The Most Powerful Hacker Group In The World - It Is Connected With The Russian Security Forces.

✨ Megiddo



On December 5, the United States officially charged Evil Corp, a Russian hacker group. It is called the “most harmful in the world”: the damage from Evil Corp attacks against banks is estimated at hundreds of millions of dollars. The US Department of Justice considers Maxim Yakubets to be the organizer of the group - he remains at large, and in March 2019 he was actively involved in hacking activities. Lilia Yapparova, a correspondent of Meduza's investigations department, found out that Evil Corp consists of relatives of officials and security officers - and tells how the hacker Maxim Yakubets lives, a man close to the Russian special services for whose capture a reward of five million dollars has been offered.

In July 2009, hacker groups, of which Maxim Yakubets was a member, began to prevail against colleagues. “Well, congratulations! ********* [go crazy], they are writing about you in the news,” read one of the group’s chat messages (the FBI later opened it). Shortly before this, The Washington Post had published an article on "cybercriminals from Ukraine who stole 415 thousand dollars from the treasury of Bullitt County, Kentucky." The hackers were, rather, shocked by this publication: they had not expected world fame to come to them, although some of them were flattered by it. However, 22-year-old Maxim Yakubets - under the nickname aqua - reacted as harshly as possible: “They described the whole scheme! The bastards. <...> Really infuriates.”

Ten years later, Yakubets himself led a hacker group called Evil Corp, began to steal with the help of a new banking trojan - and to travel around Moscow in a Lamborghini Huracan supercar. Muscovites list Yakubets in their phone books as "Mr. Prosecutor"; the United States is ready to pay five million dollars for information that will lead to the Russian's arrest - the biggest reward that has ever been offered for help in capturing a cybercriminal. The US Department of Justice called Yakubets's actions "so daring and sophisticated that, if they were not real, it would be difficult to even imagine them."

In addition to stealing bank data, Yakubets was also engaged in hacks commissioned by Russian special services. The US Treasury claims that since 2017, the hacker worked for the FSB; one of his tasks was to gain access to unnamed “confidential documents”. The Russian Ministry of Foreign Affairs called these statements a "propaganda attack." Meduza found out that the Americans are most likely right, and the hacker group is not just cooperating with special services - it literally consists of relatives of Russian officials and security officials.

Only for show
According to US authorities, Evil Corp includes 17 people from six countries. The group formed around 2011, two years after the publication in The Washington Post about its predecessor, which included Maxim Yakubets. Among the Russian security forces, Evil Corp is known as people who can be contacted, for example, about freeing money from blocked bank accounts. “They quoted an absolutely exorbitant price,” says an FSB veteran personally familiar with the hackers. “Some Peruvians I know, who mine diamonds in South America, had been hit for financing a cartel. They paid tribute to the cartel to work on its territory, and the Americans blocked their accounts for it. The Peruvians turned to me - I have simply known them for a long time - and I found them these Ukrainians to pull out the frozen money.”

Yakubets first ran into the Russian security forces back in 2010, as a defendant in the American case against the hacker group Jabber Zeus Crew, which infected computers around the world with the Zeus Trojan to steal money from electronic wallets and bank accounts. Russia then helped the FBI's investigation, and Yakubets was identified almost immediately: the hacker was so careless that he used the same email address through which he had ordered the delivery of a baby carriage to his home. The FBI agent involved in this case, in his testimony before a Nebraska court, pointed out that Yakubets should be charged under two articles of the US criminal code: “attempted crime” and “banking fraud”. The maximum sentence for the second is up to 30 years in prison.

When they came to Yakubets’s Moscow apartment on November 24, 2010, he was at home. The materials of the American prosecution mention a woman who was present in the same apartment - Yakubets's first wife (they had a son in 2009). The Russian authorities, according to the American indictment in the Yakubets case, handed over the information found during the search to the American side - however, nothing was said about a detention or any other investigative actions against Yakubets by the Russian security officials.

After this meeting, the hacker’s relationship with security officials could develop according to only one scenario, say Meduza’s interlocutors. The first clashes between cyber fraudsters and intelligence agencies almost never end in prison, two Meduza sources in the FSB and a communications veteran say. “If during the initial communication it turns out that they are completely unhinged, then they don’t live very long, and everyone else begins to cooperate,” says an FSB veteran who worked with hackers. “They are jailed really rarely and just for show,” says Karen Ghazaryan, Director General of the Internet Research Institute.

