{"id":17116,"date":"2019-12-06T10:45:03","date_gmt":"2019-12-06T18:45:03","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2019\/12\/06\/news-10852\/"},"modified":"2019-12-06T10:45:03","modified_gmt":"2019-12-06T18:45:03","slug":"news-10852","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2019\/12\/06\/news-10852\/","title":{"rendered":"Alleged Russian Hacker Behind $100 Million Evil Corp Indicted"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/media.wired.com\/photos\/5de959e031377600089a0ad9\/master\/pass\/Sec-E%20Photo%2024.jpg\"\/><\/p>\n<p><strong>Credit to Author: Brian Barrett| Date: Thu, 05 Dec 2019 20:20:15 +0000<\/strong><\/p>\n<p class=\"content-header__row content-header__dek\">The US is charging Maksim Yakubets over two of the biggest cybertheft campaigns of the last decade, and offers a record reward for information on the case.<\/p>\n<p>For the last decade, the hackers behind Evil Corp have led a sustained assault on the bank accounts of thousands of victims across dozens of countries. By steadily evolving malware known as Bugat, they indiscriminately siphoned tens of millions of dollars from unwitting victims. Thursday, the FBI indicted Evil Corp\u2019s alleged leader: Maksim V. Yakubets, also known as \u201caqua.\u201d<\/p>\n<p>The indictment, which you can read in full below, details in broad strokes the playbook that Yakubets and Igor Turashev, another Russian charged in the scheme, allegedly have rolled out countless times. They\u2019d convince victims to click on a malicious link in a phishing email to download Bugat. Once installed, the malware would use a variety of techniques to steal: a keylogger to grab passwords, or creating fake banking pages to trick someone into voluntarily entering their credentials. 
Armed with that information, the hackers would arrange for electronic funds transfers from victim bank accounts to a network of so-called <a href=\"https:\/\/www.wired.com\/story\/atm-hacks-swift-network\/\">money mules<\/a>, who would then get the funds back to Evil Corp.<\/p>\n<p>\u201cEach and every one of these intrusions was effectively a cyber-enabled bank robbery,\u201d said assistant US attorney general Brian Benczkowski at a press conference announcing the indictment Thursday. Both men are still at large in Russia.<\/p>\n<p>Evil Corp was apparently also in the franchise business. According to court documents, Yakubets gave a UK resident access to Bugat in exchange for $100,000 up front, plus 50 percent of all revenues, with a minimum take of $50,000 a week. Like any good franchisor, Yakubets offered technical support as needed.<\/p>\n<p>Since at least 2011, the FBI estimates that Bugat\u2014also known as Dridex and Cridex\u2014resulted in losses of $100 million or more across hundreds of banks. What makes the Evil Corp campaign so impressive isn\u2019t just the scale, but how adaptable it has proved to be. Law enforcement has pursued them for years, even successfully <a class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/www.justice.gov\/usao-wdpa\/pr\/moldovan-sentenced-distributing-multifunction-malware-package&quot;}\" href=\"https:\/\/www.justice.gov\/usao-wdpa\/pr\/moldovan-sentenced-distributing-multifunction-malware-package\" rel=\"nofollow noopener noreferrer\" target=\"_blank\">prosecuting Dridex sysadmin Andrey Ghinkul<\/a>. US law enforcement disabled some of the conspiracy\u2019s sub-botnets in 2016 <a href=\"https:\/\/www.wired.com\/story\/what-is-sinkholing\/\">by sinkholing them<\/a>. The FBI indicted a related Belarus-based money mule network that same year. 
