{
	"id": "02930334-6727-4ec1-bddc-72f9f5cdc891",
	"created_at": "2026-04-06T00:15:30.727283Z",
	"updated_at": "2026-04-10T03:33:15.475648Z",
	"deleted_at": null,
	"sha1_hash": "7756165a23ba62cca5f1fc8781f62ba0e68cee92",
	"title": "Inside ‘Evil Corp,’ a $100M Cybercrime Menace",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2201742,
	"plain_text": "Inside ‘Evil Corp,’ a $100M Cybercrime Menace\r\nPublished: 2019-12-16 · Archived: 2026-04-05 17:46:08 UTC\r\nThe U.S. Justice Department this month offered a $5 million bounty for information leading to the arrest and\r\nconviction of a Russian man indicted for allegedly orchestrating a vast, international cybercrime network that\r\ncalled itself “Evil Corp” and stole roughly $100 million from businesses and consumers. As it happens, for\r\nseveral years KrebsOnSecurity closely monitored the day-to-day communications and activities of the accused\r\nand his accomplices. What follows is an insider’s look at the back-end operations of this gang.\r\nImage: FBI\r\nThe $5 million reward is being offered for 32-year-old Maksim V. Yakubets, who the government says went by\r\nthe nicknames “aqua,” and “aquamo,” among others. The feds allege Aqua led an elite cybercrime ring with at\r\nleast 16 others who used advanced, custom-made strains of malware known as “JabberZeus” and “Bugat” (a.k.a.\r\n“Dridex”) to steal banking credentials from employees at hundreds of small- to mid-sized companies in the\r\nUnited States and Europe.\r\nFrom 2009 to the present, Aqua’s primary role in the conspiracy was recruiting and managing a continuous supply\r\nof unwitting or complicit accomplices to help Evil Corp. launder money stolen from their victims and transfer\r\nfunds to members of the conspiracy based in Russia, Ukraine and other parts of Eastern Europe. These\r\naccomplices, known as “money mules,” are typically recruited via work-at-home job solicitations sent out by\r\nemail and to people who have submitted their resumes to job search Web sites.\r\nhttps://krebsonsecurity.com/2019/12/inside-evil-corp-a-100m-cybercrime-menace/\r\nPage 1 of 10\n\nMoney mule recruiters tend to target people looking for part-time, remote employment, and the jobs usually\r\ninvolve little work other than receiving and forwarding bank transfers. 
People who bite on these offers sometimes\r\nreceive small commissions for each successful transfer, but just as often end up getting stiffed out of a promised\r\npayday, and/or receiving a visit or threatening letter from law enforcement agencies that track such crime (more\r\non that in a moment).\r\nHITCHED TO A MULE\r\nKrebsOnSecurity first encountered Aqua’s work in 2008 as a reporter for The Washington Post. A source said\r\nthey’d stumbled upon a way to intercept and read the daily online chats between Aqua and several other mule\r\nrecruiters and malware purveyors who were stealing hundreds of thousands of dollars weekly from hacked\r\nbusinesses.\r\nThe source also discovered a pattern in the naming convention and appearance of several money mule recruitment\r\nWeb sites being operated by Aqua. People who responded to recruitment messages were invited to create an\r\naccount at one of these sites, enter personal and bank account data (mules were told they would be processing\r\npayments for their employer’s “programmers” based in Eastern Europe) and then log in each day to check for new\r\nmessages.\r\nEach mule was given busy work or menial tasks for a few days or weeks prior to being asked to handle money\r\ntransfers. I believe this was an effort to weed out unreliable money mules. After all, those who showed up late for\r\nwork tended to cost the crooks a lot of money, as the victim’s bank would usually try to reverse any transfers that\r\nhadn’t already been withdrawn by the mules.\r\nOne of several sites set up by Aqua and others to recruit and manage money mules.\r\nWhen it came time to transfer stolen funds, the recruiters would send a message through the mule site saying\r\nsomething like: “Good morning [mule name here]. Our client — XYZ Corp. 
