Chainalysis has noted that authorities from the United States, United Kingdom, and European Union imposed sanctions on an extensive network of cybercriminals, state-linked hackers, and their support infrastructure. This action stands out as one of the broadest cyber enforcement operations to date, targeting entities blamed for inflicting billions of dollars in losses on businesses, critical infrastructure, and governments worldwide.
Chainalysis also pointed out that at the center of the EU’s designations is Vitaly Nikolayevich Kovalev, a Russian national better known by his online alias “Stern.”
Identified as a key administrator within the Trickbot cybercrime syndicate, Stern has reportedly received more than $300 million in cryptocurrency ransom payments through associated wallets.
As explained in a blog post by Chainalysis, this staggering personal share positions him as potentially the most prolific individual ransomware figure tracked to date.
Trickbot and its affiliates, including notorious strains like Conti and Ryuk, have long been associated with devastating attacks on healthcare providers, financial institutions, and other essential sectors.
While Stern’s identified inflows exceed $300 million, this amount reflects only his portion of the proceeds.
The group’s overall extortion activities have generated far greater sums, highlighting the industrial scale of these operations.
Blockchain analysis shows Stern’s wallets interacting with numerous ransomware variants, such as Diavol, Karakurt, Royal, 3AM, Quantum, and Bitpaymer, illustrating his central role in the ecosystem.
Kovalev was initially sanctioned by US and UK authorities in February 2023.
The recent EU listing is notable for explicitly referencing his “Stern” moniker.
These latest measures bring the total number of sanctioned Trickbot-linked individuals to 19, following earlier actions that targeted seven members in early 2023 and an additional 11 later that year.
Internal documents from the Conti leaks reportedly portray Stern in a leadership capacity, with authority over budgeting, procurement, hiring, and operational planning—akin to a CEO within the criminal enterprise.
Cryptocurrency flows further underscore this hierarchy, revealing payments for infrastructure and services that sustained the group’s activities.
Beyond individual operators, the sanctions extend to enabling services. The U.S. Treasury’s Office of Foreign Assets Control (OFAC) targeted First VPN Service (1VPNS) and its administrator Dmytro Rashevskyi, along with cryptor provider Yevgeniy Silayev.
These entities provided tools frequently used by ransomware actors across multiple blockchains.
This follows a European law enforcement operation in May 2026 that disrupted 1VPNS infrastructure.
The EU also designated developers tied to the LummaC2 infostealer malware-as-a-service platform, which gained widespread use for stealing credentials and wallet data.
Additional targets include Media Land LLC, a bulletproof hosting provider linked to multiple ransomware gangs since 2016, and various Russian state-affiliated actors from GRU Unit 29155 and pro-Russia hacktivist collectives like CARR and Z-Pentest, accused of attacks on critical infrastructure.
This coordinated push signals a strategic evolution in counter-cybercrime efforts: moving beyond frontline operators to dismantle the supporting infrastructure—VPNs, hosting services, obfuscation tools, and payment facilitators—that allows these groups to thrive.
By labeling relevant cryptocurrency addresses, blockchain analytics firms like Chainalysis enable organizations to screen for potential exposure and strengthen compliance.
International collaboration remains essential, as cybercriminals exploit jurisdictional gaps.
These sanctions freeze assets and restrict dealings across borders, aiming to disrupt cash flows and operational continuity. Chainalysis concluded that as ransomware threats continue evolving, such actions combined with advanced on-chain monitoring offer a robust framework for mitigating risks to the global digital economy.