And still, Evil Corp persisted.<\/p>\n<p>\u201cThe Dridex malware conspiracy was a constantly evolving and adapting criminal enterprise that had a level of sophistication and scope of threat that we rarely see,\u201d US attorney Scott Brady said at Thursday\u2019s press conference. Over the years, Brady said, Evil Corp has switched from a centralized command-and-control center to peer-to-peer botnets to make their activities harder to trace, used more sophisticated so-called web injects to trick users into entering sensitive information, and ditched international wire transfers for the relative anonymity of ransomware tied to cryptocurrency payments.<\/p>\n<p>\u201cThis is why this has been the most widespread and destructive malware and banking trojans in the world over the last decade,\u201d Brady said.<\/p>\n<p>In all, Yakubets and Turashev have been indicted on 10 Bugat-related counts, covering conspiracy, computer hacking, wire fraud, and bank fraud. But the Yakubets story goes further still. Which is maybe why the US government has taken the rare step of offering $5 million for information leading to his arrest.<\/p>\n<p>Since 2006, few malware campaigns have caused <a href=\"https:\/\/www.wired.com\/2017\/03\/russian-hacker-spy-botnet\/\">as much international consternation as Zeus<\/a>, a trojan horse that became the favored malware of organized crime. Both the original Zeus and its later variants, Jabber Zeus and GameOver Zeus, had a roughly similar modus operandi to Bugat: steal banking credentials, transfer the money. A separate criminal complaint also unsealed Thursday alleges that Yakubets has been involved almost since the beginning.<\/p>\n<p>Zeus attacks netted $70 million from US targets, a diverse list that includes banks, a luggage store, and the Franciscan Sisters of Chicago. It hit 21 municipalities, banks, and nonprofit organizations in 11 states over its decade-long reign. 
The specific role Yakubets played, according to the criminal complaint, was to provide \u201cmoney mules and their associated banking credentials in order to facilitate the movement of money which was withdrawn from victim accounts by fraudulent means.\u201d<\/p>\n<p>Law enforcement connected Yakubets to both Bugat and Zeus thanks in part to his \u201caqua\u201d moniker, which allegedly showed up in chat transcripts from the Zeus crew that detail bank transfer data and discuss ongoing operations. The FBI was also aided, perhaps surprisingly, by the Russian government, which has been <a href=\"https:\/\/www.wired.com\/story\/aleksei-burkov-russia-hacking-extradition\/\">notoriously protective of its hackers<\/a>, both state-sponsored and otherwise.<\/p>\n<p>\u201cIt was helpful in the investigation\u2014to a point,\u201d said FBI deputy director David Bowdich at Thursday\u2019s press conference.<\/p>\n<p>The FBI also first asked for that assistance in 2010. But in a separate announcement Thursday of sanctions against Evil Corp and its enablers, spanning 17 individuals and seven entities in all, the US Treasury Department <a class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/home.treasury.gov\/news\/press-releases\/sm845&quot;}\" href=\"https:\/\/home.treasury.gov\/news\/press-releases\/sm845\" rel=\"nofollow noopener noreferrer\" target=\"_blank\">alleged<\/a> that Yakubets later signed on with Russia\u2019s FSB intelligence agency. \u201cIn addition to his leadership role within Evil Corp, Yakubets has also provided direct assistance to the Russian government,\u201d the agency\u2019s statement reads. 
\u201cAs of 2017, Yakubets was working for the Russian FSB, one of Russia\u2019s leading intelligence organizations.\u201d<\/p>\n<p>It\u2019s unclear exactly what role Yakubets is accused of playing with the FSB, but the allegations include \u201cacquiring confidential documents through cyber-enabled means and conducting cyber-enabled operations.\u201d<\/p>\n<p>The indictment, criminal complaint, and sanctions announcement collectively paint Yakubets as something of a cybercrime Zelig. \u201cYakubets has allegedly been involved in cybercrime on an almost unimaginable scale for over a decade,\u201d said the DOJ\u2019s Benczkowski.<\/p>\n<p>Indictments like this always invite the same question: What will it actually accomplish? Yakubets is safely ensconced in Russia, after all. The odds of actually bringing him to trial seem vanishingly slim.<\/p>\n<p>Then again it\u2019s not impossible. Take Ghinkul as an example, or Roman Seleznev, a Russian hacker arrested in 2016 in the Maldives and <a class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/www.justice.gov\/opa\/pr\/russian-cyber-criminal-sentenced-27-years-prison-hacking-and-credit-card-fraud-scheme&quot;}\" href=\"https:\/\/www.justice.gov\/opa\/pr\/russian-cyber-criminal-sentenced-27-years-prison-hacking-and-credit-card-fraud-scheme\" rel=\"nofollow noopener noreferrer\" target=\"_blank\">sentenced<\/a> to 27 years in prison the following year. A successful arrest also isn\u2019t the only potential positive outcome.<\/p>\n<p>\u201cHaving your name, your face, or your description on a wanted poster makes moving around freely much more difficult,\u201d the FBI\u2019s Bowdich said at Thursday\u2019s press conference. \u201cSimply naming them in an indictment accomplishes a great deal. State sponsors and other clients prize hackers for their anonymity, deniability, and their stealth. 
