Federal investigators have charged a 32-year-old Russian national for running “Evil Corp,” a massive cybercrime ring that used phishing emails and malware to break into bank accounts across the globe.
On Thursday, the Justice Department unsealed an indictment against Moscow resident Maksim Yakubets for a “decade-long cybercrime spree” that involved distributing two infamous malware strains: Dridex and Zeus. Both are capable of secretly infecting computers to steal login credentials for bank accounts.
Allegedly, Yakubets’s hacking schemes date back to May 2009, first with the Zeus malware strain. He’s since developed a cybercrime empire through Evil Corp, which develops and distributes Dridex with the help of dozens of hired accomplices based out of Moscow. To rake in more cash, Yakubets and his team have also been using the Dridex malware to deliver ransomware to victims’ computers.
But perhaps the most startling allegation is that Yakubets has also been aiding the Russian government. According to the Treasury Department, he’s been working with the Kremlin’s spy agency, the Federal Security Service, since 2017. “Yakubets was tasked to work on projects for the Russian state, to include acquiring confidential documents through cyber-enabled means and conducting cyber-enabled operations on its behalf,” the department claimed without going into specifics.
The complaint against Yakubets claims the Zeus malware resulted in the theft of $220 million. Meanwhile, the Dridex strain raked in at least $100 million.
Members of Evil Corp are living a lavish lifestyle, funded by the life savings of their victims.
If Maksim Yakubets, who used the online identity of ‘Aqua’, ever leaves the safety of Russia he will be arrested and extradited to the US.
— National Crime Agency (NCA) (@NCA_UK) December 5, 2019
Since 2016, the group harvested customer login credentials from 300 banks and financial institutions in more than 40 countries. Thousands of business computers were also infected with the malware strains, which arrived via phishing emails.
Both Zeus and Dridex can operate by hijacking browser sessions to display fake online banking pages that secretly collect any information typed into them. This allowed Yakubets’s crime ring to nab passwords, one-time PIN codes, and the answers to security questions for online bank accounts.
One example of Yakubets’s exploits is a phishing email sent to an employee at a Pennsylvania school district back in 2011, which resulted in his operation looting $1 million from a district bank account and wiring the funds to a bank in Ukraine. To launder the funds, his operation has relied on hired money mules.
Although Yakubets remains at large, today’s charges are meant to serve as a warning: if he ever leaves Russia, international law enforcement agencies say they’ll attempt to nab him and extradite him to the US for trial. The FBI is also offering a $5 million reward for information that leads to Yakubets’ capture. “This represents the largest such reward offer for a cyber criminal to date,” the Justice Department said.
In addition, the Treasury Department has imposed new sanctions on 17 individuals and seven groups for their suspected involvement with Evil Corp in hacking into computers, managing the Dridex malware, and laundering the stolen money. Federal officials have also charged one of Yakubets’s accomplices, Russian national Igor Turashev, for helping to run the Dridex malware’s operations, and have placed him on the FBI’s wanted list.
“The FBI, with the assistance of private industry and our international and US government partners, is sending a strong message that we will work together to investigate and hold all criminals accountable,” said FBI deputy director David Bowdich in today’s announcement. “Our memory is long and we will hold them accountable under the law, no matter where they attempt to hide.”
Federal investigators appear to have been aware of Yakubets’s activities since 2009, when they seized a server his operation had used to transfer the stolen login credentials the Zeus malware had collected. The server contained chat logs involving a user with the handle “aqua” and the email address [email protected]. Back in 2010, US law enforcement transmitted a “mutual legal assistance request” to Russian authorities regarding the email address. The request turned up the name “Maksim Yakubets.”
The FBI’s complaint against Yakubets goes on to show the agency has been tracking visa applications Yakubets’ ex-wife and child have made to the US over the past decade.
According to the UK’s National Crime Agency, Yakubets has been living a lavish life. He apparently drives a customized Lamborghini sports car with a number plate that translates to the word “Thief.” He also spent around $300,000 on his wedding. The agency said that calling out Yakubets publicly is intended to deter other cybercriminals from working with him, since doing so would now attract attention.