OrganisationRU

Trickbot

Russian-speaking cybercrime group behind banking malware and ransomware delivery infrastructure; member identified in Operation Zero network.

Last refreshed: 17 April 2026 · Appears in 1 active topic

Key Question

How is the Trickbot gang connected to a 2026 zero-day exploit sanctions action?

Timeline for Trickbot

#117 Apr

Mentioned in: OFAC turns IP law on Operation Zero

Cybersecurity: Threats and Defences

View full timeline →

Follow Cybersecurity: Threats and Defences →

Common Questions

What happened to the Trickbot group?: Trickbot's infrastructure was disrupted multiple times through 2021–2023 and several operators were sanctioned or prosecuted. A member, Oleg Kucherov, appeared in OFAC's April 2026 Operation Zero sanctions action for involvement in a zero-day exploit brokerage network.Source: OFAC / DOJ
Is Trickbot still active in 2026?: Trickbot's original banking-malware operations have largely been dismantled, but associated individuals remain active in adjacent criminal networks. Oleg Kucherov's designation in the 2026 Operation Zero action is the most recent confirmed activity link.Source: OFAC

Background

A member of the Trickbot cybercrime group, Oleg Kucherov, was identified and designated by OFAC in April 2026 as part of the Operation Zero exploit broker network sanctions. Kucherov's presence in the network illustrates how Russian cybercrime infrastructure, originally built for banking fraud, feeds into the broader ecosystem of state-adjacent offensive tooling brokerage.

Trickbot was first identified in 2016 as a banking Trojan derived from the Dyre malware family. It evolved into a modular platform used to deliver ransomware (notably Ryuk and Conti) and facilitate account takeover at scale. The US and UK governments attributed Trickbot to a network of Russian-speaking cybercriminals, and several Trickbot operators were sanctioned or prosecuted through 2021 to 2023. Despite multiple law-enforcement actions against Trickbot's infrastructure, associated individuals remain active in adjacent criminal networks.

The Kucherov designation in the Operation Zero action shows continuity between the Trickbot criminal ecosystem and the contemporary exploit-broker market. For law enforcement agencies, it reinforces the pattern of Russian cybercrime operators moving up the value chain from commodity malware to higher-margin zero-day brokerage.

How the World Sees Them

Ransomware ecosystem

Trickbot's original banking-malware infrastructure provided the delivery and monetisation rails that later ransomware groups built on.

Russian intelligence

Western governments assess Trickbot as tolerated by Russian authorities; the Kucherov designation adds a public legal record to that relationship.

US / UK law enforcement

Trickbot operators continue appearing in high-value enforcement actions despite prior infrastructure takedowns; persistent individual actors outlast dismantled infrastructure.