The FSB has been forcing cyber fraudsters to cooperate since the late 1990s, a veteran of the special services notes - this course was taken when the special services realized how profitable the new type of high-tech crime was. “As soon as the first rootless student of a technological university brought his Ferrari to the streets of Moscow, the office began to do this. They wanted to put this matter under control, to saddle the business, as they say,” recalls Meduza's interlocutor. “When we found them, we set them to work for individual heads of units. Since then, all these guys have been in the service.”

Even the most uncontrollable cyber-specialists could not avoid cooperation with the special services at one time, an interlocutor close to hackers says. “There was one hacker who was completely unhinged: a biker, missing a finger on one hand, who once even killed a pedophile - beat him to death with a stool right in a bar, and served time for it,” the interlocutor recalls. “But when he and his comrades rented an apartment and began to work from there, they were quickly identified and raided. Naturally, nobody jailed anyone - they were simply forced to work for them.”

Maxim Yakubets is not the first Russian cybercriminal to be accused abroad of collaborating with the Russian authorities. The top manager of Kaspersky Lab Ruslan Stoyanov, who is serving time for treason, said that hackers are rewarded with “patronage” for fulfilling government tasks; Stoyanov called this format of cooperation “immunity from retaliation for the theft of money <...> in exchange for intelligence”.

In 2017, Evil Corp leader Maxim Yakubets also had personal reasons to start helping the FSB - he became a relative of an influential security official.

"Secret" of particular importance
In the summer of 2016, Evil Corp's attacks subsided for a while: the last surge in phishing emails occurred on August 15 and 16. Maxim Yakubets spent the remainder of the month in Crimea, at the peninsula's most expensive resort. For a week at Mriya Resort & SPA, the hacker paid more than a million rubles. Seen from above, this hotel on the Yalta coast resembles a lotus flower with its petals stretched toward the Black Sea; President Vladimir Putin praised Sberbank CEO German Gref for the complex, built with the institution's money.

Yakubets did not stay at Mriya alone. According to the flight information that Meduza had at its disposal, Alena Benderskaya often flies to Russian resorts with the hacker: in 2017, she and the members of Evil Corp spent the January holidays in Sochi; in the summer of that year, Benderskaya and Yakubets visited Baikal. The room in the Baikal Residence lodge hotel was described in the booking documents as follows: "Complementary for just married." Meduza does not know whether the marriage of Yakubets and Benderskaya is officially registered - but they held a large-scale wedding ceremony, as Radio Liberty discovered. The information that the head of Evil Corp held a wedding in the summer of 2017 was also shared by British security officials.



After the wedding ceremony, all open or semi-open information, not only about Maxim Yakubets but also about the rest of the group, ceased to be updated. For example, data about their crossings of the state border disappears. This may be due to the identity of the alleged bride. A full namesake of Alena Eduardovna Benderskaya is a manager or co-owner of seven legal entities, three of which, according to SPARK-Interfax, are associated with the president of the Vympel charity foundation, the former FSB special forces soldier Eduard Bendersky. “Former employee, but still very influential, very. He has a lot of oil industry and businesses. And PMCs are in the Middle East,” says an FSB veteran familiar with Bendersky.

On Instagram, Benderskaya follows the Lamborghini Club Russia account; she celebrated her birthday "in the style of Dolce & Gabbana", as guests of the party said. In social networks Benderskaya, a regular at Moscow parties, is asked to post joint photos with other participants in the club life of Moscow. “How could a guy traveling around Moscow in a Lamborghini meet the daughter of a security official?” argues a Meduza interlocutor close to the FSB. “It's just that this whole youth party scene, where an unrealistic amount of money is spent, is very narrow - and it is clear that the children of the generals are spinning in it.”

In the year of the wedding, Yakubets began to draw closer to the FSB, and since April 2018 the hacker has been in the process of obtaining a service license to work with information constituting a state secret, says the US Treasury. “A hacker needs a Secret to look for incriminating evidence against our officials stored abroad,” said an interlocutor close to the FSB. “Evil Corp's main targets were London financial institutions. And London is full of our money. Obviously, if they were figuring [hacker attacks] on various funds, then they could dig up a lot of things on ours too,” says Karen Ghazaryan.

Granting access to state secrets was supposed to finally determine the hacker’s relationship with the FSB - and turn Yakubets into a freelance employee, said a veteran of the intelligence agency. But despite Evil Corp’s connection with the security forces, the group did not become untouchable - one of the FSB units may be interested in prosecuting the hackers in Russia itself, Meduza’s interlocutors say. “The "K" [FSB Economic Security Service] now needs to raise a new general, as if they were already interested,” says an FSB veteran familiar with the situation.

