International operation exposes “world’s most harmful” cyber crime group

A Russian national who runs Evil Corp – the world’s most harmful cyber crime group that created and deployed malware causing financial losses totalling hundreds of millions of pounds in the UK alone – has been indicted in the United States following unprecedented collaboration between the National Crime Agency (NCA), the FBI and the National Cyber Security Centre.

Maksim Yakubets, aged 32, from Moscow, is charged in relation to two separate international computer hacking and bank fraud schemes spanning from May 2009 to the present.

The sophisticated, technically skilled crime group represents the most significant cyber crime threat to the UK. Yakubets employed dozens of people to run his operation from the basements of Moscow cafes. Evil Corp targeted the UK for almost a decade with multiple strains of damaging malware, which defrauded and stole money from the bank accounts of members of the public and businesses.

A dedicated team at the NCA began working with multiple partners to investigate one of the group’s core malware strains, Dridex, in 2014. These officers developed intelligence and identified evidential material over several years to support the US indictments.

Supporting sanctions

Intelligence provided by the NCA has also been used to support sanctions brought by the US Treasury Department’s Office of Foreign Asset Control against Evil Corp, Yakubets and 21 associated entities. As a result of these designations, any property under US jurisdiction held by those subject to sanction has been blocked, and US persons are prohibited from engaging in transactions with them.

NCA and FBI action in 2015 briefly disabled the Dridex botnet. Within weeks, Evil Corp was able to adapt the malware and infrastructure to resume criminal activities. In the same year, another operation led to the arrest of Andrey Ghinkul, a Dridex distributor known as ‘Smilex’.

Investigations in the UK by the NCA and the Metropolitan Police Service have also targeted Yakubets’ network of money launderers who’ve funnelled profits back to Evil Corp. Eight people have been sentenced to a total of over 40 years in prison.

Yakubets, who drives a customised Lamborghini supercar with a personalised number plate that translates to ‘Thief’ and spent over £250,000 on his wedding, is now subject to a $5 million US State Department reward – the largest ever reward offered for a cyber criminal. Fellow Russian Igor Turashev, aged 38, who’s Yakubets’ administrator and controls the Dridex malware, has also been indicted for cyber crime offences.

If Yakubets, who used the online moniker ‘Aqua’, ever leaves the safety of Russia he will be arrested and extradited to the US. The work carried out by the NCA and its partners means he has now been exposed to the world and will be subject to significant international scrutiny. It also restricts his ability to operate with other criminals who will find him toxic to deal with.

Significance of the group

Lynne Owens, director general of the NCA, said: “The significance of this group of cyber criminals is hard to overstate. They have been responsible for campaigns targeting our financial structures with multiple strains of malware over the last decade. We’re unlikely to ever know the full cost, but the impact on the UK alone is assessed to run into the hundreds of millions.”

Owens continued: “These indictments demonstrate that our world-leading law enforcement, in unparalleled co-operation with our US allies, is tirelessly committed to cracking down on cyber criminality – pursuing legal action and targeting their finances no matter where criminals are based. It’s our assessment that Maksim Yakubets and Evil Corp – the cyber crime group he controls – represent the most significant cyber crime threat to the UK. While the harm caused by this group has targeted mainly financial institutions, there’s no doubt that their activity has had real world impacts, defrauding and stealing from victims in the UK and worldwide. The Lamborghini that Yakubets drives was someone’s life savings, now emptied from their bank account.”

Owens added: “We will continue to work closely with our international partners, be that in the US, Europe or elsewhere in the world, to present a united front against online criminals who threaten our prosperity and security.”

Multiple malware campaigns

Using multiple online identities, primarily that of ‘Aqua’, Yakubets was subject to UK and international investigations for his involvement in multiple malware campaigns including Dridex and Zeus variants. Aqua was also included in a 2014 US criminal complaint issued against Evgeniy Bogachev for his role in Zeus malware.

