Russian-Led Cybercrime Network Dismantled in Sweeping International Operation
A major international law enforcement effort has dismantled the core of a Russian-led malware and ransomware operation, with investigators from Europe and North America joining forces to strike a blow against some of the world’s most sophisticated cybercriminals.
Authorities from the UK, Canada, Denmark, the Netherlands, France, Germany, and the United States coordinated on the takedown, which has resulted in arrest warrants for 20 individuals, most of them believed to be residing in Russia. Meanwhile, the U.S. unsealed indictments against 16 suspects, accusing them of involvement in high-level cyber operations.
Among those charged are alleged ringleaders of the notorious Qakbot and Danabot malware networks. They include Rustam Rafailevich Gallyamov, 48, of Moscow, and two men from Novosibirsk—Aleksandr Stepanov (also known as JimmBee), 39, and Artem Aleksandrovich Kalinkin (known as Onix), 34. The U.S. Department of Justice detailed their roles in orchestrating cyberattacks ranging from theft and extortion to campaigns aimed at destabilizing institutions. One recent UK target of such activity was retail giant Marks & Spencer.
Germany’s federal police agency, the Bundeskriminalamt (BKA), spearheaded the European component of the investigation, dubbed “Operation Endgame.” It released appeals to locate 18 individuals tied to the Qakbot and Trickbot malware families, many of whom are Russian nationals.
One of the most prominent figures on BKA’s wanted list is Vitalii Nikolayevich Kovalev, 36, a Russian national linked to Conti, a ransomware group described by investigators as the most professional and structured in the world. Known online as “Stern” and “Ben,” Kovalev is alleged to have led blackmail campaigns against hundreds of companies globally, extracting vast sums in ransom. German authorities claim he is among the most prolific cyber extortionists in history.
Kovalev, originally from Volgorod and now believed to reside in Moscow, has multiple companies registered under his name. He was first identified in 2023 by U.S. authorities as a former Trickbot affiliate and is now also suspected of heading other criminal enterprises, including the ransomware groups Royal and Blacksuit, which emerged in 2022. His cryptocurrency wallet is reportedly valued at around €1 billion.
In total, BKA and its global partners identified 37 perpetrators, gathering sufficient evidence to issue 20 arrest warrants. The U.S. Attorney’s Office in California simultaneously revealed charges against 16 people accused of creating and operating the Danabot malware, which infected over 300,000 computers worldwide, with a major impact in the U.S., Australia, Poland, India, and Italy.
According to the indictment, the malware was distributed by a cybercriminal syndicate based in Russia and promoted on Russian-language forums. An espionage-focused variant of Danabot was reportedly used to target military, diplomatic, governmental, and NGO systems, with stolen data allegedly funneled to servers inside the Russian Federation.
Another high-profile suspect is Roman Mikhailovich Prokop, a 36-year-old Ukrainian national fluent in Russian, believed to be affiliated with the Qakbot group.
Operation Endgame, which began in 2022 under German leadership, reflects a growing emphasis on transnational cooperation in the fight against cybercrime. Holger Münch, president of the BKA, emphasized Germany’s status as a frequent target for cyberattacks and the need for international coordination.
Investigators are pursuing suspects not only for cyber intrusions but also for organized criminal activity and extortion. The Conti group, in particular, focused on U.S. hospitals during the COVID-19 pandemic. In response, U.S. authorities offered a $10 million bounty for information leading to its leadership.
While many suspects remain in Russia or Dubai—where extradition is unlikely—officials stress that the identification and public exposure of these figures is a meaningful setback to their operations.
“With Operation Endgame 2.0, we’ve shown once again that our strategies are effective—even within the supposedly anonymous darknet,” Münch said.