Summary
- The United States, United Kingdom, and European Union announced sanctions targeting nation-state hackers, cybercriminals, and their enablers in one of the largest cyber enforcement actions to date.
- The EU designated Vitaly Nikolayevich Kovalev, also known as “Stern,” administrator of the Trickbot ransomware operations who has received more than $300 million in ransom payments.
- In a separate action, OFAC designated First VPN Service (1VPNS), its administrator Dmytro Rashevskyi, and cryptor provider, Yevgeniy Silayev, for enabling ransomware attacks.
- The EU also designated individuals and entities linked to LummaC2 infostealer malware, bullet-proof hosting provider Media Land LLC, Russian GRU Unit 29155, and pro-Russia hacktivist groups CARR and Z-Pentest.
On July 13, 2026, the United States, European Union, and United Kingdom announced sanctions targeting a broad network of nation-state hackers, cybercriminals, and their enablers. The sweeping action represents one of the most significant cyber enforcement efforts to date and underscores the critical importance of cross-border collaboration in combating ransomware and cybercrime. The infrastructure and actors targeted in this action are collectively responsible for billions of dollars in damages to businesses, critical infrastructure, and governments worldwide.
The most notable revelation comes from the EU designation of Vitaly Nikolayevich Kovalev, also known as “Stern,” the administrator of the Trickbot criminal syndicate behind some of the most notorious ransomware strains, including Conti. Kovalev was first designated by the U.S. Office of the Treasury’s Office of Foreign Assets Control (OFAC) and the U.K. Office of Financial Sanctions Implementation (OFSI) on February 9, 2023, though the EU was the first sanctioning body to include the moniker “Stern” as an identifier. Wallets associated with Stern have received more than $300 million in ransom payments, potentially making him the single most prolific ransomware operator ever identified.
Stern: the $300 million ransomware administrator
The EU designation reveals that Vitaly Nikolayevich Kovalev, a Russian national, has operated under multiple aliases, most notably “Stern.” According to the EU, Kovalev is a senior figure of the Trickbot Group, including Ryuk and Conti ransomware and its many offshoots — among the most destructive malware programs in recent history. Trickbot is a cybercriminal group that has conducted ransomware campaigns across essential services including healthcare and banking.
Although wallets associated with Stern have received over $300 million in ransom payments, this figure represents only his personal cut of the proceeds. Trickbot’s total haul over the years is substantially larger, underscoring the massive scale of the group’s operations.
As the Chainalysis Reactor graph below shows, Stern transacted with numerous ransomware strains, including Ryuk, Conti, Diavol, Karakurt, Royal, 3am, Quantum, and Bitpaymer.
Stern’s designation follows the UK and US designation of 7 and later 11 Trickbot members in 2023, bringing the total Trickbot members sanctioned to 19. Cryptocurrency payments mirror the hierarchy of the Trickbot Group and reveal the centrality Stern had for the Trickbot group, not only in terms of his earnings, but in the payments doled out to team members for infrastructure payments or payments for services in the upkeep and maintenance of their operations. The Conti Leaks reveal that Stern indeed was a “CEO-like” figure who had discretion for the syndicate’s budget, procurement, hiring, and even attack planning.
OFAC targets ransomware infrastructure providers
OFAC designated First VPN Service (1VPNS), a VPN provider whose principal clients include ransomware actors, along with its administrator Dmytro Rashevskyi and cryptor provider Yevgeniy Vladimirovich Silayev. OFAC identified cryptocurrency wallet addresses linked to both 1VPNS and Rashevskyi across several blockchains, including Bitcoin, Ethereum, Litecoin, Zcash, Dash, TRON, Dogecoin, and Solana.
This action follows a May 2026 takedown of 1VPNS’s website and infrastructure by European law enforcement authorities, with support from the FBI’s Boston Field Office.
