He drives a Lamborghini with a number plate that reads “Thief” – working from the basements of Moscow cafes with a team of affiliates as the leader of Evil Corp: described unequivocally this month by British and American intelligence agencies as “the most significant cyber crime threat to the UK.”
Now, 32-year-old Maksim Yakubets has been named by the UK’s National Crime Agency (NCA) and the FBI for the first time, following a multi-year investigation that resulted on Friday 6 December in indictments against both the Ukrainian-born kingpin and his “administrator” Igor Turashev.
Lynne Owens, Director General of the NCA, said: “The significance of this group of cyber criminals is hard to overstate; they have been responsible for campaigns targeting our financial structures with multiple strains of malware over the last decade.
“We are unlikely to ever know the full cost, but the impact on the UK alone is assessed to run into the hundreds of millions.”
Now, alongside 21 associated entities, he has been charged in relation to two separate international computer hacking and bank fraud schemes, spanning from May 2009 to the present. Investigations in the UK by the NCA and the Metropolitan Police have also targeted Yakubets’ network of money launderers.
Eight people have been sentenced to a total of over 40 years in prison. Yakubets himself, meanwhile, is now subject to a $5 million US State Department reward – the largest ever reward offered for a cyber criminal – and faces extradition to the US if captured outside of Russia.
Evil Corp: Behind Dridex and Zeus Malware
Using multiple online identities, primarily that of ‘Aqua’, Yakubets was subject to UK and international investigations for his involvement in multiple malware campaigns including Dridex and Zeus variants, the NCA said.
Aqua was also included in a 2014 US criminal complaint issued against Evgeniy Bogachev for his role in Zeus malware.
Bogachev remains on the FBI’s most wanted list with a reward of $3 million, previously the highest sum offered for a cyber criminal.
These malware strains have been considered among the world’s most prominent cyber threats, responsible for enabling fraud, stealing data, and theft from businesses and individuals. In 2016, Symantec assessed that Dridex was configured to target the customers of nearly 300 different organisations in over 40 countries.
Dridex: A Modular Malware Threat
Dridex is built with a modular architecture, meaning it can download and install additional modules after the initial infection, which makes it relatively straightforward for its authors to add and refine features, Symantec said.
The US Department of Homeland Security adds: “Once downloaded and active, Dridex has a wide range of capabilities, from downloading additional software to establishing a virtual network to deletion of files.
“The primary threat to financial activity is Dridex’s ability to infiltrate browsers, detect access to online banking applications and websites, and inject malware or keylogging software, via API hooking, to steal customer login information.
“Dridex modules package, encrypt, and transmit captured information, screenshots, etc., via peer-to-peer (P2P) networks in the XML format or in binary format, as seen in newer versions. After stealing the login data, the attackers have the potential to facilitate fraudulent automated clearing house (ACH) and wire transfers, open fraudulent accounts, and potentially adapt victim accounts for other scams involving business e-mail compromise or money mule activity.”
The UK’s NCSC was also involved in intelligence gathering against the cyber criminal, and Paul Chichester, NCSC Director Operations, said: “Today’s announcement is the result of a multi-year investigation with our law enforcement and international partners. Dridex has been targeting UK victims since at least 2014, compromising and stealing from large organisations, SMEs and the general public.
“Malware is a continuing cyber threat but we can all reduce our risk of becoming victims to cyber criminals by ensuring our devices are patched, anti-virus is turned on and up to date and files are backed up.”