The US Department of the Treasury’s Office of Foreign Assets Control (OFAC) is sanctioning individuals and entities affiliated with Evil Corp, a cybercriminal operation based in Russia.
OFAC is taking the action in partnership with the United Kingdom’s Foreign, Commonwealth & Development Office (FCDO) and Australia’s Department of Foreign Affairs and Trade (DFAT).
According to OFAC, seven individuals and two entities associated with Evil Corp, include founder Maksim Viktorovich Yakubets and over a dozen Evil Corp members, facilitators, and affiliated companies.
Evil Corp is described as a criminal entity that developed and distributes the Dridex malware. Evil Corp is said to have used the Dridex malware to infect computers and harvest login credentials from hundreds of banks and other financial institutions in over 40 countries, resulting in more than $100 million in theft losses and damage suffered by US and international financial institutions and their customers.
In a concurrent action with OFAC’s sanctions designations, the US Department of Justice has indicted Maksim and Evil Corp administrator Igor Turashev on criminal charges related to computer hacking and bank fraud schemes, and the US Department of State’s Transnational Organized Crime Rewards Program issued a reward for information of up to $5 million leading to the capture and/or conviction of Maksim.
Additionally, the DOJ has unsealed an indictment charging one Evil Corp member, Aleksandr Ryzhenkov, in connection with his use of BitPaymer ransomware targeting victims in the United States.
OFAC has published the list of Evil Corp members and affiliates
Eduard Benderskiy (Benderskiy), a former Spetnaz officer of the Russian Federal Security Service (FSB), which is designated under numerous OFAC sanctions authorities, current Russian businessman, and the father-in-law of Evil Corp’s leader Maksim Viktorovich Yakubets (Maksim), has been a key enabler of Evil Corp’s relationship with the Russian state. Benderskiy leveraged his status and contacts to facilitate Evil Corp’s developing relationships with officials of the Russian intelligence services. After the December 2019 sanctions and indictments against Evil Corp and Maksim, Benderskiy used his extensive influence to protect the group.
While he has no official position in the Russian government, Benderskiy portrays himself as an aide to the Russian Duma. Around 2017, one of Benderskiy’s private security firms was involved in providing security for Iraq-based facilities operated by the Russian oil company Lukoil OAO. This same private security firm has been lauded by the FSB, the Russian Ministry of Foreign Affairs, the Russian Duma, and other Russian government bodies.
From at least 2016, Maksim had business interactions with Aleksandr Tikhonov (Tikhonov), former commander of the FSB Special purpose Center, Russian government leaders, including OFAC-designated persons Dmitry Kozak (Kozak) and Gleb Khor, and leaders of prominent Russian banks like OFAC-designated person Herman Gref (Gref), the Chief Executive Officer of Sberbank. In 2019, Benderskiy used his connections to facilitate a business deal that included Maksim and Kozak, which they believed would earn tens of millions of dollars per month. In the same year, Benderskiy hosted a meeting with Maksim and Gref to discuss business contracts with NIK.
After the December 2019 sanctions and indictments against Evil Corp and Maksim, Maksim sought out Benderskiy’s guidance. Benderskiy used his extensive influence to protect the group, including his son-in-law, both by providing senior members with security and by ensuring they were not pursued by Russian internal authorities.
OFAC designated Benderskiy pursuant to E.O. 14024 for being owned or controlled, or having acted or purported to act for or on behalf of, directly or indirectly, the Government of the Russian Federation, and pursuant to E.O. 13694, as amended, for having materially assisted, sponsored, or provided financial, material, or technological support, or goods or services in support of, Maksim, a person whose property and interests in property are blocked pursuant to E.O. 13694, as amended.
Benderskiy is the general director, founder, and 100 percent owner of the Russia-based business and management consulting companies Vympel-Assistance LLC and Solar-Invest LLC. OFAC designated Vympel-Assistance LLC and Solar-Invest LLC pursuant to E.O. 14024 and E.O. 13694, as amended, for being owned or controlled, or having acted or purported to act for or on behalf of, directly or indirectly, Benderskiy, a person whose property and interests in property are blocked pursuant to E.O. 14024 and E.O. 13694, as amended.
Viktor Grigoryevich Yakubets (Viktor) is Maksim’s father and a member of Evil Corp. In 2020, Viktor likely procured technical equipment in furtherance of Evil Corp’s operations. OFAC designated Viktor pursuant to E.O. 13694, as amended, for having materially assisted, sponsored, or provided financial, material, or technological support, or goods or services in support of, Evil Corp, a person whose property and interests in property are blocked pursuant to E.O. 13694, as amended.
Maksim has been careful about exposing different group members to different areas of business, however, he placed a lot of trust in his long-term associate and second-in-command, Aleksandr Viktorovich Ryzhenkov(Aleksandr Ryzhenkov). Maksim started working with Aleksandr Ryzhenkov around 2013 while they were both still involved in the “Business Club” group. Their partnership endured, and they worked together on the development of a number of Evil Corp’s most prolific ransomware strains. In 2016, Aleksandr Ryzhenkov, who is associated with the online moniker “Guester” (a pseudonym he has used while conducting operations on behalf of Evil Corp), sought to acquire internet bots in an Evil Corp operation targeting Switzerland-based targets. Since at least mid-2017, Aleksandr Ryzhenkov served as an interlocutor for Maksim with most of the Evil Corp members and oversaw operations of the cybercriminal group. In mid- 2017, Aleksandr Ryzhenkov targeted a New York-based bank. Following the December 2019 sanctions and indictment, Maksim and Aleksandr Ryzhenkov returned to operations targeting U.S.-based victims. In 2020, Aleksandr Ryzhenkov worked with Maksim to develop “Dridex 2.0.”
Sergey Viktorovich Ryzhenkov (Sergey Ryzhenkov), Aleksey Yevgenevich Shchetinin (Shchetinin), Beyat Enverovich Ramazanov (Ramazanov), and Vadim Gennadievich Pogodin (Pogodin) are members of Evil Corp who have provided general support to the cybercriminal group’s activities and operations.
In 2019, Sergey Ryzhenkov, the brother of Aleksandr Ryzhenkov, helped to move Evil Corp operations to a new office. In 2020, after Evil Corp’s sanctions designation and indictment, Sergey Ryzhenkov helped Aleksandr Ryzhenkov and Maksim develop “Dridex 2.0” malware. In 2017 through at least 2018, Shchetinin worked with several other Evil Corp members, including Denis Igorevich Gusev, Dmitriy Konstantinovich Smirnov, and Aleksei Bashlikov, to purchase and exchange millions of dollars’ worth of virtual and fiat currencies. In early 2020, Pogodin played a crucial role in an Evil Corp ransomware attack, and in mid-2020, he contributed to an Evil Corp ransomware attack on a U.S. company.
OFAC designated Aleksandr Ryzhenkov, Sergey Ryzhenkov, Shchetinin, Ramazanov, and Pogodin pursuant to E.O. 13694, as amended, for having materially assisted, sponsored, or provided financial, material, or technological support, or goods or services in support of, Evil Corp, a person whose property and interests in property are blocked pursuant to E.O. 13694, as amended.