For the last decade, the hackers behind Evil Corp have led a sustained assault on the bank accounts of thousands of victims across dozens of countries. By steadily evolving malware known as Bugat, they indiscriminately siphoned tens of millions of dollars from unwitting victims. Thursday, the FBI indicted Evil Corp’s alleged leader: Maksim V. Yakubets, also known as “aqua.”
The indictment, which you can read in full below, details in broad strokes the playbook that Yakubets and Igor Turashev, another Russian charged in the scheme, allegedly have rolled out countless times. They’d convince victims to click on a malicious link in a phishing email to download Bugat. Once installed, the malware would use a variety of techniques to steal: a keylogger to grab passwords, or creating fake banking pages to trick someone into voluntarily entering their credentials. Armed with that information, the hackers would arrange for electronic funds transfers from victim bank accounts to a network of so-called money mules, who would then get the funds back to Evil Corp.
“Each and every one of these intrusions was effectively a cyber-enabled bank robbery,” said assistant US attorney general Brian Benczkowski at a press conference announcing the indictment Thursday. Both men are still at-large in Russia.
Evil Corp was apparently also in the franchise business. According to court documents, Yakubets gave a UK resident access to Bugat in exchange for $100,000 up front, plus 50 percent of all revenues, with a minimum take of $50,000 a week. Like any good franchisor, Yakubets offered technical support as needed.
Since at least 2011, the FBI estimates that Bugat—also known as Dridex and Cridex—resulted in losses of $100 million or more across hundreds of banks. What makes the Evil Corp campaign so impressive isn’t just the scale, but how adaptable it has proved to be. Law enforcement has pursued them for years, even successfully prosecuting Dridex sysadmin Andrey Ghinkul. US law enforcement disabled some of the conspiracy’s sub-botnets in 2016 by sinkholing them. The FBI indicted a related Belarus-based money mule network that same year. And still, Evil Corp persisted.
“The Dridex malware conspiracy was a constantly evolving and adapting criminal enterprise that had a level of sophistication and scope of threat that we rarely see,” US attorney Scott Brady said at Thursday’s press conference. Over the years, Brady said, Evil Corp has switched from a centralized command-and-control center to peer-to-peer botnets to make their activities harder to trace, used more sophisticated so-called web injects to trick users into entering sensitive information, and ditched international wire transfers for the relative anonymity of ransomware tied to cryptocurrency payments.
“This is why this has been the most widespread and destructive malware and banking trojans in the world over the last decade,” Brady said.
In all, Yakubets and Turashev have been indicted on 10 Bugat-related counts, covering conspiracy, computer hacking, wire fraud, and bank fraud. But the Yakubets story goes further still. Which is maybe why the US government has taken the rare step of offering $5 million for information leading to his arrest.
Since 2006, few malware campaigns have caused as much international consternation as Zeus, a trojan horse that became the favored malware of organized crime. Both the original Zeus and its later variants, Jabber Zeus and GameOver Zeus, had a roughly similar modus operandi to Bugat: steal banking credentials, transfer the money. A separate criminal complaint also unsealed Thursday alleges that Yakubets has been involved almost since the beginning.
Zeus attacks netted $70 million from US targets, a diverse list that includes banks, a luggage store, and the Franciscan Sisters of Chicago. It hit 21 municipalities, banks, and nonprofit organizations in 11 states over its decade-long reign. The specific role Yakubets played, according to the criminal complaint, was to provide “money mules and their associated banking credentials in order to facilitate the movement of money which was withdrawn from victim accounts by fraudulent means.”
Law enforcement connected Yakubets to both Bugat and Zeus thanks in part to his “aqua” moniker, which allegedly showed up in chat transcripts from the Zeus crew that detail bank transfer data and discuss ongoing operations. The FBI was also aided, perhaps surprisingly, by the Russian government, which has been notoriously protective of its hackers, both state-sponsored and otherwise.
“It was helpful in the investigation—to a point,” said FBI deputy director David Bowdich at Thursday’s press conference.
The FBI also first asked for that assistance in 2010. But in a separate announcement Thursday of sanctions against Evil Corp and its enablers, spanning 17 individuals and seven entities in all, the US Treasury Department alleged that Yakubets later signed on with Russia’s FSB intelligence agency. “In addition to his leadership role within Evil Corp, Yakubets has also provided direct assistance to the Russian government,” the agency’s statement reads. “As of 2017, Yakubets was working for the Russian FSB, one of Russia’s leading intelligence organizations.”
It’s unclear exactly what role Yakubets is accused of playing with the FSB, but the allegations include “acquiring confidential documents through cyber-enabled means and conducting cyber-enabled operations.”
The indictment, criminal complaint, and sanctions announcement collectively paint Yakubets as something of a cybercrime Zelig. “Yakubets has allegedly been involved in cybercrime on an almost unimaginable scale for over a decade,” said the DOJ’s Benczkowski.
Indictments like this always invite the same question: What will it actually accomplish? Yakubets is safely ensconced in Russia, after all. The odds of actually bringing him to trial seem vanishingly slim.
Then again it’s not impossible. Take Ghinkul as an example, or Roman Seleznev, a Russian hacker arrested in 2016 in the Maldives and sentenced to 27 years in prison the following year. A successful arrest also isn’t the only potential positive outcome.
“Having your name, your face, or your description on a wanted poster makes moving around freely much more difficult,” the FBI’s Bowdich said at Thursday’s press conference. “Simply naming them in an indictment accomplishes a great deal. State sponsors and other clients prize hackers for their anonymity, deniability, and their stealth. Calling these actors out publicly through these indictments strips away that anonymity.”
And then there’s the matter of the $5 million. Offering a reward for leads like this has some precedent; there’s a $3 million bounty still extant for information relating to alleged Zeus mastermind Evgeniy Bogachev.
“You put into the equation that someone, whether or not it’s the Russian government, might decide the money is worth turning them over,” says David J. Hickton, founding director of the University of Pittsburgh Institute of Cyber Law Policy and Security, who also prosecuted the Ghinkul case.
Putting that $5 million forward can also invite certain trade-offs, says former White House homeland security adviser Tom Bossert.
“This bounty can’t hurt and could easily help by testing the honor of fellow thieves. I think it might well generate a lead,” Bossert says. “The two downsides will be the increased work of sifting through false tips and the potential for one day having to pay the bounty to an unsavory character, who might use the proceeds for bad. The cost-benefit trade-offs in this case make it worth trying.”
For now, Yakubets remains at large, and presumably still active; the DOJ cited Bugat attacks as recent as March 19. But shining a spotlight on his various alleged schemes can only make them harder to pull off in the future, whether or not he ever sees the inside of a courtroom.
Additional reporting by Andy Greenberg.
- Everybody loves Rey, a Star Wars story
- The tech-obsessed, hyper-experimental restaurant of the future
- 25 amazing gift ideas under $25
- Drawing with drones over the salt flats of Bolivia
- Here's the evidence that links Russia’s most brazen cyberattacks
- 👁 A safer way to protect your data; plus, the latest news on AI
- 🎧 Things not sounding right? Check out our favorite wireless headphones, soundbars, and Bluetooth speakers
