Revelations from a major Trickbot breach and its suspected leader


Investigative fallout from a large Trickbot breach

In a deep-dive that spanned more than a year, reporters tracked a major data breach tied to the Trickbot cybercrime network, a group that Western observers have often linked to Russian actors and even the Kremlin. The investigation identified a figure it describes as the group's purported leader: Maxim Galochkin, a 41-year-old from Abakan who is also known by the alias Bentley.

The long-form probe began in March 2022 after an anonymous whistleblower released a trove of internal Trickbot chats on a social platform now called X. The leak included hundreds of thousands of messages and revealed hackers’ personal data, including real names, photos, social media handles, passport numbers, phone numbers, and full residential addresses.

The records also logged 2,500 IP addresses associated with group members and details on roughly 500 cryptocurrency wallets. Estimates place Trickbot’s active roster at between 100 and 400 participants.

The breakthrough in identifying the alleged ringleader came from a widely viewed cryptocurrency-focused YouTube channel. In one video, the creator displayed a login for the Jabber messaging service that had previously surfaced in the Bentley correspondence. By correlating this login with other accounts that reused similar credentials, researchers traced the identity to Maxim Galochkin of Abakan, who formerly used the name Maxim Sipkin.

Independent information security experts who have long analyzed Trickbot corroborated the findings. Notable figures in the field, including the president of Hold Security, the CEO of Cybernite Intelligence, and a principal investigator at Nisos, have contributed to ongoing examinations of the Trickbot network and its members over several years.

The investigation also retrieved images associated with the hacker that had been posted to GitHub and Gravatar. Descriptions from the reporting portray Galochkin as a physically imposing individual with thick dark brown eyebrows and a short dark brown beard, alongside gray hair that falls to the shoulders in certain photos. In one appearance, he is shown outdoors on a mountainside, wearing jeans and a white shirt with a hiking pack slung over the shoulders.

Additional context from the reporting highlights a broader pattern of cybercriminals leveraging public and semi-public platforms to stage, discuss, and coordinate their activities, often blending online personas with real-world locations. The ongoing work aims to map how individuals in Trickbot operate, how information travels within the network, and how investigators and private researchers piece together fragmented data points to form a clearer picture of leadership and structure.

Public interest remains strong as authorities and researchers scrutinize Trickbot’s operational methods. The project underscores how leaked data, cross-border collaboration, and open-source intelligence can illuminate the intricate web of relationships that sustain modern cybercrime. The pursuit of accountability continues as researchers, cybersecurity firms, and policymakers weigh the implications for digital security, law enforcement, and international cooperation.

Experts emphasize that the tale is not solely about a single figure but about a sprawling ecosystem that coordinates illicit activity across borders. The story reflects a wider trend in which private and investigative teams analyze compromised chat logs, code repositories, and user-generated data to understand criminal networks and their leadership dynamics. As the landscape evolves, so too does the need for robust defenses, transparent investigations, and careful handling of sensitive information to protect both victims and potential whistleblowers. The evolving narrative around Trickbot remains a focal point for those tracking cyber threats and the resilient safeguards that can mitigate such breaches.

Notes from the ongoing coverage stress the importance of verifying identities in dynamic online environments where aliases and multiple accounts are common. The research community continues to adapt methodologies to improve accuracy while balancing privacy considerations in high-stakes investigations.

Citations: The detailed reporting on this breach and its leadership lines comes from investigative journalism that relied on leaked communications, cross-referenced account data, and expert commentary from established cybersecurity researchers. (Citation: Wired investigation)
