Thursday 5 Dec 2019
A Russian national who runs Evil Corp – the world’s most harmful cyber crime group that created and deployed malware causing financial losses totalling hundreds of millions of pounds in the UK alone – has been indicted in the United States following unprecedented collaboration between the NCA, the FBI and the National Cyber Security Centre.
Maksim Yakubets, aged 32, from Moscow, is charged in relation to two separate international computer hacking and bank fraud schemes, spanning from May 2009 to the present.
A dedicated team in the NCA began working with multiple partners to investigate one of the group’s core malware strains, Dridex, in 2014.
These officers developed intelligence and identified evidential material over several years to support the US indictments.
Intelligence provided by the NCA has also been used to support sanctions brought by the US Treasury Department’s Office of Foreign Asset Control (OFAC) against Evil Corp, Yakubets, Turashev and 21 associated entities. As a result of these designations, any property under US jurisdiction held by those subject to sanction has been blocked, and US persons are prohibited from engaging in transactions with them.
NCA and FBI action in 2015 briefly disabled the Dridex botnet. Within weeks Evil Corp were able to adapt the malware and infrastructure to resume criminal activities. In the same year, another operation led to the arrest of Andrey Ghinkul, a Dridex distributor known as ‘Smilex’.
Investigations in the UK by the NCA and the Metropolitan Police have also targeted Yakubets’ network of money launderers who have funnelled profits back to Evil Corp. Eight people have been sentenced to a total of over 40 years in prison.
Yakubets, who drives a customised Lamborghini supercar with a personalised number plate that translates to ‘Thief’ and spent over a quarter of a million pounds on his wedding, is now subject to a $5 million US State Department reward – the largest ever reward offered for a cyber criminal.
Fellow Russian Igor Turashev, aged 38, who is Yakubets’ administrator and controls the Dridex malware, has also been indicted for cyber crime offences.
If Yakubets, who used the online moniker ‘Aqua’, ever leaves the safety of Russia he will be arrested and extradited to the US. The work carried out by the NCA and its partners means he has now been exposed to the world and will be subject to significant international scrutiny. It also restricts his ability to operate with other criminals who will find him toxic to deal with.
Lynne Owens, Director General of the NCA, said: “The significance of this group of cyber criminals is hard to overstate; they have been responsible for campaigns targeting our financial structures with multiple strains of malware over the last decade. We are unlikely to ever know the full cost, but the impact on the UK alone is assessed to run into the hundreds of millions.
“These indictments demonstrate that our world-leading law enforcement, in unparalleled cooperation with our US allies, is tirelessly committed to cracking down on cyber criminality – pursuing legal action and targeting their finances no matter where criminals are based.
“It is our assessment that Maksim Yakubets and Evil Corp – the cyber crime group he controls – represent the most significant cyber crime threat to the UK.
“While the harm caused by this group has targeted mainly financial institutions, there is no doubt that their activity has had real world impacts, defrauding and stealing from victims in the UK and worldwide. The Lamborghini Yakubets drives was someone’s life savings, now emptied from their bank account.
“We will continue to work closely with our international partners, be that in the US, Europe or elsewhere in the world, to present a united front against online criminals that threaten our prosperity and security.”
Using multiple online identities, primarily that of ‘Aqua’, Yakubets was subject to UK and international investigations for his involvement in multiple malware campaigns including Dridex and Zeus variants. Aqua was also included in a 2014 US criminal complaint issued against Evgeniy Bogachev for his role in Zeus malware. Bogachev remains on the FBI’s most wanted list with a reward of $3 million, previously the highest sum offered for a cyber criminal.
These malware strains have been considered among the world’s most prominent cyber threats, responsible for enabling fraud, stealing data, and theft from businesses and individuals. In 2016, Symantec assessed that Dridex was configured to target the customers of nearly 300 different organisations in over 40 countries.
Financial malware is commonly installed through emails that contain infected attachments. The downloaded malware then remains hidden on a victim’s system to gather private and personal data, which is subsequently exploited to steal money and enable fraud. Through this method, Evil Corp is thought to have stolen millions of pounds directly from UK victims to fund their lavish criminal lifestyles.
Paul Chichester, NCSC Director Operations, said: “Today’s announcement is the result of a multi-year investigation with our law enforcement and international partners.
“Dridex has been targeting UK victims since at least 2014, compromising and stealing from large organisations, SMEs and the general public.
“Malware is a continuing cyber threat but we can all reduce our risk of becoming victims to cyber criminals by ensuring our devices are patched, anti-virus is turned on and up to date and files are backed up.”
Assistant Attorney General Brian A. Benczkowski of the US Justice Department’s Criminal Division said: “Maksim Yakubets allegedly has engaged in a decade-long cybercrime spree that deployed two of the most damaging pieces of financial malware ever used and resulted in tens of millions of dollars of losses to victims worldwide.
“These two cases demonstrate our commitment to unmasking the perpetrators behind the world’s most egregious cyberattacks. The assistance of our international partners, in particular the National Crime Agency of the United Kingdom, was crucial to our efforts to identify Yakubets and his co-conspirators.”
FBI Deputy Director David Bowdich said: “Today's announcement involved a long running investigation of a sophisticated organized cyber-crime syndicate.
“The charges highlight the persistence of the FBI and our partners to vigorously pursue those who desire to profit from innocent people through deception and theft.
“By calling out those who threaten American businesses and citizens, we expose criminals who hide behind devices and launch attacks that threaten our public safety and economic stability. The actions highlighted today, which represent a continuing trend of cyber-criminal activity emanating from Russian actors, were particularly damaging as they targeted U.S. entities across all sectors and walks of life.
“The FBI, with the assistance of private industry and our international and U.S. government partners, is sending a strong message that we will work together to investigate and hold all criminals accountable. Our memory is long and we will hold them accountable under the law, no matter where they attempt to hide.”
Anyone with information about suspected cyber crime can contact Crimestoppers on 0800 555 111 anonymously or visit www.crimestoppers-uk.org.
Businesses or individuals can report cyber attacks to Action Fraud via their website – www.actionfraud.police.uk.
 The nature of financial trojans means that some people will never know they’ve been infected and those that have lost money are unlikely to know which malware was the cause.
 There have been various variations of Zeus, high end credential stealing malware
NCA Media Team
Visual material is available via these links:-
For more information about the indictments, please visit:
For detail of the US Treasury sanctions, please visit:-
In August 2015, a joint NCA and FBI investigation led to the arrest of Andrey Ghinkul, known online as “Smilex”, for spreading Dridex malware as part of Yakubets’ Evil Corp group. Despite the effectiveness of this international activity, Yakubets, and the specialists he employs as part of the group, adapted the malware to resume UK infections.