— is sending you some money today.\r\nPlease visit your bank now and withdraw this payment in cash, and then wire the funds in equal payments —\r\nminus your commission — to these three individuals in Eastern Europe.”\r\nOnly, in every case the company mentioned as the “client” was in fact a small business whose payroll accounts\r\nthey’d already hacked into.\r\nHere’s where it got interesting. Each of these mule recruitment sites had the same security weakness: Anyone\r\ncould register, and after logging in any user could view messages sent to and from all other users simply by\r\nchanging a number in the browser’s address bar. As a result, it was trivial to automate the retrieval of messages\r\nsent to every money mule registered across dozens of these fake company sites.\r\nSo, each day for several years my morning routine went as follows: Make a pot of coffee; shuffle over to the\r\ncomputer and view the messages Aqua and his co-conspirators had sent to their money mules over the previous\r\n12-24 hours; look up the victim company names in Google; pick up the phone to warn each that they were in the\r\nprocess of being robbed by the Russian Cyber Mob.\r\nMy spiel on all of these calls was more or less the same: “You probably have no idea who I am, but here’s all my\r\ncontact info and what I do. Your payroll accounts have been hacked, and you’re about to lose a great deal of\r\nmoney. You should contact your bank immediately and have them put a hold on any pending transfers before it’s\r\ntoo late. 
Feel free to call me back afterwards if you want more information about how I know all this, but for now\r\nplease just call or visit your bank.”\r\nMessages to and from a money mule working for Aqua’s crew, circa May 2011.\r\nIn many instances, my call would come in just minutes or hours before an unauthorized payroll batch was\r\nprocessed by the victim company’s bank, and some of those notifications prevented what otherwise would have\r\nbeen enormous losses — often several times the amount of the organization’s normal weekly payroll. At some\r\npoint I stopped counting how many tens of thousands of dollars those calls saved victims, but over several years it\r\nwas probably in the millions.\r\nJust as often, the victim company would suspect that I was somehow involved in the robbery, and soon after\r\nalerting them I would receive a call from an FBI agent or from a police officer in the victim’s hometown. Those\r\nwere always interesting conversations. Needless to say, the victims that spun their wheels chasing after me usually\r\nsuffered far more substantial financial losses (mainly because they delayed calling their financial institution until\r\nit was too late).\r\nCollectively, these notifications to Evil Corp.’s victims led to dozens of stories over several years about small\r\nbusinesses battling their financial institutions to recover their losses. I don’t believe I ever wrote about a single\r\nvictim that wasn’t okay with my calling attention to their plight and to the sophistication of the threat facing other\r\ncompanies.\r\nLOW FRIENDS IN HIGH PLACES\r\nAccording to the U.S. Justice Department, Yakubets/Aqua served as leader of Evil Corp. and was responsible for\r\nmanaging and supervising the group’s cybercrime activities in deploying and using the JabberZeus and Dridex\r\nbanking malware. 
The DOJ notes that prior to serving in this leadership role for Evil Corp, Yakubets was also\r\ndirectly associated with Evgeniy “Slavik” Bogachev, a previously designated Russian cybercriminal responsible\r\nfor the distribution of the Zeus, Jabber Zeus, and GameOver Zeus malware schemes who currently has a $3\r\nmillion FBI bounty on his head.\r\nEvgeniy M. Bogachev, in undated photos.\r\nAs noted in previous stories here, during times of conflict with Russia’s neighbors, Slavik was known to retool his\r\ncrime machines to search for classified information on victim systems in regions of the world that were of\r\nstrategic interest to the Russian government – particularly in Turkey and Ukraine.\r\n“Cybercriminals are recruited to Russia’s national cause through a mix of coercion, payments and appeals to\r\npatriotic sentiment,” reads a 2017 story from The Register on security firm Cybereason’s analysis of the Russian\r\ncybercrime scene. “Russia’s use of private contractors also has other benefits in helping to decrease overall\r\noperational costs, mitigating the risk of detection and gaining technical expertise that they cannot recruit directly\r\ninto the government. Combining a cyber-militia with official state-sponsored hacking teams has created the most\r\ntechnically advanced and bold cybercriminal community in the world.”\r\nThis is interesting because the U.S. 
Treasury Department says Yakubets as of 2017 was working for the Russian\r\nFSB, one of Russia’s leading intelligence organizations.\r\n“As of April 2018, Yakubets was in the process of obtaining a license to work with Russian classified information\r\nfrom the FSB,” notes a statement from the Treasury.\r\nThe Treasury Department’s role in this action is key because it means the United States has now imposed\r\neconomic sanctions on Yakubets and 16 accused associates, effectively freezing all property and interests of these\r\npersons (subject to U.S. jurisdiction) and making it a crime to transact with these individuals.\r\nThe Justice Department’s criminal complaint against Yakubets (PDF) mentions several intercepted chat\r\ncommunications between Aqua and his alleged associates in which they puzzle over why KrebsOnSecurity\r\nseemed to know so much about their internal operations and victims. In the following chat conversations\r\n(translated from Russian), Aqua and others discuss a story I wrote for The Washington Post in 2009 about their\r\ntheft of hundreds of thousands of dollars from the payroll accounts of Bullitt County, Ky:\r\ntank: [Are you] there?\r\nindep: Yeah.\r\nindep: Greetings.\r\ntank: http://voices.washingtonpost.com/securityfix/2009/07/an_odyssey_of_fraud_part_ii.html#more\r\ntank: This is still about me.\r\ntank: Originator: BULLITT COUNTY FISCAL Company: Bullitt County Fiscal Court\r\ntank: He is the account from which we cashed.\r\ntank: Today someone else send this news.\r\ntank: I’m reading and thinking: Let me take a look at history. For some reason this name is familiar.\r\ntank: I’m on line and I’ll look. 
