
The Russian family business that cheated British taxpayers out of millions

After years of ransomware attacks to extort millions, the world’s most wanted cybercrime gang has finally been forced out of the shadows

He’s the Russian-based alleged hacker known for his flashy lifestyle. With a personalised Lamborghini, pet lion cub and baby-faced appearance, Maksim Yakubets could pass for just another wealthy playboy. But the Ukraine-born 37-year-old is accused of heading up a group thought to pose the most serious cybercrime threat in the world.
Evil Corp, the gang whose name is thought to stem from the TV show Mr Robot, is said to have extorted at least $300 million from victims around the world, including in Britain, over the past decade. International efforts to disrupt their activities have been ongoing for years. But this week, the UK’s National Crime Agency (NCA) revealed new developments in its joint pursuit of the group. 
Along with the US and Australia, the UK has announced sanctions against 16 people said to be associated with Evil Corp. The NCA has also released a photograph of three close relatives it says are among the group’s key players: Maksim, his father Viktor, and his brother Artem. Dressed in colourful shirts, the men are seen posing for a family picture in front of a floral display. 
The cheerful shot seems at odds with the criminality attributed to them and their associates. According to the NCA, their group’s international targets have included those within healthcare, critical national infrastructure and government, among other sectors. 
Large British organisations are understood to have been among those hacked, as are British individuals. A type of malware the group is alleged to have developed early on, called Dridex, enabled the theft of bank details, including those of ordinary Britons. 
Over the years, UK victims are thought to have lost tens of millions of pounds in total, with some of this country’s biggest financial institutions among those hit. In total, thousands of individuals across dozens of countries have been targeted.
So how have this family and their associates allegedly managed to steal so much, for so long, from so many? 
Their story starts with Viktor Yakubets, who, according to a new paper on the group published by the NCA, had significant historical ties to money laundering activity. The Yakubetses’ so-called family business is said to have been given a modern upgrade when Maksim allegedly branched into cybercrime, a pursuit his father, brother Artem and cousins Kirill and Dmitry Slobodskoy are said to have joined him in.
“By drawing on this family knowledge, Evil Corp became experts in laundering the proceeds of their cybercriminal activities,” says the NCA paper. “Highly organised, a huge amount of resource was invested in professionalising their business, whether that be by managing money mule [individuals who ‘lend’ criminals their bank accounts so they can move money], cryptocurrency trading, setting up front companies or employing lawyers.”
The members of the group worked out of offices in Moscow, and even from cafes. They socialised together with their wives and girlfriends and went on group holidays. After allegedly forming in 2014, Evil Corp is said to have developed not only Dridex but another ransomware variant called BitPaymer, which they are accused of using to target banks and financial institutions in more than 40 countries, stealing more than $100 million. 
Gang members’ videos, released previously by the NCA, depict them flashing bundles of cash and showing off a £150,000 Lamborghini Huracán. Maksim had a customised number plate on his car, with a Russian word that translates as “thief” on it.
He is said to have made all the big decisions for the group, with a man called Aleksandr Ryzhenkov named by the NCA as his second in command. Together they are alleged to have developed various strains of ransomware, a type of malicious software that encrypts, or locks, devices or computer networks. The victim is then asked to pay a ransom in return for a key that will unlock their files. 
“Criminals can get a lot of money that way, that’s why it’s popular among [them],” says Dr Jason Nurse, a reader in cyber security at the University of Kent. “Many of these groups [of cybercriminals] have been around for such a long time, so they’ve perfected how these attacks work.”
One of the most high-profile victims of a ransomware attack in recent years is the British Library, which found itself locked out of its website and digital catalogue last October and facing the prospect of having to rebuild its entire IT system if it didn’t pay a £600,000 ransom. The organisation, which didn’t pay the ransom, is still recovering.
In the case of Evil Corp, it appears that the hackers have worked not only in their own silo but across different groups. In this week’s announcement from the NCA, Ryzhenkov’s alleged links to another prolific ransomware group, called LockBit, were also revealed. Ryzhenkov is among those sanctioned by the UK, as well as Maksim’s father Viktor and father-in-law Eduard Benderskiy, a former high-ranking official in Russia’s Federal Security Service. 
Investigators claim Ryzhenkov has been involved in LockBit ransomware attacks against numerous organisations. An international investigation into LockBit is ongoing. 
In August, this LockBit probe saw the NCA swoop on the quiet streets of Britain. In homes on residential roads in the south of England, two middle-aged British nationals were arrested. The 46-year-old man and 50-year-old woman were believed to be associated with a LockBit affiliate and were detained on suspicion of computer misuse and money laundering offences. Both were reportedly released while the investigation continues, and have not been identified.
Maksim – who goes by the online alias ‘Aqua’ – has meanwhile had a price on his head since 2019, when he was indicted in the US and sanctioned, along with several other alleged members of the group. A US $5 million bounty was offered for his arrest.
The action taken against the group five years ago is said to have succeeded in hurting them, making it harder for them to operate and extract ransom payments. However, they are believed to have responded by rebuilding and altering their modus operandi, stepping up their efforts to keep their activity hidden from law enforcement. 
The NCA says some members have had close links to the Russian state and that Evil Corp had even been tasked with carrying out cyber attacks and espionage operations against NATO allies. 
Benderskiy is alleged to have used his influence with the Russian state to protect the group. The Russian state’s activities have played “a particularly significant role” in the Evil Corp story, claims the NCA, who add that Russia has “sometimes even co-opt[ed] this cybercrime group for its own malicious cyber activity”.
But this isn’t the only reason they have been able to continue their activities for so long. With cryptocurrencies used to facilitate their transactions, groups like these can be hard for law enforcement to tackle. 
Cybercriminals “are not using traditional banking networks where things are heavily tracked and monitored,” explains Nurse. “They’re using cryptocurrencies that are harder to track and [allow more] anonymity.”
The international nature of cybercrime also poses a problem for authorities, he says. “A significant challenge has always been people in jurisdictions that don’t have extradition treaties or whose governments allow or support these types of activities. Even when we have people who are named publicly, often the reality is that unless that person leaves the country and goes somewhere else where there are extradition treaties [it’s hard to apprehend them].”
But the British arrests in the summer have not been the only ones. In the same month, French authorities arrested a suspected LockBit developer and Spanish police detained another person accused of facilitating LockBit infrastructure. In Spain, they also seized nine servers used by the group.
The British Government, for its part, is talking tough. “I am making it my personal mission to target the Kremlin with the full arsenal of sanctions at our disposal,” said Foreign Secretary David Lammy this week. “Putin has built a corrupt mafia state with himself at its centre. We must combat this at every turn, and today’s action is just the beginning.”
