Evil Corp. – A Russian Organized Crime Group – Overview – 2024

Evil Corp. – A Russian Organized Crime Group – Overview

Evil Corp (aka Indrik Spider) a Major Russian Cybercriminal Organization

Organized Crime – A SCARS Institute Insight

Authors:
•  SCARS Institute Encyclopedia of Scams Editorial Team – Society of Citizens Against Relationship Scams Inc.
•  Portions from the UK National Crime Agency

Article Abstract

Evil Corp, also known as Indrik Spider, is a notorious Russian cybercrime organization led by Maksim Yakubets. Originating as a family-centered operation in Moscow, the group became one of the most pervasive and sophisticated cybercrime adversaries, primarily engaging in financial crimes through malware and ransomware.

Over time, Evil Corp built close ties with Russian intelligence services, conducting cyber-attacks and espionage operations on behalf of the state. Despite facing sanctions and indictments from the US and UK in 2019, Evil Corp adapted by diversifying its tactics, including deploying new ransomware strains like WastedLocker and affiliating with LockBit. Government action in 2024 further exposed and disrupted the group’s ongoing activities.

Evil Corp. - A Russian Organized Crime Group - Overview - 2024

Evil Corp (aka Indrik Spider) a Major Russian Cybercriminal Organization

Who is Evil Corp?

Evil Corp (also known as Indrik Spider) originated in Russia and is the most pervasive cybercrime group to ever have operated. Maksim Yakubets, who also goes by the online alias ‘Aqua’ and has a $5 million bounty for his arrest, was Evil Corp’s founder and led the group for the majority of its lifespan.

One of the first major financial cybercrime groups, Evil Corp. developed a series of malware and ransomware strains that have caused significant harm to numerous organizations and sectors, including healthcare, critical national infrastructure, and government.

Several law enforcement and government operations have taken place to disrupt the group since its formation, most notably in the form of sanctions and indictments in December 2019. As a result, the group has been forced to scrap its modus operandi and attempt new tactics to evade the additional scrutiny
and restrictions put on them.

Characterized by their longevity, adaptability, organizational hierarchy, and close links with the Russian state, Evil Corp. has proved a persistent threat for over a decade, and members continue to operate within the Russian Federation. However, since late-2019, their success and influence in the cybercrime ecosystem
have dwindled.

This is based on a UK National Crime Agency paper that provides a high-level overview of the group’s origins, operations, and evolution.

The Evil Corp Group

The majority of organized cybercrime groups operate predominately online, but Maksim Yakubets’ Evil Corp was a more personal affair: a family-centered operation based in Moscow, reminiscent of a traditional organized crime gang.

The Yakubets family were no strangers to financial crime: Viktor Yakubets, father of Maksim, had significant historical ties to money laundering activity. Maksim took this family business into the 21st century, branching into cybercrime and bringing his father, brother (Artem), and cousins (Kirill and Dmitry Slobodskoy) along with him.

By drawing on this family knowledge, Evil Corp became experts in laundering the proceeds of their cybercriminal activities.

Highly organized, a huge amount of resources was invested in professionalizing their business, whether that be by managing money mule networks, cryptocurrency trading, setting up front companies or employing lawyers. Although their technical capabilities were advanced, it was arguably their ability to realize the proceeds of their cybercrime that made them so successful.

At their peak, Evil Corp was a tight-knit group, operating out of physical office locations in Moscow (including Chianti Café and Scenario Café), and spending a lot of time socializing together, along with their wives and girlfriends. They even went on group holidays.

Maksim was the leader of the group, making all of the important decisions and keeping a firm grip on their activities. He was careful about exposing different group members to different areas of the business, even keeping details of his work secret from his wife.

However, he clearly placed a lot of trust in his long-term associate and second-in-command, Aleksandr Ryzhenkov. Yakubets started working with Ryzhenkov around 2013 whilst they were both still involved in The Business Club. The partnership endured, and they worked together on a number of Evil Corp’s most prolific ransomware strains.

Cyber Proxies: Evil Corp. and the Russian State

Whilst most cybercriminal activity is financially motivated, the Russian Intelligence Services have in some reported cases directed cybercriminals to conduct malicious cyber activity or used malware strains for espionage purposes. For example, in 2017, two Russian FSB officers were indicted by the US Department of Justice (DoJ) for directing criminal hackers to compromise 500 million Yahoo accounts. Another notable Russian cybercriminal, Vitaly Kovalev, who was sanctioned by the UK and US governments in 2023 for his senior role in the Trickbot cybercrime group, also had a relationship with the Russian Intelligence Services.

