The Daily Lives of Russian Cybercriminals: Uncovering “Trickbot”
By Natasha Wood, MALD 2024 Candidate, The Fletcher School
On October 25, 2023, Lily Hay Newman, investigative journalist at “Wired,” sat down with Fletcher Professor Josephine Wolff to talk about her investigation into the Russian cybercriminal organization Trickbot. The event was jointly organized by the Tufts Cybersecurity and Public Policy Program and the Hitachi Center for Technology & International Affairs at The Fletcher School.
In March 2022, a Twitter account called “Trickleaks” leaked streams of chat logs generated by around 35 members of Trickbot. Newman said that while it was not clear what motivated the leak, it may have come from a disgruntled member of Trickbot, or a double agent (referred to as a grey hat hacker) embedded inside the organization.
Newman’s biggest discovery in the leak was successfully uncovering the identity of Maksim Galochkin, a key member of Trickbot who goes by the moniker “Bentley.” Galochkin had previously worked with other cybercriminal groups such as Conti, which research indicates has strong ties to Trickbot.
Less sensational but equally interesting were the insights the Trickbot leak provided on the day-to-day operations of a major Russian cybercriminal organization. The uncovered chat logs, which Newman equated to “Trickbot Slack,” paint a picture of Trickbot as a professional organization that, in a few ways, looks like any other company. Colleagues network with each other and share techniques and best practices, someone manages HR, and employees request vacation time.
In many other ways, of course, Trickbot looks nothing like a conventional company. Newman acknowledged that there is often confusion around the level of collaboration between Russian cybercrime operations and the Russian government. Newman clarified that Trickbot is financially motivated, and isn’t an arm of the Kremlin. However, in exchange for granting organizations like Trickbot freedom to operate and immunity from foreign investigations, the Russian government may call in favors.
This collaboration is likely playing out in the Russia-Ukraine war, Newman noted. Russian cybercriminal organizations such as Trickbot may have had pre-existing information about or illicit access to Ukrainian companies or government infrastructure. If provided to the Kremlin, that data could feasibly support multiple parts of Russia’s full-scale war in Ukraine, including attacks on the Ukrainian power grid.
The ensuing Q&A session focused, among other topics, on the question of why Russia has developed such an advanced and effective system of cybercriminal organizations. Newman reminded the audience that necessity is the mother of invention and that the rise of Trickbot and other networks reflects a desire to make money by exploiting the global economy. The combination of enormous investments in technology and innovation during the Cold War, severe and rampant scarcity in the 1990s, persistent socioeconomic inequality, IT democratization, and disregard for the rule of law on the federal level has feasibly meant that organizations like Trickbot have flourished in Russia.