Huge £3.7m manhunt to track down Putin's dark agent who hacked NATO allies

Key members of the world's most prolific cybercrime network were today named as "dark agents" of Vladimir Putin by law enforcement groups across the globe.

The UK National Crime Agency (NCA), US Federal Bureau of Investigation (FBI) and Australian Federal Police issue a joint publication identifying the leaders of the Evil Corp cybercrime network as assistants to the Russian security services, who launched cyber attacks on NATO members on their behalf.

The report said Evil Corp is led by Russian national cyber geek Maksim Yakubets, 37, who currently has a $5 million (£3.7m) FBI reward out for information that leads to his arrest and prosecution.

Evil Corps and Yakubets are closely tied with another international cybercrime group Lockbit, according to the NCA.

Lockbit is run by fellow Russian national Dmitry Khoroshev, 31, who has a $10m (£7.4m) FBI bounty on him.

LockBit provided ransomware-as-a-service (RaaS) to a global network of hackers or ‘affiliates’, supplying them with the tools and infrastructure to carry out attacks.

In February the NCA announced that it had infiltrated the group’s network and taken control of its services, including its leak site on the dark web, which compromised the entire criminal enterprise.

The true impact of LockBit’s criminality was previously unknown, but data obtained from their systems showed that between June 2022 and February 2024, more than 7,000 attacks were built using their services. The top five countries hit were the US, UK, France, Germany and China.

Attacks targeted over 100 hospitals and healthcare companies and at least 2,110 victims were forced into in some degree of negotiation by cyber criminals.

Yakubets and his associates have avoided arrest in Russia and have been able to enjoy lavish lifestyles there, on the spoils of their crimes, according to the NCA, due to their close association with the FSB and other Russian security services, it said.

The report states: "Evil Corp (also known as Indrik Spider) originated from Russia and are the most pervasive cybercrime

group to ever have operated.

"Maksim Yakubets, who also goes by the online alias ‘Aqua’ and has a $5 million bounty for his arrest, was Evil Corp’s founder and led the group for the majority of its lifespan.

One of the first major financial cybercrime groups, Evil Corp developed a series of malware and ransomware strains which have caused significant harm to numerous organisations and sectors, including healthcare, critical national infrastructure and government.

"Characterised by their longevity, adaptability, organisational hierarchy and close links with the Russian state, Evil Corp have proved a persistent threat for over a decade, and members continue to operate within the Russian Federation.

The report also named Yakubets' key associates, including Eduard Benderskiy, Maksims’ father-in-law, since his 2017 lavish wedding to his daughter Alyona Benderskaya, reported to have cost at least £250,000.

As a former high-ranking FSB official, investigators believe Benderskiy is a key factor in the group getting protection within Russia and in becoming criminal agents of the state.

Viktor Yakubets, Maksim’s father, is also named as a key member. In 2021, when the BBC tracked down Viktor in Russia, he denied his son had any involvement in crime.

Yet, the report said: "The Yakubets family were no strangers to financial crime. Viktor Yakubets, father of Maksim, had significant historical ties to money laundering activity.

"Maksim took this family business into the 21st century, branching into cybercrime and bringing his father, brother (Artem) and cousins (Kirill and Dmitry Slobodskoy) along with him.

"By drawing on this family knowledge, Evil Corp became experts in laundering the proceeds of their cybercriminal activities."

Aleksandr Ryzhenkov was also named in today's report as Yakubets’ right-hand man and close friend in whom he placed a lot of trust and worked closely with to develop some of the group’s most prolific ransomware strains.

The pair regularly socialise together. He has been identified as a LockBit affiliate as part of Operation Cronos - the ongoing NCA-led international disruption of the group.

Investigators analysing data obtained from the group’s own systems found he has been involved in LockBit ransomware attacks against numerous organisations.

An NCA spokesperson said: "Evil Corp officially formed as a crime group in 2014. They were responsible for the development and distribution of BitPaymer and Dridex, which they used target banks and financial institutions in over 40 countries, stealing over $100m.

