International law enforcement agencies have been working for years to disrupt the cybercriminal gang known as Evil Corp and its extensive global crime spree. In a field crowded with prolific Russian cybercriminals, Evil Corp stands out due to its unique relationship with Russian intelligence services.
On Tuesday, the United Kingdom’s National Crime Agency (NCA) released new information regarding the real-world identities of alleged Evil Corp members, the group’s connection to the LockBit platform, and its ties to the Russian state. Researchers have increasingly found that there are loose, quid pro quo connections between Russian cybercriminals and the Russian government. However, NCA officials highlight that Evil Corp is a rare example of a gang with direct relationships with multiple Russian intelligence agencies, including the Federal Security Service (FSB), the Foreign Intelligence Service (SVR), and the military intelligence agency GRU. The NCA reports that prior to 2019, Evil Corp was specifically “tasked” by Russian intelligence services to conduct espionage operations and cyberattacks against unidentified “NATO allies.”
For over a decade, Evil Corp has employed its Dridex malware and other hacking tools to compromise thousands of bank accounts globally and steal funds. In 2017, the group expanded into ransomware, utilizing strains such as Hades and PhoenixLocker, and later began using the LockBit platform as an affiliate in 2022. The group has extorted at least $300 million from victims in addition to its other illicit gains. The United States Department of State is offering a $5 million reward for information leading to the arrest of the gang’s alleged leader, Maksim Yakubets.
In a joint report with the FBI and Australian Federal Police, the NCA noted, “Evil Corp’s story is a prime example of the evolving threat posed by cybercriminals and ransomware operators. In their case, the activities of the Russian state played a particularly significant role, sometimes even co-opting this cybercrime group for its own malicious cyber activity.”
Unlike many Russian cybercrime groups that have developed a distributed leadership structure online, the NCA states that Evil Corp is organized like a traditional crime syndicate around Yakubets’ family and friends. His father, Viktor Yakubets, is allegedly involved in money laundering, and other family members, including his brother Artem and cousins Kirill and Dmitry Slobodskoy, are also allegedly part of the group. Authorities claim that the group has operated out of physical locations in Moscow, including Chianti Café and Scenario Café.
Maksim Yakubets is reported to be the primary liaison between Evil Corp and Russian intelligence agencies. Other members, including his father-in-law Eduard Benderskiy, also allegedly contribute to these relationships. Benderskiy is reportedly a former FSB official who worked in the ‘Vympel’ unit and, according to Bellingcat, may have been involved in a series of overseas assassinations. After the US’s 2019 sanctions and indictments against Evil Corp members, Benderskiy is said to have worked to protect the gang’s senior members within Russia.
Despite its longtime dominance in cybercrime, Evil Corp has had to evolve to maintain its financial gains. While the group denies any relationship with LockBit, it appears to have used the ransomware-as-a-service platform to conduct attacks since 2022. The NCA identified Aleksandr Ryzhenkov as Yakubets’ alleged second-in-command overseeing these operations. Following a significant international law enforcement disruption of LockBit in February, the NCA reports that the gang’s operations have been diminished.
The NCA concluded in its report, “Born out of a coalescing of elite cybercriminals, Evil Corp’s sophisticated business model made them one of the most pervasive and persistent cybercrime adversaries to date. After being hampered by the December 2019 sanctions and indictments, the group has been forced to diversify their tactics as they attempt to continue causing harm while adapting to the changing cybercrime ecosystem.”