|
(1)
|
the following entries are added under the heading ‘A. Natural persons’:
|
|
Name
|
Identifying information
|
Reasons
|
Date of listing
|
|
‘20.
|
Vitaly Nikolayevich KOVALEV
|
Виталий Николаевич КОВАЛЕВ
Aliases: “Bentley”, “Bergen”, “Alex Konor”, “Benny”, “Ben”, “Stern”
DOB: 23.6.1988
Address: Serebristy Bulvar 34 (Serebristyy Bul’var); krp 1; flt 528; 197341; St Petersburg, Russian Federation
Nationality: Russian
Gender: male
Associated entities: TrickBot, Wizard Spider, Conti
|
Vitaly Kovalev is a senior figure in the malware programs “Trickbot” and “Conti”. He is also known by the online monikers “Bentley”, “Bergen”, “Alex Konor”, “Benny”, “Ben” and “Stern”.
Conti and Trickbot were originally created and developed by Wizard Spider. Wizard Spider has conducted ransomware campaigns in a variety of sectors, including essential services such as health and banking, has infected computers worldwide and their malware has been developed into a highly modular malware suite. Campaigns by Wizard Spider, using malware such as Conti, and TrickBot, are responsible for substantial economic damage in the European Union.
Vitaly Kovalev is therefore responsible for, and involved in, cyber-attacks with a significant effect which constitute an external threat to the Union or its Member States.
|
13.7.2026
|
|
21.
|
Alexander Alexandrovich VOLOSOVIK
|
Александр Александрович ВОЛОСОВИК
DOB: 30.1.1983
POB: USSR
Nationality: Russian
Passport number: 762988138
Gender: male
Associated entities: Yalishanda, LARVA-34, podzemniyl, Ohyeahhellno, Stas_vl, downlow
|
Alexander Volosovik is the owner of Media Land LLC. Since 2016, Bullet Proof Hosting service Media Land LLC has been facilitating a wide array of malware attacks against both the Union and globally, by offering hosting services that hide user identities and resist takedowns by law enforcement. Media Land LLC enabled large-scale ransomware operations, command-and-control services, and phishing operations that target critical infrastructure and essential services in the Member States, leading to significant financial losses. Operations facilitated by Media Land LLC include, inter alia, LockBit, EvilCorp and BlackBasta.
Therefore, Media Land LLC is involved in cyber-attacks with significant effect which constitute an external threat to the Union or its Member States. As owner of Media Land LLC, Alexander Volosovik is responsible for, and involved in, these cyber-attacks. He is also associated to Media Land LLC.
|
13.7.2026
|
|
22.
|
Denis Olegovich DEGTYARENKO
|
Денис Олегович ДЕГТЯРЕНКО
Alias: “Dena”
DOB: 9.10.1989
POB: USSR
Nationality: Russian
Gender: male
Address: 130 Lenina Avenue, Novy Gorod microdistrict, Orsk, Orenburg Region, Russian Federation
|
Denis Degtyarenko aka Dena is a Russian hacker for CARR (Cyber Army of Russia Reborn).
CARR has been responsible for cyber-attacks against services necessary for the maintenance of essential economic activities and critical state functions in the Member States, as well as against infrastructure in Ukraine and other third countries. CARR is linked to the Main Centre for Special Technologies (GTsST) within the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU).
The GTsST remains active in carrying out cyber-attacks against the Union or its Member States. CARR’s targets include government agencies, financial institutions, media outlets, and critical infrastructure in the Member States and the United States. CARR has conducted distributed denial-of-service (DDoS) attacks in Ukraine and against governments and companies located in countries that have supported Ukraine.
Therefore, Denis Degtyarenko, a primary hacker for CARR, is involved in cyber-attacks with a significant effect, including attempted cyber-attacks with a potentially significant effect, which constitute an external threat to the Member States, as well as against third states. As a member of CARR, he is also associated to GTsST.
|
13.7.2026
|
|
23.
|
Yuliya Vladimirovna PANKRATOVA
|
Юлия Владимировна ПАНКРАТОВА
Alias: “YUliYA”
DOB: 6.4.1984
POB: USSR
Nationality: Russian
Gender: female
Address: 130 Lenina Avenue, Novy Gorod microdistrict, Orsk, Orenburg Region, Russian Federation
|
Yuliya Pankratova is a Russian hacker who has been working for CARR (Cyber Army of Russia Reborn) and has founded, and continues to work for Z-Pentest.
CARR has been responsible for cyber attacks against services necessary for the maintenance of essential economic activities and critical state functions in the Member States, as well as against infrastructure in Ukraine and other third countries. CARR is linked to the Main Centre for Special Technologies (GTsST) within the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU). The GTsST remains active in carrying out cyber-attacks against the Union or its Member States. CARR’s targets include government agencies, financial institutions, media outlets, and critical infrastructure in Member States and the United States. CARR has conducted distributed denial-of-service (DDoS) attacks in Ukraine and against governments and companies located in countries that have supported Ukraine.
Z-Pentest is responsible for cyber-attacks with a significant effect against inter alia services necessary for the maintenance of essential activities in the Member States.
Therefore, Yuliya Pankratova, a primary hacker for CARR and for Z-Pentest, is involved in cyber-attacks with a significant effect, including attempted cyber-attacks with a potentially significant effect, which constitute an external threat to the Member States, as well as against third states. She is also associated to Z-Pentest.
|
13.7.2026
|
|
24.
|
Maksim Evgenevich VORONIN
|
Максим Евгеньевич ВОРОНИН
Alias: “Daugn0”
Nationality: allegedly Russian
Gender: male
|
Maksim Voronin aka Daugn0 is involved in the development, distribution and selling of the information stealing malware LummaC2 (aka Lumma Infostealer, Lumma Stealer).