Calling these actors out publicly through these indictments strips away that anonymity.\u201d<\/p>\n<p>And then there\u2019s the matter of the $5 million. Offering a reward for leads like this has some precedent; there\u2019s a $3 million <a class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/www.fbi.gov\/news\/stories\/3-million-reward-offered-for-international-cyber-criminal&quot;}\" href=\"https:\/\/www.fbi.gov\/news\/stories\/3-million-reward-offered-for-international-cyber-criminal\" rel=\"nofollow noopener noreferrer\" target=\"_blank\">bounty<\/a> still extant for information relating to alleged Zeus mastermind Evgeniy Bogachev.<\/p>\n<p>\u201cYou put into the equation that someone, whether or not it\u2019s the Russian government, might decide the money is worth turning them over,\u201d says David J. Hickton, founding director of the University of Pittsburgh Institute of Cyber Law Policy and Security, who also prosecuted the Ghinkul case.<\/p>\n<p>Putting that $5 million forward can also invite certain trade-offs, says former White House homeland security adviser Tom Bossert.<\/p>\n<p>\u201cThis bounty can\u2019t hurt and could easily help by testing the honor of fellow thieves. I think it might well generate a lead,\u201d Bossert says. \u201cThe two downsides will be the increased work of sifting through false tips and the potential for one day having to pay the bounty to an unsavory character, who might use the proceeds for bad. The cost-benefit trade-offs in this case make it worth trying.\u201d<\/p>\n<p>For now, Yakubets remains at large, and presumably still active; the DOJ cited Bugat attacks as recent as March 19. 
But shining a spotlight on his various alleged schemes can only make them harder to pull off in the future, whether or not he ever sees the inside of a courtroom.<\/p>\n<p><em>Additional reporting by Andy Greenberg.<\/em><\/p>\n<p><iframe loading=\"lazy\" height=\"420\" width=\"100%\" sandbox=\"allow-scripts allow-popups\" class=\"iframe-embed__content\" title=\"Embedded Frame\" src=\"https:\/\/www.documentcloud.org\/documents\/6568893-Yakubets-Indictment.html\" frameborder=\"0\" style=\"\"><\/iframe><br \/><a href=\"https:\/\/www.wired.com\/story\/alleged-russian-hacker-evil-corp-indicted\" target=\"bwo\" >https:\/\/www.wired.com\/category\/security\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/media.wired.com\/photos\/5de959e031377600089a0ad9\/master\/pass\/Sec-E%20Photo%2024.jpg\"\/><\/p>\n<p><strong>Credit to Author: Brian Barrett| Date: Thu, 05 Dec 2019 20:20:15 +0000<\/strong><\/p>\n<p>The US is charging Maksim Yakubets over two of the biggest cybertheft campaigns of the last decade, and offers a record reward for information on the 
case.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10378,10607],"tags":[714,21358],"class_list":["post-17116","post","type-post","status-publish","format-standard","hentry","category-security","category-wired","tag-security","tag-security-cyberattacks-and-hacks"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/17116","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=17116"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/17116\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=17116"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=17116"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=17116"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}