In the spring of 2019, the FSB's economic security service did indeed have room for growing new personnel. In April, the head of one of the departments of Directorate “K”, Kirill Cherkalin, was detained on suspicion of taking a bribe. Directorate "K" is engaged in counter-intelligence support of the credit and financial sector; Cherkalin’s department oversaw the Russian banking business, and Cherkalin himself participated in meetings of the interagency commission on countering money laundering.

The Evil Corp case fits perfectly into the directorate’s work profile, says Karen Ghazaryan. After all, the charges brought against the Russians concern not only hacks, but also the laundering of stolen money, and the US sanctions list includes not only exploit developers, but also those “cashing out” funds, as well as construction and trading companies registered to the hackers. Now it is they, Meduza's interlocutors suggest, who can become the target for the FSB economic security service.

The FSB and Eduard Bendersky did not respond to requests from Meduza. Meduza was unable to reach Alena Benderskaya. Relatives of Maxim Yakubets did not respond to messages sent to them on social networks.

The behavior of extravagant millionaires
The Evil Corp hacker group includes not only the son-in-law of a security official, but also the son of an official. Nine years ago, a man with the nickname 77strel tried to become a car blogger: the young man posted videos of racing in a Porsche, interspersed with clips in which a homeless man sleeping at a bus stop was being woken up. In 2019, CBS used one of the old videos in its story on Evil Corp, showing the hacker's face; in social networks, this person calls himself “Vitya Klochkov”, “Serega Usmanov”, or “Andrey Plotnitsky” (under this name the cyber fraudster was on the sanctions list). Plotnitsky soon deleted all the photos from VKontakte, but with the help of a face recognition service it was possible to find one in which he is standing in the same car repair shop with Evil Corp member Kirill Slobodskoy and a car belonging to another member of the group, Dmitry Smirnov.



A man with six pseudonyms - Andrei Plotnitsky, aka Strel, "Expected" or Andrei Kovalsky - turned out to be the son of the former mayor of Khimki, Vladimir Strelchenko. From his father's name, the hacker kept only a nickname for Instagram - Strel; Strelchenko himself called Plotnitsky his son. The hacker did not respond to a request to speak that was passed on through a lawyer who worked with him; in response to a message on social networks, he closed his VKontakte page.

Plotnitsky was the most public member of Evil Corp: for example, when one of the members of the hacker group was detained for racing in sports cars, Plotnitsky complained on his Instagram that the police were doing the wrong thing: “Judges, cops, officials, lawlessness all around - and they [got to the bottom] races!” The race in which the hackers then participated was held at a speed of 280 km/h - the group's Lamborghinis “erased rubber on the smoothly paved highways of Olympic Sochi”, as they wrote in social networks. With their yellow Lamborghini and ultramarine Audi R8, Evil Corp participants took a lot of pictures in Sochi, which became Evil Corp's favorite resort destination; according to a security official personally acquainted with them, they have not traveled abroad for many years, fearing prosecution.

As the British National Crime Agency wrote in a recent press release, Evil Corp conducted its operations “from the cellars of Moscow cafes.” Meduza found one of them from a photograph published by the British security forces.

The Chianti Cafe on Tatarskaya Street in Moscow, in front of which Maxim Yakubets once used to park his Lamborghini, has since closed; on the door hangs a notice, “Please do not pull the door handle!” - but the handle itself has been torn out. However, the Meduza correspondent didn’t even have to knock to talk with the current owners of the premises - a woman who came up from the basement explained that the cafe had been sold long ago. “See, no people in Lamborghinis. There is a charity fund here now,” she clarified, but failed to recall either the name of the fund or the name of its founder. In SPARK-Interfax, Meduza did not find charitable foundations registered at this address.





Most likely, the choice of a cafe on Tatarskaya Street is explained by the fact that Maxim Yakubets and Alena Benderskaya live on the neighboring Bakhrushin Street, their neighbor told Meduza. “And those cars of theirs stood there for several years - everyone knows them,” the source recalls.

British security officials consider the lifestyle of Evil Corp “the behavior of extravagant millionaires”: an Audi belonging to the group once brought a six-lane road to a halt for several minutes by drifting right in the middle of the carriageway in the center of Moscow; Evil Corp member Denis Gusev and one of those "cashing out" posted photos on social networks where they hold a live lion cub in their hands. In social networks, the cyber fraudsters called themselves “the Most High” and “Oligarchovich”; even the password that Maxim Yakubets invented for his email was “become a millionaire”. The hackers showed self-irony only when choosing registration plates for their luxury cars: on the plates of four of them the word "thief" can be read. Denis Gusev did not answer the questions Meduza sent to him through social networks.