LummaC2 is a Malware-as-a-Service (MaaS) platform, used to steal sensitive data, browser credentials, crypto wallets, or system info, to deploy additional malware on infected devices, for cryptocurrency theft and for espionage campaigns.
Cyberattacks involving LummaC2 malware are used also by financially motivated cyber threat actors like Storm-113, Storm-1607, Storm-1674, Octo Tempest and others. LummaC2 malware has been used for cyber-attacks against critical state functions and services necessary for the maintenance of essential social and economic activities of the Members States. In 2024 and 2025, LummaC2 was one of the most used tools for stealing information worldwide.
Therefore, Maksim Voronin as developer, distributor and seller of LummaC2 is involved in and facilitates cyberattacks with a significant effect, which constitute an external threat to the Member States.
|
13.7.2026
|
|
25.
|
Maksim Aleksandrovich GORDIENKO
a.k.a. Maxim Alexandrovich GORDIENKO
|
Максим Александрович ГОРДИЕНКО
Alias: “Lummaseller”
Nationality: allegedly Russian
Gender: male
|
Maksim Gordienko aka Lummaseller is involved in the development and distribution of the information stealing malware LummaC2 (aka Lumma Infostealer, Lumma Stealer).
LummaC2 is a Malware-as-a-Service (MaaS) platform, used to steal sensitive data, browser credentials, crypto wallets or system info, to deploy additional malware on infected devices, for cryptocurrency theft and for espionage campaigns. Cyberattacks involving LummaC2 malware are used also by financially motivated cyber threat actors like Storm-113, Storm-1607, Storm-1674, Octo Tempest and others. LummaC2 malware has been used for cyber-attacks against critical state functions and services necessary for the maintenance of essential social and economic activities of the Member States. In 2024 and 2025 LummaC2 was one of the most used tools for stealing information worldwide.
Therefore, Maksim Gordienko as developer, distributor and seller of LummaC2 is involved in and facilitates cyberattacks with a significant effect, which constitute an external threat to the Member States.
|
13.7.2026
|
|
26.
|
Evgeniy Viktorovich BASHEV
|
Евгений Викторович БАШЕВ
DOB: 25.1.1980
POB: USSR
Nationality: Russian
Gender: male
Associated individuals: Denis Igorevich Denisenko, Yuriy Fedorovich Denisov, Dmitriy Yuryevich Goloshubov, Nikolay Alexandrovich Korchagin
Associated entities: GRU Unit 29155, “Impuls” LLC
|
Evgeniy Bashev is a member of Russian Military Intelligence Agency GRU, Unit 29155. Within the unit he supports and facilitates cyber-attacks with a significant effect against the Member States, inter alia via controlling the server “Aegon”, used for hacking operations. In particular, he provides technical and material support to the cyber-attacks of the GRU Unit 29155 through his company “Impuls” LLC, which facilitated operational cover, infrastructure, and payments, and managed technical assets, including servers, that are used for the cyber-attacks. He also coordinated cooperation between GRU structures and external hacker networks. The cyber-attacks he facilitated targeted critical state functions systems and services necessary for the maintenance of essential social or economic activities in the Member States, notably in the transport sector. Via the WhisperGate campaign, GRU Unit 29155 also targeted critical infrastructure of Ukraine.
Therefore, Evgeniy Bashev provides technical and material support for, or is otherwise involved in, cyber-attacks with a significant effect, including attempted cyber-attacks with a potentially significant effect, which constitute an external threat to the Member States, as well as cyber-attacks with a significant effect against a third country.
As owner and General Director, he is associated with the company “Impuls” LLC.
As a Member of GRU Unit 29155, he is also associated with that entity.
|
13.7.2026
|
|
27.
|
Roman Alexandrovich PUNTUS
|
Роман Александрович ПУНТУС
POB: Russian Federation
Nationality: Russian
Gender: male
Associated individuals: Denis Igorevich Denisenko, Yuriy Fedorovich Denisov, Dmitriy Yuryevich Goloshubov, Nikolay Alexandrovich Korchagin, Evgeniy Viktorovich Bashev
Associated entities: GRU Unit 29155
|
Roman Puntus is a member of the Russian Military Intelligence Agency GRU, Unit 29155. Within the unit, he holds a leading role in the organisation and coordination of cyber-attacks with a significant effect against the Member States. He also supports the development of the unit’s internal cyber capability, including the recruitment and supervision of personnel such as hackers and programmers. By establishing the front company “Aegeon-Impulse,” he facilitated logistical and financial aspects of cyber operations. Under his coordination, the unit conducted cyber-attacks targeting critical state functions systems and services necessary for the maintenance of essential social or economic activities in the Member States, notably in the transport sector. Via the WhisperGate campaign, GRU Unit 29155 also targeted critical infrastructure of Ukraine.
Therefore, Roman Puntus is responsible for, or is otherwise involved in, cyber-attacks with a significant effect, including attempted cyber-attacks with a potentially significant effect, which constitute an external threat to the Member States, as well as cyber-attacks with a significant effect against a third country.
As a Member of GRU Unit 29155, he is also associated with that entity.
|
13.7.2026’
|
|