
The Russian Cyber Landscape: State Interference and Cybercrime

Bola Ogbara

The latest sanctions on Evil Corp came with the revelation that the Russian government had knowingly worked with the pervasive cybercriminal group. 


On October 1st, the UK’s National Crime Agency (NCA), the FBI, and the Australian Federal Police released a paper on Evil Corp which named Eduard Benderskiy as “a key enabler” of the group. Evil Corp, also known as Indrik Spider, is a pervasive cybercrime group based in Russia. Their notorious Dridex malware stole more than $100 million by harvesting login credentials from banks and financial institutions in over 40 countries, including the US. This earned them their first sanction from the Treasury Department in 2019 - but the group’s malware and ransomware schemes have hurt organizations outside of financial services, too. The critical infrastructure sector, along with the healthcare and government sectors, has faced “significant harm” at the hands of the aptly named Evil Corp.

 

The newest series of sanctions on Evil Corp targets individual members of the group, like Benderskiy, who is the father-in-law of the leader of Evil Corp, Maksim Viktorovich Yakubets. Benderskiy’s identification as an enabler and protector of the cybercriminal band is a revelation because of his formal connections with the Russian government. He is a former high-ranking officer of the Russian Federal Security Service (FSB), where he was part of the secretive ‘Vympel’ unit, and he has kept strong ties to the state even after leaving the FSB. The NCA’s paper on Evil Corp explains that reportedly, “through Vympel, Benderskiy has been involved in multiple overseas assassinations on behalf of the Russian state. Evidently, he is a highly connected individual still closely involved with the Kremlin’s activities.”

 

One of the firms he owns helped provide security to the Russian oil company Lukoil OAO (based in Iraq) around 2017, and has been praised by the FSB, the Russian Duma, and the Russian Ministry of Foreign Affairs. After the 2019 sanctions and indictments, it’s clear how easy it would be for Benderskiy to use “his extensive influence to protect the group, both by providing senior members with security and by ensuring they were not pursued by internal Russian authorities.”

 

This discovery may be the strongest publicly known link between the Russian government and the secretive but vast cybercrime network based there, but the reports from law enforcement show other private ties between the two organizations. In 2019, Maksim Yakubets helped the Russian government by using computers Evil Corp had compromised to get access to classified documents the FSB wanted to see. Russian intelligence has been caught working with criminal hackers before - last year, the Russia-based Trickbot cybergang was sanctioned and found to be “associated with Russian Intelligence Services.” Just two days after the Evil Corp paper was released, an investigation by the FBI and Microsoft uncovered Russian intelligence plans to spy on targets through a phishing campaign. Over 100 web domains were seized, demonstrating the extensive cyber activity of the FSB.

 

While the rest of the world is worried about Russia-sponsored cybercrime, Russia is also dealing with its own cybercrime problems. Near the end of September, the DoJ charged two Russian nationals (Sergey Ivanov and Timur Shakhmametov) with money laundering that facilitated cybercrime. Ivanov operated UAPS, PinPays, and PM2BTC, which allowed for financial transactions directly to criminals. Through those services, more than $1 billion worth of cryptocurrency was moved. Shakhmametov sold data from tens of millions of payment cards - making anywhere from $280 million to over $1 billion in profit, according to the DoJ.

 

The Secret Service was also pulled into the investigation and seized two domains connected to Cryptex, a cryptocurrency transaction site that allows for complete anonymity. The State Department offered a reward of up to $10 million for any information leading to the arrests and/or convictions of the two cybercriminals. Nearly a week later, Russia’s top law enforcement agency (the Investigative Committee of Russia) arrested 96 people connected to Cryptex and UAPS - with Ivanov and Shakhmametov among them. 

 

The sanctions on Russia-based cybercriminals, like Evil Corp, Ivanov and Shakhmametov, show just how prolific the underground cyberspace is - but they also prove that international collaboration can be a powerful tool in stopping it.