Evil Corp held a privileged position, and the relationship between the Russian state and this cybercriminal group went far beyond the typical state-criminal relationship of protection, payoffs, and racketeering. In fact, prior to 2019, Evil Corp was tasked by Russian Intelligence Services to conduct cyber-attacks and espionage operations against NATO allies.

Liaison with the intelligence services was led by Maksim Yakubets. As Evil Corp evolved, he became the group’s main contact with Russian officials, developing or seeking to develop relationships with FSB, SVR, and GRU officials. Multiple other members of the Evil Corp group have their own ties with the Russian state.

In particular, Yakubets’ father-in-law, Eduard Benderskiy, was a key enabler of Evil Corp’s state relationships.

Eduard Benderskiy is a former high-ranking official of the FSB’s secretive ‘Vympel’ unit and now owns various organizations carrying the ‘Vympel’ name. It has been reported by Bellingcat that through Vympel, Benderskiy has been involved in multiple overseas assassinations on behalf of the Russian state. Evidently, he is a highly connected individual still closely involved with the Kremlin’s activities.

Benderskiy leveraged his status and contacts to facilitate Evil Corp’s developing relationships with officials from the Russian Intelligence Services. After the US sanctions and indictments against Evil Corp members in December 2019, Benderskiy used his extensive influence to protect the group, both by providing senior members with security and by ensuring they were not pursued by internal Russian authorities.

Timeline of Evil Corp.’s Activity

2007-2011: The Early Days

    • Maksim Yakubets, leader of the Evil Corp OCG, probably began his involvement in cybercrime activity around 2007.
    • Since at least 2009, Yakubets worked with several notorious cybercriminals including Evgeniy Bogachev and Vitaliy Kovalev (involved in Dyre, Trickbot and Conti) to deploy malware.

2011-2014: The Business Club

    • A number of Russian-speaking cybercriminals, including Maksim Yakubets and Vitaliy Kovalev, came together to form The Business Club cybercrime group. Yakubets would later team up with other members, Igor Turashev and Aleksandr Ryzhenkov, in Evil Corp.
    • Aleksandr Ryzhenkov was part of an affiliate group of The Business Club which specialised in bank transfer fraud against the UK.

2014: Dridex and the Formation of Evil Corp as an OCG

    • Maksim Yakubets worked with Aleksandr Ryzhenkov and other former members of The Business Club to create Dridex malware.
    • Dridex was brought into operation in June 2014 and went on to become one of the most prolific and successful banking malware strains to date. The group set up the domain Ev17corp.biz to coordinate their operations, and Evil Corp was born.
    • Much like current Ransomware as a Service (RaaS) models, Evil Corp segmented and rented out the Dridex botnet to affiliates who could use it for their own malicious cyber operations.

2017-2018: BitPaymer – The Group Begins Using Ransomware

    • In mid-2017, Evil Corp used Dridex to start deploying ransomware. BitPaymer was used in a number of big game hunting attacks, targeting high value or high-profile organizations.

2019-2020: The Split – DoppelPaymer

    • After an acrimonious split between Maksim Yakubets and another key Evil Corp member, Igor Turashev (beginning in mid-2019 but exacerbated by the December 2019 disruption), the group divided, and Turashev led the development of DoppelPaymer ransomware. DoppelPaymer was first observed in mid-2019 and continued infecting organizations throughout 2020.
    • Since 2023, Igor Turashev is wanted by the German authorities for his involvement in DoppelPaymer ransomware.
    • The remaining Evil Corp group, led by Yakubets and Ryzhenkov, began developing a new ransomware that would eventually become WastedLocker.

December 2019: US/UK Disruption

    • Following operational support from the NCA, the US Treasury Office for Foreign Assets Control (OFAC) designated Evil Corp and a number of its members. The US Department of Justice also announced indictments and State Department rewards for information leading to the arrest of Maksim Yakubets and Igor Turashev.
    • The disruptions in 2019 brought significant cost and risk to the group’s operations and bred mistrust and paranoia.

2020: Obfuscation and Evasion – WastedLocker

    • Evil Corp. was forced to transform its modus operandi to further obfuscate its activities. This included no longer using Dridex and switching to the initial access tool SocGholish.
    • The individuals became more secretive, abandoning online accounts and restricting their movements.
    • Despite attempts to obfuscate their activities, Evil Corp was attributed to the WastedLocker ransomware strain, which they started deploying in mid-2020.

