International law enforcement agencies have worked for years to disrupt the Evil Corp cybercriminal gang and its heinous global crime spree. But in a crowded field of prolific Russian cybercriminals, Evil Corp stands out most for its unique relationship with Russian intelligence.
On Tuesday, the UK’s National Crime Agency released new details about the real-world identities of alleged Evil Corp members, the group’s connection to the LockBit platform, and the gang’s links to the Russian state. Researchers have increasingly established that there are vague and quid pro quo connections between Russian cybercriminals and the country’s government. But NCA officials emphasize that Evil Corp is an unusual example of a gang that has direct relations with multiple Russian intelligence agencies, including Russia’s Federal Security Service, or FSB; Foreign Intelligence Service, or SVR; and the military intelligence agency known as the GRU. And the NCA reports that prior to 2019, Evil Corp was specifically “tasked” by Russian intelligence services to conduct espionage operations and cyber attacks against unnamed “NATO allies.”
For more than a decade, Evil Corp has used its Dridex malware and other hacking tools to compromise thousands of bank accounts around the world and steal funds. In 2017, the group expanded into ransomware, using strains such as Hades and PhoenixLocker, and then used the LockBit platform as an affiliate starting in 2022. The group has extorted at least $300 million from victims, in addition to their other loot, and the United States The State Department offers a $5 million reward seeking information leading to the arrest of the gang’s alleged leader, Maksim Yakubets.
“The story of Evil Corp is a prime example of the evolving threat posed by cybercriminals and ransomware operators,” the NCA wrote on Tuesday in a joint report with the FBI and Australian Federal Police. “In their case, Russian state activities played a particularly significant role, sometimes even co-opting this cybercrime group for their own malicious cyber activity.”
Unlike many Russian cybercrime groups that have developed a distributed online leadership structure, NCA officials say Evil Corp is organized as a more traditional criminal syndicate around Yakubets’ family and friends. His father, Viktor Yakubets, allegedly has experience in money laundering, and Maksim’s brother Artem, along with his cousins Kirill and Dmitry Slobodskoy, are allegedly involved with the group. Officials also allege that the group has operated from physical locations, including Chianti Café and Scenario Café in Moscow.
Officials say Maksim Yakubets has always been the main liaison between Evil Corp and Russian intelligence. But other members, including his father-in-law, Eduard Benderskiy, also allegedly contribute to the relationships. Benderskiy is Reportedly a former FSB official who worked in the mysterious “Vympel” unit. and, according to Bellingcat, may have been involved in a series of murders abroad. NCA officials say that after US sanctions and indictments in 2019 against members of Evil Corp, Benderskiy worked to protect senior members of the gang inside Russia.
Despite its long-standing dominance, Evil Corp has had to continue to evolve to continue making money. While it denies a relationship, the group appeared to have used the notorious LockBit ransomware-as-a-service platform to carry out attacks since 2022. And Yakubets’ alleged second-in-command, whom NCA officials named on Tuesday as Aleksandr Ryzhenkov, was apparently monitoring this. work. After international law enforcement launched a major shutdown of LockBit in February, the gang has been operating at a reduced capacity, according to the NCA.
“Born from a merger of elite cybercriminals, Evil Corp’s sophisticated business model made them one of the most widespread and persistent cybercrime adversaries to date,” the NCA wrote. “After being hampered by sanctions and indictments in December 2019, the group has been forced to diversify its tactics as they attempt to continue causing damage while adapting to the changing cybercrime ecosystem.”