Ah, here is this shit.\r\nindep: How are you?\r\ntank: Did you get my announcements?\r\nindep: Well, I congratulate [you].\r\nindep: This is just fuck when they write about you in the news.\r\ntank: Whose [What]?\r\ntank: 😀\r\nindep: Too much publicity is not needed.\r\ntank: Well, so nobody knows who they are talking about.\r\ntank: Well, nevertheless, they were writing about us.\r\naqua: So because of whom did they lock Western Union for Ukraine?\r\naqua: Tough shit.\r\ntank: *************Originator: BULLITT COUNTY FISCAL Company: Bullitt\r\nCounty Fiscal Court\r\naqua: So?\r\naqua: This is the court system.\r\ntank: Shit.\r\ntank: Yes\r\naqua: This is why they fucked [nailed?] several drops.\r\ntank: Yes, indeed.\r\naqua: Well, fuck. Hackers: It’s true they stole a lot of money.\r\nAt roughly the same time, one of Aqua’s crew had a chat with Slavik, who used the nickname “lucky12345” at the\r\ntime:\r\ntank: Are you there?\r\ntank: This is what they damn wrote about me.\r\ntank: http://voices.washingtonpost.com/securityfix/2009/07/an_odyssey_of_fraud_part_ii.html#more\r\ntank: I’ll take a quick look at history\r\ntank: Originator: BULLITT COUNTY FISCAL Company: Bullitt County Fiscal Court\r\ntank: Well, you got [it] from that cash-in.\r\nlucky12345: From 200K?\r\ntank: Well, they are not the right amounts and the cash out from that account was shitty.\r\ntank: Levak was written there.\r\ntank: Because now the entire USA knows about Zeus.\r\ntank: 😀\r\nlucky12345: It’s fucked.\r\nOn Dec. 13, 2009, one of the JabberZeus gang’s money mule recruiters — a crook who used the pseudonym “Jim\r\nRogers” — somehow learned about something I hadn’t shared beyond a few trusted friends at that point: That The\r\nWashington Post had eliminated my job in the process of merging the newspaper’s Web site (where I worked at\r\nthe time) with the dead tree edition. 
The following is an exchange between Jim Rogers and the above-quoted\r\n“tank”:\r\njim_rogers: There is a rumor that our favorite (Brian) didn’t get his contract extension at Washington Post. We are\r\ngiddily awaiting confirmation 🙂 Good news expected exactly by the New Year! Besides us no one reads his\r\ncolumn 🙂\r\ntank: Mr. Fucking Brian Fucking Kerbs!\r\nIn March 2010, Aqua would divulge in an encrypted chat that his crew was working directly with the Zeus author\r\n(Slavik/Lucky12345), but that they found him abrasive and difficult to tolerate:\r\ndimka: I read about the king of seas, was it your handy work?\r\naqua: what are you talking about? show me\r\ndimka: zeus\r\naqua: 🙂\r\naqua: yes, we are using it right now\r\naqua: its developer sits with us on the system\r\ndimka: it’s a popular thing\r\naqua: but, he, fucker, annoyed the hell out of everyone, doesn’t want to write bypass of interactives (scans) and\r\ntrojan penetration 35-40%, bitch\r\naqua: yeah, shit\r\naqua: we need better\r\naqua: http://voices.washingtonpost.com/securityfix read it 🙂 here you find almost everything about us 🙂\r\ndimka: I think everything will be slightly different, if you think so\r\naqua: we, in this system, the big dog, the rest on the system are doing small crap\r\nLater that month, Aqua bemoaned even more publicity about their work, pointing to a KrebsOnSecurity story\r\nabout a sophisticated attack in which their malware not only intercepted a one-time password needed to log in to\r\nthe victim’s bank account, but even modified the bank’s own Web site as displayed in the victim’s browser to\r\npoint to a phony customer support number.\r\nIronically, the fake bank phone number was what tipped off the victim company employee. In this instance, the\r\nvictim’s bank — Fifth Third Bank (referred to as “53” in the chat below) was able to claw back the money stolen\r\nby Aqua’s money mules, but not funds that were taken via fraudulent international wire transfers. 