2020-2021: Hades, Phoenix Locker, PayloadBIN and Macaw

    • Evil Corp continued to adapt and change their ransomware strains. They developed and deployed further ransomware strains Hades, Phoenix Locker, PayloadBIN, and Macaw, all of which shared a similar codebase.
    • One of the notable attacks using Phoenix Locker resulted in a $40 million ransomware payment, the largest ever recorded at the time.
      2022-2024: Diversification and Affiliation to LockBit
    • Whilst many original members are suspected to have gone on to other activity, some remaining Evil Corp members and affiliates have been involved in deploying other ransomware strains since 2022, including LockBit, continuing to employ SocGholish as an initial access tool.
    • The NCA has determined that Aleksandr Ryzhenkov, Yakubets’ right-hand man, is a LockBit affiliate and has been involved in LockBit ransomware attacks against numerous organizations.
    • LockBit ransomware was disrupted by an NCA-led international law enforcement takedown in February 2024 under Operation Cronos.
    • Other members of the group continue to operate within the Russian Federation. For example, in December 2022, Igor Turashev and his company came third in a hackathon organized by the Wagner group.

Recent Action

Further Evil Corp. cybercriminals exposed following NCA investigation, one unmasked as LockBit affiliate, as UK, US, and Australia unveil sanctions.

16 members of Evil Corp, once believed to be the most significant cybercrime threat in the world have been sanctioned in the UK with their links to the Russian state and other ransomware groups, including LockBit, exposed. Sanctions have also been imposed by Australia and the US.

An extensive investigation by the NCA has helped map out the history and reach of Evil Corp’s criminality; from a family-centered financial crime group in Moscow that branched out into cybercrime, going on to extort at least $300 million from victims globally.

Today, the head of Evil Corp, Maksim Yakubets, and eight of those sanctioned by the US in 2019 have also been sanctioned in the UK by the Foreign, Commonwealth and Development Office, along with an additional seven individuals whose links and support for the group have not previously been exposed.

This includes Aleksandr Ryzhenkov, Yakubets’ right-hand man who has also been identified as a LockBit affiliate as part of Operation Cronos – the ongoing NCA-led international disruption of the group.

Conclusion

Evil Corp’s story is a prime example of the evolving threat posed by cybercriminals and ransomware operators. In their case, the activities of the Russian state played a particularly significant role, sometimes even co-opting this cybercrime group for its own malicious cyber activity. Born out of a coalescing of elite cybercriminals, Evil Corp.’s sophisticated business model made them one of the most pervasive and persistent cybercrime adversaries to date. After
being hampered by the December 2019 sanctions and indictments, the group has been forced to diversify its tactics as it attempted to continue causing harm whilst adapting to the changing cybercrime ecosystem. In 2024, further action taken against Evil Corp by the United Kingdom, United States, and Australian governments proves their attempts have not gone unnoticed and will not go unchallenged.

Evil Corp. - A Russian Organized Crime Group - Overview - 2024 1

Please Leave Us Your Comment
Also, tell us of any topics we might have missed.

Leave a Reply

Your comments help the SCARS Institute better understand all scam victim/survivor experiences and improve our services and processes. Thank you

Your email address will not be published. Required fields are marked *

Thank you for your comment. You may receive an email to follow up. We never share your data with marketers.

Recent Reader Comments

Important Information for New Scam Victims

If you are looking for local trauma counselors please visit counseling.AgainstScams.org or join SCARS for our counseling/therapy benefit: membership.AgainstScams.org

If you need to speak with someone now, you can dial 988 or find phone numbers for crisis hotlines all around the world here: www.opencounseling.com/suicide-hotlines

A Question of Trust

At the SCARS Institute, we invite you to do your own research on the topics we speak about and publish, Our team investigates the subject being discussed, especially when it comes to understanding the scam victims-survivors experience. You can do Google searches but in many cases, you will have to wade through scientific papers and studies. However, remember that biases and perspectives matter and influence the outcome. Regardless, we encourage you to explore these topics as thoroughly as you can for your own awareness.

SCARS Resources:

Other Cyber Resources

-/ 30 /-

What do you think about this?
Please share your thoughts in a comment below!

Legal Disclaimer:

The content provided on this platform regarding psychological topics is intended solely for educational and entertainment purposes. The publisher makes no representations or warranties regarding the accuracy or completeness of the information presented. The content is designed to raise awareness about various psychological subjects, and readers are strongly encouraged to conduct their own research and verify information independently.

The information presented does not constitute professional advice, diagnosis, or treatment of any psychological disorder or disease. It is not a substitute for professional medical or mental health advice, diagnosis, or treatment. Readers are advised to seek the guidance of a licensed medical professional for any questions or concerns related to their mental health.

