International law enforcement operation exposes the world’s most harmful cyber crime group

A Russian national who runs Evil Corp – the world’s most harmful cyber crime group that created and deployed malware causing financial losses totalling hundreds of millions of pounds in the UK alone – has been indicted in the United States following unprecedented collaboration between the NCA, the FBI and the National Cyber Security Centre.

Maksim Yakubets, aged 32, from Moscow, is charged in relation to two separate international computer hacking and bank fraud schemes, spanning from May 2009 to the present. 

• The sophisticated, technically skilled crime group represents the most significant cyber crime threat to the  UK
• Yakubets employed dozens of people to run his operation from the basements of Moscow cafes
• Evil Corp targeted the UK for almost a decade with multiple strains of damaging malware, which defrauded and stole money from the bank accounts of members of the public and businesses^[1]
• If Yakubets ever leaves the safety of Russia he will be arrested and extradited the US
• Sanctions imposed by US Treasury on 24 entities restricting access to assets and international financial systems

A dedicated team in the NCA began working with multiple partners to investigate one of the group’s core malware strains, Dridex, in 2014.

These officers developed intelligence and identified evidential material over several years to support the US indictments.

Intelligence provided by the NCA has also been used to support sanctions brought by the US Treasury Department’s Office of Foreign Asset Control (OFAC) against Evil Corp, Yakubets, Turashev and 21 associated entities. As a result of these designations, any property under US jurisdiction held by those subject to sanction has been blocked, and US persons are prohibited from engaging in transactions with them. 

NCA and FBI action in 2015 briefly disabled the Dridex botnet. Within weeks Evil Corp were able to adapt the malware and infrastructure to resume criminal activities. In the same year, another operation led to the arrest of Andrey Ghinkul, a Dridex distributor known as ‘Smilex’.

Investigations in the UK by the NCA and the Metropolitan Police have also targeted Yakubets’ network of money launderers who have funnelled profits back to Evil Corp. Eight people have been sentenced to a total of over 40 years in prison.

Yakubets, who drives a customised Lamborghini supercar with a personalised number plate that translates to ‘Thief’ and spent over a quarter of a million pounds on his wedding, is now subject to a $5 million US State Department reward – the largest ever reward offered for a cyber criminal.

Fellow Russian Igor Turashev, aged 38, who is Yakubets’ administrator and controls the Dridex malware, has also been indicted for cyber crime offences.

If Yakubets, who used the online moniker ‘Aqua’, ever leaves the safety of Russia he will be arrested and extradited to the US. The work carried out by the NCA and its partners means he has now been exposed to the world and will be subject to significant international scrutiny. It also restricts his ability to operate with other criminals who will find him toxic to deal with.

Lynne Owens, Director General of the NCA, said: “The significance of this group of cyber criminals is hard to overstate; they have been responsible for campaigns targeting our financial structures with multiple strains of malware over the last decade. We are unlikely to ever know the full cost, but the impact on the UK alone is assessed to run into the hundreds of millions.

“These indictments demonstrate that our world-leading law enforcement, in unparalleled cooperation with our US allies, is tirelessly committed to cracking down on cyber criminality – pursuing legal action and targeting their finances no matter where criminals are based.

“It is our assessment that Maksim Yakubets and Evil Corp – the cyber crime group he controls – represent the most significant cyber crime threat to the UK.

“While the harm caused by this group has targeted mainly financial institutions, there is no doubt that their activity has had real world impacts, defrauding and stealing from victims in the UK and worldwide. The Lamborghini Yakubets drives was someone’s life savings, now emptied from their bank account.

“We will continue to work closely with our international partners, be that in the US, Europe or elsewhere in the world, to present a united front against online criminals that threaten our prosperity and security.”

Using multiple online identities, primarily that of ‘Aqua’, Yakubets was subject to UK and international investigations for his involvement in multiple malware campaigns including Dridex and Zeus^[2] variants. Aqua was also included in a 2014 US criminal complaint issued against Evgeniy Bogachev for his role in Zeus malware. Bogachev remains on the FBI’s most wanted list with a reward of $3 million, previously the highest sum offered for a cyber criminal. 

These malware strains have been considered among the world’s most prominent cyber threats, responsible for enabling fraud, stealing data, and theft from businesses and individuals. In 2016, Symantec assessed that Dridex was configured to target the customers of nearly 300 different organisations in over 40 countries.

Financial malware is commonly installed through emails that contain infected attachments. The downloaded malware then remains hidden on a victim’s system to gather private and personal data, which is subsequently exploited to steal money and enable fraud. Through this method, Evil Corp is thought to have stolen millions of pounds directly from UK victims to fund their lavish criminal lifestyles.

Paul Chichester, NCSC Director Operations, said: “Today’s announcement is the result of a multi-year investigation with our law enforcement and international partners.

“Dridex has been targeting UK victims since at least 2014, compromising and stealing from large organisations, SMEs and the general public.

“Malware is a continuing cyber threat but we can all reduce our risk of becoming victims to cyber criminals by ensuring our devices are patched, anti-virus is turned on and up to date and files are backed up.”

Assistant Attorney General Brian A. Benczkowski of the US Justice Department’s Criminal Division said: “Maksim Yakubets allegedly has engaged in a decade-long cybercrime spree that deployed two of the most damaging pieces of financial malware ever used and resulted in tens of millions of dollars of losses to victims worldwide.

“These two cases demonstrate our commitment to unmasking the perpetrators behind the world’s most egregious cyberattacks.  The assistance of our international partners, in particular the National Crime Agency of the United Kingdom, was crucial to our efforts to identify Yakubets and his co-conspirators.”

FBI Deputy Director David Bowdich said: “Today's announcement involved a long running investigation of a sophisticated organized cyber-crime syndicate.

“The charges highlight the persistence of the FBI and our partners to vigorously pursue those who desire to profit from innocent people through deception and theft.

“By calling out those who threaten American businesses and citizens, we expose criminals who hide behind devices and launch attacks that threaten our public safety and economic stability. The actions highlighted today, which represent a continuing trend of cyber-criminal activity emanating from Russian actors, were particularly damaging as they targeted U.S. entities across all sectors and walks of life.

“The FBI, with the assistance of private industry and our international and U.S. government partners, is sending a strong message that we will work together to investigate and hold all criminals accountable. Our memory is long and we will hold them accountable under the law, no matter where they attempt to hide.”

Anyone with information about suspected cyber crime can contact Crimestoppers on 0800 555 111 anonymously or visit www.crimestoppers-uk.org.

Businesses or individuals can report cyber attacks to Action Fraud via their website – www.actionfraud.police.uk.

 

[1] The nature of financial trojans means that some people will never know they’ve been infected and those that have lost money are unlikely to know which malware was the cause.

[2] There have been various variations of Zeus, high end credential stealing malware