International law enforcement has worked for years to disrupt the cybercriminal gang Evil Corp and its egregious global crime spree. But in a crowded field of prolific Russian cybercriminals, Evil Corp is most notable for its singular relationship with Russian intelligence.
On Tuesday, the United Kingdom’s National Crime Agency released new details about the real-world identities of alleged Evil Corp members, the group’s connection to the LockBit platform, and the gang’s ties to the Russian state. Researchers have increasingly established that there are loose, quid pro quo connections between Russian cybercriminals and the country’s government. But NCA officials emphasize that Evil Corp is an unusual example of a gang that has direct relationships with multiple Russian intelligence agencies—including Russia’s Federal Security Service, or FSB; Foreign Intelligence Service, or SVR; and military intelligence agency known as the GRU. And the NCA reports that before 2019, Evil Corp was specifically “tasked” by Russia’s intelligence services with conducting espionage operations and cyberattacks against unidentified “NATO allies.”
For more than a decade, Evil Corp has used its Dridex malware and other hacking tools to compromise thousands of bank accounts around the world and steal funds. In 2017, the group expanded into ransomware, using strains like Hades and PhoenixLocker, and then using the LockBit platform as an affiliate beginning in 2022. The group has extorted at least $300 million from victims on tops of its other spoils, and the United States Department of State is offering a $5 million reward for information leading to the arrest of the gang’s alleged leader, Maksim Yakubets.
“Evil Corp’s story is a prime example of the evolving threat posed by cybercriminals and ransomware operators,” the NCA wrote on Tuesday in a joint report with the FBI and Australian Federal Police. “In their case, the activities of the Russian state played a particularly significant role, sometimes even co-opting this cybercrime group for its own malicious cyber activity.”
Unlike many Russian cybercrime groups that have evolved a distributed leadership structure online, NCA officials say that Evil Corp is organized like a more traditional crime syndicate around Yakubets’ family and friends. His father, Viktor Yakubets, allegedly has a background in money laundering, and Maksim’s brother Artem, along with cousins Kirill and Dmitry Slobodskoy, are all allegedly involved with the group. Officials also allege that the group has operated out of physical locations, including Chianti Café and Scenario Café in Moscow.
Officials say that Maksim Yakubets has always been the primary liaison between Evil Corp and Russian intelligence. But other members, including his father-in-law, Eduard Benderskiy, also allegedly contribute to the relationships. Benderskiy is reportedly a former FSB official who worked in the mysterious ‘Vympel’ unit and, according to Bellingcat, may have been involved in a series of overseas assassinations. NCA officials say that after the US’s 2019 sanctions and indictments against Evil Corp members, Benderskiy worked to protect the gang’s senior members within Russia.
In spite of its longtime dominance, Evil Corp has had to continue evolving to keep making money. While it denies a relationship, the group seemed to have used the notorious ransomware-as-a-service platform LockBit to conduct attacks since 2022. And Yakubets’ alleged second in command, whom NCA officials named on Tuesday as Aleksandr Ryzhenkov, was apparently overseeing this work. After international law enforcement launched a major disruption of LockBit in February, the gang has been operating in a diminished capacity, according to the NCA.
“Born out of a coalescing of elite cybercriminals, Evil Corp’s sophisticated business model made them one of the most pervasive and persistent cybercrime adversaries to date,” the NCA wrote. “After being hampered by the December 2019 sanctions and indictments, the group have been forced to diversify their tactics as they attempt to continue causing harm whilst adapting to the changing cybercrime ecosystem.”