International law enforcement efforts have intensified against Evil Corp, a Russia-based cybercrime syndicate allegedly responsible for widespread financial theft and ransomware attacks.
The U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC), the UK's Foreign, Commonwealth & Development Office (FCDO), and Australia's Department of Foreign Affairs and Trade (DFAT) jointly imposed sanctions on key members of the group last week. Simultaneously, the U.S. Department of Justice unsealed an indictment charging an Evil Corp member with deploying BitPaymer ransomware against victims in the United States.
Evil Corp is known for developing and distributing the Dridex malware, which has infected computers worldwide and harvested login credentials, leading to over $100 million stolen from hundreds of banks and financial institutions across more than 40 countries. The group's activities are deeply rooted in Russia's cybercrime landscape and have alleged connections to Russian state entities.
Corey Petty, a cybersecurity professional and the head of insights at digital-rights-focused investment firm Institute of Free Technology, told Decrypt that using cryptocurrency for ransom payments forms “the backbone of ransomware’s efficacy.”
“Blockchains are transparent and auditable, and once the transactions have been successfully incorporated into the chain, they are unchangeable,” he said, noting the perceived benefits of the technology.. But there’s also a potentially significant downside for criminals.
“This gives anyone the ability to track the flow of funds,” he added.
An October 3 Chainalysis report examines the overlap between Evil Corp and the cybercriminal group LockBit. On-chain data indicates that ransomware strains associated with Evil Corp and cryptocurrency clusters linked to Lockbit have used the same deposit addresses at centralized exchanges.
This suggests possible collaboration or shared infrastructure between the two groups, aligning with previous reports that Evil Corp has used LockBit to rebrand and distance itself from sanctioned entities.
The report also highlights that several members of Evil Corp are related, indicating close internal ties. Maksim Victorovich Yakubets, the leader of Evil Corp, has been noted by the U.S. Treasury Department for his alleged work with Russia's Federal Security Service (FSB) and efforts to obtain a license to handle classified information.
Other designated individuals include his father, Viktor Yakubets, and father-in-law, Eduard Benderskiy, a former FSB officer. These connections suggest potential links between the cybercrime group and Russian state agencies.
The news follows Chainalysis Chief Marketing Officer Ian Andrews recently saying that “Russia has become an international force using cryptocurrency for everything from sanctions evasion to ransomware attacks.”
“Russia is just the loudest and possibly most pervasive in this space,” added Chainalysis Director of Intelligence Solutions, Valerie Kennedy.
Law enforcement agencies across multiple countries have taken coordinated actions to disrupt Evil Corp's operations. Arrests and seizures have occurred in various nations, including the apprehension of a suspected LockBit developer by French authorities and the seizure of servers associated with LockBit's ransomware infrastructure by Spanish officers.
Edited by Andrew Hayward