A Russian national who runs Evil Corp – the world’s most harmful cyber crime group that created and deployed malware causing financial losses totalling hundreds of millions of pounds in the UK alone – has been indicted in the United States following unprecedented collaboration between the National Crime Agency (NCA), the FBI and the National Cyber Security Centre.
Maksim Yakubets, aged 32, from Moscow, is charged in relation to two separate international computer hacking and bank fraud schemes spanning from May 2009 to the present.
The sophisticated, technically skilled crime group represents the most significant cyber crime threat to the UK. Yakubets employed dozens of people to run his operation from the basements of Moscow cafes. Evil Corp targeted the UK for almost a decade with multiple strains of damaging malware, which defrauded and stole money from the bank accounts of members of the public and businesses.
A dedicated team at the NCA began working with multiple partners to investigate one of the group’s core malware strains, Dridex, in 2014. These officers developed intelligence and identified evidential material over several years to support the US indictments.
Intelligence provided by the NCA has also been used to support sanctions brought by the US Treasury Department’s Office of Foreign Asset Control against Evil Corp, Yakubets and 21 associated entities. As a result of these designations, any property under US jurisdiction held by those subject to sanction has been blocked, and US persons are prohibited from engaging in transactions with them.
NCA and FBI action in 2015 briefly disabled the Dridex botnet. Within weeks, Evil Corp was able to adapt the malware and infrastructure to resume criminal activities. In the same year, another operation led to the arrest of Andrey Ghinkul, a Dridex distributor known as ‘Smilex’.
Investigations in the UK by the NCA and the Metropolitan Police Service have also targeted Yakubets’ network of money launderers who’ve funnelled profits back to Evil Corp. Eight people have been sentenced to a total of over 40 years in prison.
Yakubets, who drives a customised Lamborghini supercar with a personalised number plate that translates to ‘Thief’ and spent over £250,000 on his wedding, is now subject to a $5 million US State Department reward – the largest ever reward offered for a cyber criminal. Fellow Russian Igor Turashev, aged 38, who’s Yakubets’ administrator and controls the Dridex malware, has also been indicted for cyber crime offences.
If Yakubets, who used the online moniker ‘Aqua’, ever leaves the safety of Russia he will be arrested and extradited to the US. The work carried out by the NCA and its partners means he has now been exposed to the world and will be subject to significant international scrutiny. It also restricts his ability to operate with other criminals who will find him toxic to deal with.
Significance of the group
Lynne Owens, director general of the NCA, said: “The significance of this group of cyber criminals is hard to overstate. They have been responsible for campaigns targeting our financial structures with multiple strains of malware over the last decade. We’re unlikely to ever know the full cost, but the impact on the UK alone is assessed to run into the hundreds of millions.”
Owens continued: “These indictments demonstrate that our world-leading law enforcement, in unparalleled co-operation with our US allies, is tirelessly committed to cracking down on cyber criminality – pursuing legal action and targeting their finances no matter where criminals are based. It’s our assessment that Maksim Yakubets and Evil Corp – the cyber crime group he controls – represent the most significant cyber crime threat to the UK. While the harm caused by this group has targeted mainly financial institutions, there’s no doubt that their activity has had real world impacts, defrauding and stealing from victims in the UK and worldwide. The Lamborghini that Yakubets drives was someone’s life savings, now emptied from their bank account.”
Owens added: “We will continue to work closely with our international partners, be that in the US, Europe or elsewhere in the world, to present a united front against online criminals who threaten our prosperity and security.”
Multiple malware campaigns
Using multiple online identities, primarily that of ‘Aqua’, Yakubets was subject to UK and international investigations for his involvement in multiple malware campaigns including Dridex and Zeus variants. Aqua was also included in a 2014 US criminal complaint issued against Evgeniy Bogachev for his role in Zeus malware.
Bogachev remains on the FBI’s most wanted list with a reward of $3 million, previously the highest sum offered for a cyber criminal.
These malware strains have been considered among the world’s most prominent cyber threats, responsible for enabling fraud, stealing data and theft from businesses and individuals. In 2016, Symantec assessed that Dridex was configured to target the customers of nearly 300 different organisations in over 40 countries.
Financial malware is commonly installed through e-mails that contain infected attachments. The downloaded malware then remains hidden on a victim’s system to gather private and personal data, which is subsequently exploited to steal money and enable fraud. Through this method, Evil Corp is thought to have stolen millions of pounds directly from UK victims to fund lavish criminal lifestyles.
Paul Chichester, the National Cyber Security Centre’s director of operations, said: “This announcement is the result of a multi-year investigation with our law enforcement and international partners. Dridex has been targeting UK victims since at least 2014, compromising and stealing from large organisations, SMEs and the general public. Malware is a continuing cyber threat, but we can all reduce our risk of becoming victims of the cyber criminals by ensuring our devices are patched, that the anti-virus is turned on and up-to-date and files are backed up.”
Assistant Attorney General Brian Benczkowski of the US Justice Department’s Criminal Division observed: “Maksim Yakubets has allegedly engaged in a decade-long cyber crime spree that deployed two of the most damaging pieces of financial malware ever used and resulted in tens of millions of dollars of losses to victims worldwide. These two cases demonstrate our commitment to unmasking the perpetrators behind the world’s most egregious cyber attacks. The assistance of our international partners, in particular the National Crime Agency, was crucial to our efforts to identify Yakubets and his co-conspirators.”
FBI deputy director David Bowdich stated: “The announcement is the end result of a long-running investigation of a sophisticated organised cyber crime syndicate. The charges highlight the persistence of the FBI and our partners to vigorously pursue those who desire to profit from innocent people through deception and theft.”
Bowdich explained: “By calling out those who threaten American businesses and citizens, we expose criminals who hide behind devices and launch attacks that threaten our public safety and economic stability. The actions highlighted in this case, which represent a continuing trend of cyber criminal activity emanating from Russian actors, were particularly damaging as they targeted US entities across all sectors and walks of life.”
In conclusion, Bowdich commented: “With the assistance of private industry and our international and US Government partners, the FBI is sending a strong message that we will work together to investigate and hold all criminals accountable. Our memory is long and we will hold them accountable under the law, no matter where they attempt to hide.”