The publisher disclaims any responsibility for actions taken or not taken based on the content provided. The treatment of psychological issues is a serious matter, and readers should consult with qualified professionals to address their specific circumstances. The content on this platform is not intended to create, and receipt of it does not constitute, a therapist-client relationship.

Interpretation and Definitions

Definitions

For the purposes of this Disclaimer:

  • Company (referred to as either “the Company”, “We”, “Us” or “Our” in this Disclaimer) refers to Society of Citizens Against Relationship Scams Inc. (registered d.b.a. “SCARS”,) 9561 Fountainbleau Blvd., Suit 602, Miami FL 33172.
  • Service refers to the Website.
  • You means the individual accessing this website, or the company, or other legal entity on behalf of which such individual is accessing or using the Service, as applicable.
  • Website refers to RomanceScamsNOW.com, accessible from https://romancescamsnow.com

Website Disclaimer

The information contained on this website is for general information purposes only.

The Company assumes no responsibility for errors or omissions in the contents of the Service.

In no event shall the Company be liable for any special, direct, indirect, consequential, or incidental damages or any damages whatsoever, whether in an action of contract, negligence or other tort, arising out of or in connection with the use of the Service or the contents of the Service. The Company reserves the right to make additions, deletions, or modifications to the contents on the Service at any time without prior notice.

The Company does not warrant this website in any way.

External Links Disclaimer

This website may contain links to external websites that are not provided or maintained by or in any way affiliated with the Company.

Please note that the Company does not guarantee the accuracy, relevance, timeliness, or completeness of any information on these external websites.

Errors and Omissions Disclaimer

The information given by SCARS is for general guidance on matters of interest only. Even if the Company takes every precaution to ensure that the content of this website is both current and accurate, errors can occur. Plus, given the changing nature of laws, rules, and regulations, there may be delays, omissions, or inaccuracies in the information contained on this website.

SCARS is not responsible for any errors or omissions, or for the results obtained from the use of this information.

Fair Use Disclaimer

SCARS may use copyrighted material that has not always been specifically authorized by the copyright owner. The Company is making such material available for criticism, comment, news reporting, teaching, scholarship, or research.

The Company believes this constitutes a “fair use” of any such copyrighted material as provided for in section 107 of the United States Copyright law.

If You wish to use copyrighted material from this website for your own purposes that go beyond fair use, You must obtain permission from the copyright owner.

Views Expressed Disclaimer

The Service may contain views and opinions which are those of the authors and do not necessarily reflect the official policy or position of any other author, agency, organization, employer, or company, including SCARS.

Comments published by users are their sole responsibility and the users will take full responsibility, liability, and blame for any libel or litigation that results from something written in or as a direct result of something written in a comment. The Company is not liable for any comment published by users and reserves the right to delete any comment for any reason whatsoever.

No Responsibility Disclaimer

The information on the Service is provided with the understanding that the Company is not herein engaged in rendering legal, accounting, tax, medical or mental health, or other professional advice and services. As such, it should not be used as a substitute for consultation with professional accounting, tax, legal, medical or mental health, or other competent advisers.

In no event shall the Company, its team, board of directors, volunteers, or its suppliers be liable for any special, incidental, indirect, or consequential damages whatsoever arising out of or in connection with your access or use or inability to access or use the Service.

“Use at Your Own Risk” Disclaimer

All information on this website is provided “as is”, with no guarantee of completeness, accuracy, timeliness or of the results obtained from the use of this information, and without warranty of any kind, express or implied, including, but not limited to warranties of performance, merchantability, and fitness for a particular purpose.

SCARS will not be liable to You or anyone else for any decision made or action taken in reliance on the information given by the Service or for any consequential, special, or similar damages, even if advised of the possibility of such damages.

Contact Us

If you have any questions about this Disclaimer, You can contact Us:

  • By email: contact@AgainstScams.org

PLEASE NOTE: Psychology Clarification

The following specific modalities within the practice of psychology are restricted to psychologists appropriately trained in the use of such modalities:

  • Diagnosis: The diagnosis of mental, emotional, or brain disorders and related behaviors.
  • Psychoanalysis: Psychoanalysis is a type of therapy that focuses on helping individuals to understand and resolve unconscious conflicts.
  • Hypnosis: Hypnosis is a state of trance in which individuals are more susceptible to suggestion. It can be used to treat a variety of conditions, including anxiety, depression, and pain.
  • Biofeedback: Biofeedback is a type of therapy that teaches individuals to control their bodily functions, such as heart rate and blood pressure. It can be used to treat a variety of conditions, including stress, anxiety, and pain.
  • Behavioral analysis: Behavioral analysis is a type of therapy that focuses on changing individuals’ behaviors. It is often used to treat conditions such as autism and ADHD.
    Neuropsychology: Neuropsychology is a type of psychology that focuses on the relationship between the brain and behavior. It is often used to assess and treat cognitive impairments caused by brain injuries or diseases.

