Feds Offer $5M Reward to Nab ‘Evil Corp’ Dridex Hacker

evil corp dridex $5 million reward

Authorities cracked down on cybercrime group Evil Corp. with sanctions and charges against its leader, known for his lavish lifestyle.

U.S. authorities are offering up $5 million for information leading to the arrest of Evil Corp. leader Maksim V. Yakubets, 32, of Russia, who goes under the moniker “aqua.” The U.S. alleges that Yakubets and his company have stolen millions of dollars from victims using the Dridex banking trojan and Zeus malware.

Separately, the U.S. Treasury Department on Thursday issued sanctions against Evil Corp, “as part of a sweeping action against one of the world’s most prolific cybercriminal organizations.”

The $5 million is the largest such reward offer for a cybercriminal to date.

“Maksim Yakubets allegedly has engaged in a decade-long cybercrime spree that deployed two of the most damaging pieces of financial malware ever used and resulted in tens of millions of dollars of losses to victims worldwide,” said Assistant Attorney General Benczkowski in a statement, Thursday. “These two cases demonstrate our commitment to unmasking the perpetrators behind the world’s most egregious cyberattacks.  The assistance of our international partners, in particular the National Crime Agency of the United Kingdom, was crucial to our efforts to identify Yakubets and his co-conspirators.”

The indictment, which also charges a second Evil Corp. member, Igor Turashev, 38, alleges Yakubets was the leader the cybercrime gang and oversaw the development and distribution of the Dridex malware and botnet.

Since its first appearance in 2012, banking trojan Dridex (also known as Bugat and Cridex) has been deployed via phishing emails and targets banking information. By 2015, the malware was one of the most prevalent financial trojans in the wild; while later versions of the malware were designed with the added function of assisting in the installation of ransomware.


The scheme involved capturing banking credentials, and causing banks to make unauthorized electronic funds transfers from unknowing victims’ bank accounts. Money mules would then receive these stolen funds into their bank accounts, and transport the funds overseas.  Multiple companies were targeted by Dridex, costing them millions of dollars; victims included two banks, a school district, a petroleum business, building materials supply company and others.

The indictment also alleges that Yakubets has also been involved with the Zeus malware since 2009, which authorities claim he used to infect thousands of business computers with malicious software that captured passwords, account numbers and other information, before using that data to log into online banking accounts to steal money from victims.

Pictures from the NCA showcase the lavish lifestyle of Evil Corp. leader Yakubets

At least 21 municipalities, banks, companies, and non-profit organizations were targeted by Zeus, with the overall attempted theft resulting in around $220 million in losses (actual losses before reimbursement from victim bank accounts totaled $70 million).

The National Crime Agency, which worked with U.S. authorities to identify the cybercrime ring, in a separate report on Thursday shed some light on the members of Evil Corp. and the lavish lifestyle of Yakubets, who drives a customized Lamborghini “supercar” with a personalized number plate that translates to “Thief.” He also spent more than a quarter of a million pounds ($330,000) on his wedding.

“While the harm caused by this group has targeted mainly financial institutions, there is no doubt that their activity has had real-world impacts, defrauding and stealing from victims in the U.K. and worldwide,” Lynne Owens, director general of the NCA, said in a statement. “The Lamborghini Yakubets drives was someone’s life savings, now emptied from their bank account.”

Separately, the Department of Homeland Security (DHS) on Thursday alerted companies about ongoing Dridex attacks targeting banking and financial companies via email spam messages.  The alert warns companies to contact law enforcement immediately to report regarding any identified activity related to Dridex malware or its derivatives.

Free Threatpost Webinar: Risk around third-party vendors is real and can lead to data disasters. We rely on third-party vendors, but that doesn’t mean forfeiting security. Join us on Dec. 18th at 2 pm EST as Threatpost looks at managing third-party relationship risks with industry experts Dr. Larry Ponemon, of Ponemon Institute; Harlan Carvey, with Digital Guardian and Flashpoint’s Lance James. Click here to register.

Suggested articles