Hacker, YouTube and failed login: the story of exposing the leader of the Trickbot group

Carding

Maxim Galochkin leads a double life in the shadow of the Darknet and the light of YouTube.

As a result of a months-long investigation conducted by WIRED, the secrets of the Trickbot extortion group were revealed. Based on the leaked documents, the journalists were able to reveal the identity of one of the key members of the group – Maxim Sergeevich Galochkin.

41-year-old Maxim Galochkin actively communicates on the Internet, sharing his thoughts on cryptocurrency, music and cinema. At first glance, he may seem like an ordinary office worker, but in reality he is a key member of the large cybercrime syndicate Trickbot. Inside the organization, colleagues know Galochkin under the pseudonyms Bentley and Manuel.

According to Wired, Galochkin was involved in Trickbot's financial transactions, subscriptions to services needed for attacks, and the obfuscation (hiding) of malicious code from antivirus programs. In addition, Galochkin previously had the surname Sipkin and supported the opposition. Later, he changed his last name to Galochkin and began to engage in cybercrime.

The hacker also expressed his ambition to become a millionaire and his desire to live in the United States or Europe. In one of his correspondences with colleagues, he boasted about his car, a Bentley Continental GT.

Researchers were able to determine the identity of the hacker after watching a video on a YouTube channel dedicated to cryptocurrencies. In this video, the author demonstrated his active account in the Jabber messenger. The same login was seen in the Bentley messages. After analyzing the information associated with the YouTube account, experts studied the use of similar usernames and passwords in other services. As a result, experts came to Maxim Galochkin from Abakan.

The investigation also uncovered the internal workings of the Trickbot syndicate, which made it possible to link key members of the syndicate to the broader cybercrime community and identify links to other criminal groups.

The investigation began in March 2022, when an account on the social network X called "Trickleaks" published the correspondence of approximately 35 members of the group. The information provided a unique insight into the size and structure of the Trickbot group, which researchers estimate at 100-400 people, making Trickbot one of the world's largest cybercriminal groups.

We also note that at the moment Galochkin has not been detained or charged with cybercrime. His current location is unknown.

In 2020, American law enforcement agencies, together with information security companies, disabled most of TrickBot's C&C infrastructure. Although the group lost 94% of its servers, the botnet survived and returned with new servers within a few days, and a few weeks later new attacks began. In February, after several months of downtime, the TrickBot botnet operators shut down their infrastructure.

In 2021, the US authorities charged and detained two TrickBot programmers, but the group's leadership remained intact. The group continued to function throughout 2021 until it became part of Conti and switched to a new code base.

Carding

The name of the founder of Trickbot has become known

The founder of the Trickbot group and the true bearer of the Bentley nickname is 41-year-old Russian Maxim Galochkin. This conclusion was reached by Wired journalists and several experts they interviewed who studied the leak of internal community chats, which occurred back in 2022.

“Galochkin may seem like a typical office worker, but in fact he chose the right profession that allows him to earn big money. According to numerous cybercrime researchers, he is a key member of the Russian Trickbot syndicate, which has launched thousands of cyberattacks in recent years, crippling businesses, hospitals and even governments around the world. Colleagues from Trickbot know him under the nicknames Bentley and Manuel,” the material says.

The publication recalled that in March 2022, a Twitter account called Trickleaks published thousands of online chat logs associated with approximately 35 members of the group. The total size of the Trickbot group is difficult to estimate, but researchers estimate it has between 100 and 400 members. An anonymous whistleblower published 250,000 internal messages and a series of homemade intelligence dossiers exposing the people believed to be behind the group.

In particular, real names, photographs, social network accounts, passport numbers, telephone numbers, cities of residence and other personal data of alleged Trickbot members were published. The cache also included 2,500 IP addresses, 500 cryptocurrency wallets, and thousands of domains and email addresses. Collectively, these files form one of the largest data dumps of a cybercrime group in history.

A detailed investigation led Wired to Galochkin, a resident of Abakan, who previously had a different name - Maxim Sipkin. These two individuals were linked thanks to the same passport number. Many eminent information security experts and investigators, including Alex Holden, agreed with these data.

“Cybercriminals often avoid accountability by remaining nameless and faceless. But thanks to Galochkin, it is possible to get a detailed picture of his activities inside and outside of Trickbot. In the photo, which appeared on Galochkin's GitHub and Gravatar profiles, the man appears well-built, with thick dark brown eyebrows and a matching dark brown goatee. He has long gray hair, he is posing on a mountainside, wearing jeans and a white T-shirt,” the researchers stated.

Certain parts of the material are also devoted to Galochkin’s family relationships, his political views, as well as possible connections with the Kremlin. At the same time, many of Galochkin’s associates in Trickbot either did not enter into dialogue with the publication or disowned ties with the hacker group.

Let us remind you that earlier the US Department of Justice revealed the identities of seven members of the Trickbot group and imposed sanctions against them. According to the American side, all of them are citizens of Russia and permanently reside in the country. Another person appeared on that list under the nickname Bentley, but Wired journalists consider this a mere coincidence. Galochkin was not mentioned in the Ministry of Justice list.