SCARS and the members of the SCARS Team do not engage in any of the above modalities in relationship to scam victims. SCARS is not a mental healthcare provider and recognizes the importance of professionalism and separation between its work and that of the licensed practice of psychology.

SCARS is an educational provider of generalized self-help information that individuals can use for their own benefit to achieve their own goals related to emotional trauma. SCARS recommends that all scam victims see professional counselors or therapists to help them determine the suitability of any specific information or practices that may help them.

SCARS cannot diagnose or treat any individuals, nor can it state the effectiveness of any educational information that it may provide, regardless of its experience in interacting with traumatized scam victims over time. All information that SCARS provides is purely for general educational purposes to help scam victims become aware of and better understand the topics and to be able to dialog with their counselors or therapists.

It is important that all readers understand these distinctions and that they apply the information that SCARS may publish at their own risk, and should do so only after consulting a licensed psychologist or mental healthcare provider.

SCARS IS A DIGITAL PUBLISHER AND DOES NOT OFFER HEALTH OR MEDICAL ADVICE, LEGAL ADVICE, FINANCIAL ADVICE, OR SERVICES THAT SCARS IS NOT LICENSED OR REGISTERED TO PERFORM.

IF YOU’RE FACING A MEDICAL EMERGENCY, CALL YOUR LOCAL EMERGENCY SERVICES IMMEDIATELY, OR VISIT THE NEAREST EMERGENCY ROOM OR URGENT CARE CENTER. YOU SHOULD CONSULT YOUR HEALTHCARE PROVIDER BEFORE FOLLOWING ANY MEDICALLY RELATED INFORMATION PRESENTED ON OUR PAGES.

ALWAYS CONSULT A LICENSED ATTORNEY FOR ANY ADVICE REGARDING LEGAL MATTERS.

A LICENSED FINANCIAL OR TAX PROFESSIONAL SHOULD BE CONSULTED BEFORE ACTING ON ANY INFORMATION RELATING TO YOUR PERSONAL FINANCES OR TAX RELATED ISSUES AND INFORMATION.

SCARS IS NOT A PRIVATE INVESTIGATOR – WE DO NOT PROVIDE INVESTIGATIVE SERVICES FOR INDIVIDUALS OR BUSINESSES. ANY INVESTIGATIONS THAT SCARS MAY PERFORM IS NOT A SERVICE PROVIDED TO THIRD-PARTIES. INFORMATION REPORTED TO SCARS MAY BE FORWARDED TO LAW ENFORCEMENT AS SCARS SEE FIT AND APPROPRIATE.

This content and other material contained on the website, apps, newsletter, and products (“Content”), is general in nature and for informational purposes only and does not constitute medical, legal, or financial advice; the Content is not intended to be a substitute for licensed or regulated professional advice. Always consult your doctor or other qualified healthcare provider, lawyer, financial, or tax professional with any questions you may have regarding the educational information contained herein. SCARS makes no guarantees about the efficacy of information described on or in SCARS’ Content. The information contained is subject to change and is not intended to cover all possible situations or effects. SCARS does not recommend or endorse any specific professional or care provider, product, service, or other information that may be mentioned in SCARS’ websites, apps, and Content unless explicitly identified as such.

The disclaimers herein are provided on this page for ease of reference. These disclaimers supplement and are a part of SCARS’ website’s Terms of Use. 

All original content is Copyright © 1991 – 2023 Society of Citizens Against Relationship Scams Inc. (Registered D.B.A SCARS) All Rights Reserved Worldwide & Webwide. Third-party copyrights acknowledge.

U.S. State of Florida Registration Nonprofit (Not for Profit) #N20000011978 [SCARS DBA Registered #G20000137918] – Learn more at www.AgainstScams.org

View the claimed and or registered indicia, service marks, and trademarks of Society of Citizens Against Relationship Scams Inc., All Rights Reserved Worldwide

Contact the law firm for the Society of Citizens Against Relationship Scams Incorporated by email at legal@AgainstScams.org

Share This Information - Choose Your Social Media!

Leave A Comment

Your comments help the SCARS Institute better understand all scam victim/survivor experiences and improve our services and processes. Thank you


Thank you for your comment. You may receive an email to follow up. We never share your data with marketers.