"The group were in a privileged position, with some members having close links to the Russian state. Benderskiy was a key enabler of their relationship with the Russian Intelligence Services who, prior to 2019, tasked Evil Corp to conduct cyber attacks and espionage operations against NATO allies."

While most cybercriminal activity is financially motivated, the Russian Intelligence Services have in some reported cases directed cybercriminals to conduct malicious cyber activity, or used malware strains for espionage purposes.

In 2017, two Russian FSB officers were indicted by the US Department of Justice (DoJ) for directing criminal hackers to compromise 500 million Yahoo accounts.

Another notable Russian cybercriminal, Vitaly Kovalev, who was sanctioned by the UK and US governments in 2023 for his

senior role in the Trickbot cybercrime group, also had a relationship with the Russian Intelligence Services.

But, the report said that Evil Corp's relationship with the Russian security services was in another league thanks to Benderskiy.

It said: "Evil Corp held a privileged position, and the relationship between the Russian state and this cybercriminal group went far beyond the typical state-criminal relationship of protection, payoffs and racketeering.

In fact, prior to 2019, Evil Corp were tasked by Russian Intelligence Services to conduct cyber-attacks and espionage operations against NATO allies.

"Liaison with the intelligence services was led by Maksim Yakubets. As Evil Corp evolved, he became the group’s main contact with Russian officials, developing or seeking to develop relationships with FSB, SVR and GRU officials.

Multiple other members of the Evil Corp group have their own ties with the Russian state. In particular, Yakubets’ father-in-law, Eduard Benderskiy, was a key enabler of Evil Corp’s state relationships.

"Benderskiy is a former high ranking official of the FSB’s secretive ‘Vympel’ unit and now owns various organisations carrying the ‘Vympel’ name. It has been reported by Bellingcat that through Vympel, Benderskiy has been involved in multiple overseas assassinations on behalf of the Russian state.

"Evidently, he is a highly connected individual still closely involved with the Kremlin’s activities.

"Benderskiy leveraged his status and contacts to facilitate Evil Corp developing relationships with officials from the Russian Intelligence Services. After the US sanctions and indictments against Evil Corp members in December 2019, Benderskiy used his extensive influence to protect the group, both by providing senior members with security and by ensuring they were not pursued by internal Russian authorities."

Despite the protection, international law enforcers, have been able to disrupt the activities of both Evil Corp and Lockbit, with arrests of lesser players across the globe and sanctions affecting how they operate.

The NCA said since a series of disruptions in 2019, "their success and influence in the cybercrime ecosystem had dwindled."

Several law enforcement and government operations have taken place to disrupt the group since its formation, most notably in the form of sanctions and indictments in December 2019. As a result, the group have been forced to scrap their modus operandi, and attempt new tactics to evade the additional scrutiny and restrictions put on them.

The NCA spokesperson added: "After the US sanctions and indictments in December 2019, Benderskiy used his extensive influence with the Russian state to protect the group, both by providing senior members with security and by ensuring they were not pursued by Russian internal authorities.

"However, the 2019 activity caused considerable disruption to Evil Corp, damaging their brand and ability to operate, including making it harder for them to elicit ransom payments from victims.

"It caused them to have to rebuild, change tactics and take increased measures to hide their activity from law enforcement, with many members going underground, abandoning online accounts and restricting their movements.

"They continued to adapt and some members went on to develop further malware and ransomware strains, most notably WastedLocker, Hades, PhoenixLocker, PayloadBIN and Macaw. Their focus narrowed, switching from volume attacks to targeting high-earning organisations.

"Other members moved away from using their own technical tools, instead using ransomware strains developed by other crime groups, such as LockBit.

"The NCA is continuing to track illicit activity conducted by various former members of Evil Corp, including their involvement in ransomware attacks."

The international investigation into LockBit and Evil Corp remains ongoing and this week their original leak site, which remains under the control of the NCA, went live once more.

It details further action taken by the Cronos Taskforce, including NCA arrests in August of two people believed to be associated with a LockBit affiliate, on suspicion of Computer Misuse Act and money laundering offences.

In the same month, French authorities secured the arrest of a suspected LockBit developer, and Spanish police detained one of the main facilitators of LockBit infrastructure, as well as seizing nine servers used by the group.