EU targets broader cybercriminal ecosystem
The EU designated a wide range of nation state cybercriminal actors and enablers:
- LummaC2 infostealer developers Maksim Evgenevich Voronin and Maksim Aleksandrovich Gordienko, whose Malware-as-a-Service platform was one of the most used infostealer tools worldwide in 2024 and 2025. LummaC2 was taken down by the United States’ Department of Justice (DOJ), Europol’s European Cybercrime Center, and Japan’s Cybercrime Control Center in a coordinated effort that began in May 2025.
- Media Land LLC, a bullet-proof hosting provider that has facilitated ransomware operations including LockBit, EvilCorp, and BlackBasta since 2016, along with its owner Alexander Alexandrovich Volosovik. Media Land LLC was sanctioned by OFAC in November 2025.
- Russian state-linked actors including members of GRU Unit 29155 and the Cyber Army of Russia Reborn (CARR), which have conducted cyber-attacks against critical infrastructure in EU member states and Ukraine. CARR was previously sanctioned by OFAC in 2024. The EU also designated Z-Pentest, a pro-Russia hacktivist group with ties to CARR that has targeted critical infrastructure in the energy and water sectors, including a Danish water utility in December 2024.
- Evgeniy Viktorovich BASHEV is identified as a member of Russian Military Intelligence Agency GRU, Unit 29155. He facilitated infrastructure and payments, and coordinated GRU’s collaboration with “external hacker networks.” Bashev facilitated the WhisperGate malware campaign targeting Ukrainian critical infrastructure, which notably sent an extortion demand in cryptocurrency.
Impact on cryptocurrency compliance
Today’s action reflects a strategic shift in combating malicious cyber activity: targeting not just the operators themselves, but the broader ecosystem of enablers that make their operations possible. VPN providers, malware-as-a-service providers, bullet-proof hosting services, cryptor developers, and other infrastructure providers are essential for extortion, defacement, DDoS, and sabotage, and increasingly in the crosshairs of law enforcement and sanctions authorities.
With Chainalysis’s solutions, organizations can monitor and detect exposure to these cybercriminal networks. We have labeled the relevant cryptocurrency addresses associated with today’s designations in our product suite to ensure our customers can proactively identify exposure and maintain global compliance standards.
FAQs
Who is Stern?
“Stern” is Vitaly Nikolayevich Kovalev, a Russian national and senior figure in the Trickbot and Conti ransomware operations.
Who did OFAC designate?
OFAC designated First VPN Service (1VPNS), its administrator Dmytro Rashevskyi, and cryptor provider Yevgeniy Silayev for enabling ransomware attacks.
What is LummaC2?
LummaC2 is a Malware-as-a-Service platform used to steal sensitive data, browser credentials, crypto wallets, and system information.
What is Media Land LLC?
Media Land LLC is a Russian bullet-proof hosting provider that has facilitated ransomware operations including LockBit, EvilCorp, and BlackBasta since 2016 by offering services that resist law enforcement takedowns.
Why is international coordination important for fighting ransomware?
Cybercriminals deliberately operate across multiple jurisdictions to evade detection and prosecution. Coordinated sanctions can help close these gaps and freeze assets across multiple financial systems simultaneously.
This website contains links to third-party sites that are not under the control of Chainalysis, Inc. or its affiliates (collectively “Chainalysis”). Access to such information does not imply association with, endorsement of, approval of, or recommendation by Chainalysis of the site or its operators, and Chainalysis is not responsible for the products, services, or other content hosted therein.
This material is for informational purposes only, and is not intended to provide legal, tax, financial, or investment advice. Recipients should consult their own advisors before making these types of decisions. Chainalysis has no responsibility or liability for any decision made or any other acts or omissions in connection with Recipient’s use of this material.
Chainalysis does not guarantee or warrant the accuracy, completeness, timeliness, suitability or validity of the information in this report and will not be responsible for any claim attributable to errors, omissions, or other inaccuracies of any part of such material.