Luxury sports cars have been a weakness of more than one generation of Russian hackers, says an FSB veteran who fought the very first Russian cyber fraudsters. “Young talented guys had to be spotted - the office kept an eye on this. They were caught the same way that, since ancient times, they catch a man who, formally without a ruble in his pocket, suddenly drives a Ferrari. The young people were the same: they immediately bought the coolest thing they could, and tracking such people in the student community was no difficulty at all, because we always had enough informers, thank God. Personally, I had no problems. In 2002, I had to work with one such kid, a student at the Moscow Institute of Physics and Technology: he had a Lamborghini - steel gray, it seems.”

As Meduza found out, almost all cars associated with the group at different times were registered to only one of its members - Dmitry Smirnov. “Smirnov has cars registered to him worth about 100 million [rubles],” says Meduza's interlocutor. In total, in the Evil Corp fleet, according to Meduza sources, there are three Lamborghini Huracan, a Cadillac Escalade, a Chevrolet Camaro, three Mercedes Benz of different models, a Volkswagen Amarok, a Nissan GT-R covered with a pattern of skulls and brass knuckles - and one classic Zhiguli. These are not all of the hackers' cars: the ultramarine Audi is owned by Andrey Plotnitsky, and another gray Lamborghini, which was parked along with the Evil Corp sports cars in Sochi, was once at the disposal of Pavel Driver - this is how the GetContact app identifies the phone connected to the car. Meduza managed to get through to Pavel and ask him about the owner of the car. “The man deals in grain: he buys it here and sells it to Iran, contracts worth millions of dollars. No cybercriminal,” says the driver. “And a Lamborghini is his childhood dream.”


Andrey Plotnitsky (Kovalsky) against two Evil Corp-owned sports cars from left to right: Kirill Slobodskoy, Dmitry Smirnov and Denis Gusev




An interlocutor of Meduza, familiar with the working methods of cybercriminals, suggests that luxury cars could be used by hackers as currency: “Most of the cars were distributed to people by proxy - a Harley Davidson motorcycle, for example, was given to a man who, apparently, simply worked for them as a driver. Sometimes equipment is handed out in the same way just as a reward - I came across this when studying fraudulent crypto projects.”

FSB and DOBRO
The team of Maxim Yakubets is not the only hacker group associated with the FSB. Cooperation with special services gives cybercriminals many advantages, Meduza’s interlocutors say: compared to Evil Corp, for example, the personal fortunes of hackers from the Lurk group, who are also accused of attacks on banks, are more than modest. As Sergei Polyakov, the former lawyer of one of the defendants, told Meduza, “it seemed that they hadn’t stolen so much”: “the old mercenaries and 20 million rubles were seized from the “cashmen”, and three more were seized [during searches] in Tula. My client, a hacker who allegedly stole a billion, is now giving up the last he has for the services of a lawyer; they cope only because the wife works and the mother is a French teacher.”

Aleksandr Safonov, a Lurk participant held in a pre-trial detention center, with whom the Meduza correspondent communicated by correspondence, admitted that Lurk really was in many ways an ineffective “bunch of amateurs.” But shortly before the detentions, the Lurk hackers carried out a couple of hacks together with a much more advanced team of specialists.

Now even the nicknames of these people do not appear in the case file of the Lurk group, Safonov claims. “They cracked dozens of banks. Their own developers, their own set of tools - “tame hackers” of our special services! They were recruited by the FSB under the threat of prison, and the small-scale hired labor was also under the control of the FSB, but less so. Some of the key ones are actually in uniform. Hacks were carried out by order of the curators, and they shared a percentage of the thefts with the special services. And they were allowed to steal everywhere, except for the Russian government feeders - Sberbank, VTB, etc. And everywhere around the world.”

“I suspect that with the person who organized all this, we read the same textbooks and went to the same library,” Meduza’s interlocutor among FSB veterans commented on Safonov’s story.

Alexander Safonov told this story from a pre-trial detention center, on several hand-written pages. Each time, he wrote the name of the hacker group fully controlled by the security forces in capital letters only - DOBRO. Whether these people are connected with Evil Corp - and to which “good” the name of the group refers - Meduza could not find out.

meduza.io/feature/2019/12/11/ruchnye-hakery-ekstravagantnye-millionery