U.S. Charges Russian ‘Evil Corp’ With Fueling a Decade of Bank Hacks

December 5, 2019 by Josh Wingrove, Chris Strohm and Alyza Sebenius

The U.S. unveiled charges and sanctions against members of a hacking entity calling itself Evil Corp that authorities said was behind some of the worst computer hacking and bank fraud schemes of the past decade.

The U.S. Justice Department, working in conjunction with U.K. authorities and the U.S. Treasury, brought conspiracy and fraud charges against members of the group that it said “has been engaged in cybercrime on an almost unimaginable scale,” using malware to steal tens of millions of dollars from accounts at banks including Bank of America Corp. and regional U.S. lenders.

The Treasury Department said it would sanction the group and its leaders for cyber-thefts at hundreds of financial institutions around the world.

The group’s leader, identified as Maksim Yakubets, was among those charged and sanctioned. He also worked for the Russian Federal Security Service intelligence agency, according to the Treasury Department. Yakubets was directed to work on projects for the Russian state as of 2017, it said.

The U.S. charged Yakubets in Nebraska and Pennsylvania, while bringing charges against an alleged co-conspirator, Igor Turashev, in Pennsylvania. They are believed to be in Russia, according to the FBI. The U.S. is offering a $5 million reward for information leading to Yakubets’s arrest or conviction, according to the State Department.

Evil Corp is “the world’s most harmful cyber crime group,” the U.K.’s National Crime Agency said in a statement, adding that its malware had caused hundreds of millions of pounds in financial losses in the U.K. alone. Its alleged leaders hardly kept a low profile, the NCA said: Yakubets drove a Lamborghini with a license plate that translates to “Thief” and spent over a quarter of a million pounds on his wedding.

The group used a malware called Dridex to harvest log-in credentials from banks and financial institutions in more than 40 countries, according to the Treasury Department.

Dridex, also known as Bugat and Cridex, often reaches victims through phishing emails. According to the indictment, it is “a multifunction malware package that automates the theft of confidential personal and financial information, such as online banking credentials, from infected computers through the use of keystroke logging and web injects.”

“Our goal is to shut down Evil Corp, deter the distribution of Dridex, target the ‘money mule’ network used to transfer stolen funds, and ultimately to protect our citizens from the group’s criminal activities,” Treasury Secretary Steven Mnuchin said in a statement.

Yakubets “is not the first cybercriminal to be tied to the Russian government,” Treasury said in a statement, citing the 2017 indictment of two FSB officers and conspirators for compromising “millions” of Yahoo Holdings Inc. email accounts.

Another alleged co-conspirator in the Nebraska complaint, Yevgeny Bogachev, was sanctioned by the U.S. in 2016 and has been on the FBI’s most wanted list.

Senior Treasury officials said the U.S. action was coordinated not only with the U.K., but also in cooperation with countries and places targeted by the group including Italy, Australia, the United Arab Emirates, Canada, France, India, Hong Kong and Malaysia.

The group has been targeted by law enforcement for several years. Two Ukrainian nationals were extradited from the U.K. to the U.S. and pleaded guilty to related charges in Nebraska in 2015, the Justice Department said.

In October of 2015, U.S. prosecutors also indicted Moldovan national Andrey Ghinkul for cyber-attacks using Dridex.

Dridex is “one of the most prevalent eCrime malware families,” according to a July report by the cybersecurity firm Crowdstrike, which said it was used significantly in 2015 and 2016.

FBI Deputy Director David Bowdich said Evil Corp and other cyber-criminals are still operating, and that one reason they brought the charges forward now was to raise awareness about future attacks. “It is fair to say they are not out of business at this point,” he said.

(Updates with details throughout. A previous version of this story misspelled Andrey Ghinkul’s name.)

–With assistance from David Voreacos.