Bogachev remains on the FBI’s most wanted list with a reward of $3 million, previously the highest sum offered for a cyber criminal.

These malware strains have been considered among the world’s most prominent cyber threats, responsible for enabling fraud, stealing data and theft from businesses and individuals. In 2016, Symantec assessed that Dridex was configured to target the customers of nearly 300 different organisations in over 40 countries.

Financial malware is commonly installed through e-mails that contain infected attachments. The downloaded malware then remains hidden on a victim’s system to gather private and personal data, which is subsequently exploited to steal money and enable fraud. Through this method, Evil Corp is thought to have stolen millions of pounds directly from UK victims to fund lavish criminal lifestyles.

Multi-year investigation

Paul Chichester, the National Cyber Security Centre’s director of operations, said: “This announcement is the result of a multi-year investigation with our law enforcement and international partners. Dridex has been targeting UK victims since at least 2014, compromising and stealing from large organisations, SMEs and the general public. Malware is a continuing cyber threat, but we can all reduce our risk of becoming victims of the cyber criminals by ensuring our devices are patched, that the anti-virus is turned on and up-to-date and files are backed up.”

Assistant Attorney General Brian Benczkowski of the US Justice Department’s Criminal Division observed: “Maksim Yakubets has allegedly engaged in a decade-long cyber crime spree that deployed two of the most damaging pieces of financial malware ever used and resulted in tens of millions of dollars of losses to victims worldwide. These two cases demonstrate our commitment to unmasking the perpetrators behind the world’s most egregious cyber attacks. The assistance of our international partners, in particular the National Crime Agency, was crucial to our efforts to identify Yakubets and his co-conspirators.”

FBI deputy director David Bowdich stated: “The announcement is the end result of a long-running investigation of a sophisticated organised cyber crime syndicate. The charges highlight the persistence of the FBI and our partners to vigorously pursue those who desire to profit from innocent people through deception and theft.”

Bowdich explained: “By calling out those who threaten American businesses and citizens, we expose criminals who hide behind devices and launch attacks that threaten our public safety and economic stability. The actions highlighted in this case, which represent a continuing trend of cyber criminal activity emanating from Russian actors, were particularly damaging as they targeted US entities across all sectors and walks of life.”

In conclusion, Bowdich commented: “With the assistance of private industry and our international and US Government partners, the FBI is sending a strong message that we will work together to investigate and hold all criminals accountable. Our memory is long and we will hold them accountable under the law, no matter where they attempt to hide.”

About the Author
Brian Sims BA (Hons) Hon FSyI, Editor, Risk UK (Pro-Activ Publications) Beginning his career in professional journalism at The Builder Group in March 1992, Brian was appointed Editor of Security Management Today in November 2000 having spent eight years in engineering journalism across two titles: Building Services Journal and Light & Lighting. In 2005, Brian received the BSIA Chairman’s Award for Promoting The Security Industry and, a year later, the Skills for Security Special Award for an Outstanding Contribution to the Security Business Sector. In 2008, Brian was The Security Institute’s nomination for the Association of Security Consultants’ highly prestigious Imbert Prize and, in 2013, was a nominated finalist for the Institute's George van Schalkwyk Award. An Honorary Fellow of The Security Institute, Brian serves as a Judge for the BSIA’s Security Personnel of the Year Awards and the Securitas Good Customer Award. Between 2008 and 2014, Brian pioneered the use of digital media across the security sector, including webinars and Audio Shows. Brian’s actively involved in 50-plus security groups on LinkedIn and hosts the popular Risk UK Twitter site. Brian is a frequent speaker on the conference circuit. He has organised and chaired conference programmes for both IFSEC International and ASIS International and has been published in the national media. Brian was appointed Editor of Risk UK at Pro-Activ Publications in July 2014 and as Editor of The Paper (Pro-Activ Publications' dedicated business newspaper for security professionals) in September 2015. Brian was appointed Editor of Risk Xtra at Pro-Activ Publications in May 2018.

Related Posts