptocurrency trading, says he’s “fucking addicted” to Metallica, and agrees with a colleague that the crime thriller Hackers is a perfect weekend movie. Galochkin confides to a teammate that he prefers working in the office and finds it easier to focus there—his wife “scolds” him when he's at home. And he knows what he wants in life.
“I have big goals,” he told a coworker in September 2021. “I want to be rich. A millionaire.” His more idealistic colleague calls money “a bullshit goal.” But Galochkin has a plan. “Nah,” he replies, “money is a means to arrange what I want.”
Galochkin may seem like a typical office worker, but he’s actually in the right line of work to make big money. According to multiple cybercrime researchers, he’s a key member of the notorious Russian cybercrime syndicate Trickbot, which has launched thousands of cyberattacks in recent years, crippling businesses, hospitals, and even governments around the world. Within Trickbot, his colleagues know him by his online handles: Bentley and Manuel.
The unmasking of Galochkin comes after a monthslong WIRED investigation involving multiple cybersecurity and Russian cybercrime experts who link him to the Bentley moniker. The analysis includes detailed assessments of a massive data trove that was leaked from the ransomware gang and posted online. This investigation also sheds further light on the inner workings of the Trickbot cybercrime syndicate, connecting its key players to the wider cybercrime landscape and revealing links between these criminal gangs and the Russian government.
In March 2022, a Twitter account known as “Trickleaks” published thousands of online chat logs taken from roughly 35 members of the group. The total size of the Trickbot group is tough to gauge, but researchers estimate it has anywhere from 100 to 400 members. The anonymous leaker published 250,000 internal Trickbot messages and a series of homemade intelligence dossiers exposing the people allegedly behind the gang. The trove includes real-world names, photos, social media accounts, passport numbers, phone numbers, towns and cities of residence, and other personal details of the alleged gang members. The cache also includes 2,500 IP addresses, 500 cryptocurrency wallets, and thousands of domains and email addresses.
Taken together, the files form one of the largest-ever data dumps from a cybercrime group. At the time of their release in early 2022, the Trickleaks files were largely overlooked by the public as global attention focused on Russia’s full-scale invasion of Ukraine and another major leak from the Conti ransomware group, which researchers say has strong ties to Trickbot.
Trickleaks did not escape the notice of global law enforcement, which has assessed the data. Its release last year came amidst a concerted effort by the United States and United Kingdom to disrupt, name, shame, and sanction Russian cybercriminals, including some Trickbot members, though not Galochkin or some other key Trickbot employees. But these government investigations are often years behind current activity and involve long-term strategic coordination.
Unmasking Bentley
For cybercriminals seeking anonymity, keeping distance from their coworkers is crucial. But when you’re spending all day messaging each other, even the most private and security-conscious people are likely to reveal some personal details. And for Galochkin, such lapses inadvertently helped reveal his true identity, researchers say.
In June 2020, for example, a Trickbot member with the handle Defender asked Bentley for an address on the instant messaging service Jabber so they could communicate outside of the group’s internal channels. Bentley sent his colleague the username volhvb@exploit.im, according to researchers from the cybersecurity firm Nisos, who investigated Bentley’s identity at WIRED’s request.