The\r\ncybercriminals in this chat also complain they will need a newly-obfuscated version of their malware due to public\r\nexposure:\r\naqua: tomorrow, everything should work.\r\naqua: fuck, we need to find more socks for spam.\r\naqua: okay, so tomorrow Petro [another conspirator who went by the nickname Petr0vich] will give us a [new]\r\n.exe\r\njtk: ok\r\njim_rogers: this one doesn’t work\r\njim_rogers: http://www.krebsonsecurity.com/2010/03/crooks-crank-up-volume-of-e-banking-attacks/\r\njim_rogers: here it’s written about my transfer from 53. How I made a number of wires like it said there. And a\r\nwoman burnt the deal because of a fake phone number.\r\nANTI-MULE INITIATIVE\r\nIn tandem with the indictments against Evil Corp, the Justice Department joined with officials from Europol to\r\nexecute a law enforcement action and public awareness campaign to combat money mule activity.\r\n“More than 90% of money mule transactions identified through the European Money Mule Actions are linked to\r\ncybercrime,” Europol wrote in a statement about the action. “The illegal money often comes from criminal\r\nactivities like phishing, malware attacks, online auction fraud, e-commerce fraud, business e-mail compromise\r\n(BEC) and CEO fraud, romance scams, holiday fraud (booking fraud) and many others.”\r\nThe DOJ said U.S. law enforcement disrupted mule networks that spanned from Hawaii to Florida and from\r\nAlaska to Maine. 
Actions were taken to halt the conduct of over 600 domestic money mules, including 30\r\nindividuals who were criminally charged for their roles in receiving victim payments and providing the fraud\r\nproceeds to accomplices.\r\nSome tips from Europol on how to spot money mule recruitment scams dressed up as legitimate job offers.\r\nIt’s good to see more public education about the damage that money mules inflict, because without them most of\r\nthese criminal schemes simply fall apart. Aside from helping to launder funds from banking trojan victims, money\r\nmules often are instrumental in fleecing elderly people taken in by various online confidence scams.\r\nIt’s also great to see the U.S. government finally wielding its most powerful weapon against cybercriminals based\r\nin Russia and other safe havens for such activity: Economic sanctions that severely restrict cybercriminals’ access\r\nto ill-gotten gains and the ability to launder the proceeds of their crimes by investing in overseas assets.\r\nFurther reading:\r\nDOJ press conference remarks on Yakubets\r\nFBI charges announced in malware conspiracy\r\n2019 indictment of Yakubets, Turashev, et al.\r\n2010 Criminal complaint vs. Yakubets, et al.\r\nFBI “wanted” alert on Igor “Enki” Turashev\r\nUS-CERT alert on Dridex\r\nSource: https://krebsonsecurity.com/2019/12/inside-evil-corp-a-100m-cybercrime-menace/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://krebsonsecurity.com/2019/12/inside-evil-corp-a-100m-cybercrime-menace/"
	],
	"report_names": [
		"inside-evil-corp-a-100m-cybercrime-menace"
	],
	"threat_actors": [
		{
			"id": "50068c14-343c-4491-b568-df41dd59551c",
			"created_at": "2022-10-25T15:50:23.253218Z",
			"updated_at": "2026-04-10T02:00:05.234464Z",
			"deleted_at": null,
			"main_name": "Indrik Spider",
			"aliases": [
				"Indrik Spider",
				"Evil Corp",
				"Manatee Tempest",
				"DEV-0243",
				"UNC2165"
			],
			"source_name": "MITRE:Indrik Spider",
			"tools": [
				"Mimikatz",
				"PsExec",
				"Dridex",
				"WastedLocker",
				"BitPaymer",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b296f34c-c424-41da-98bf-90312a5df8ef",
			"created_at": "2024-06-19T02:03:08.027585Z",
			"updated_at": "2026-04-10T02:00:03.621193Z",
			"deleted_at": null,
			"main_name": "GOLD DRAKE",
			"aliases": [
				"Evil Corp",
				"Indrik Spider ",
				"Manatee Tempest "
			],
			"source_name": "Secureworks:GOLD DRAKE",
			"tools": [
				"BitPaymer",
				"Cobalt Strike",
				"Covenant",
				"Donut",
				"Dridex",
				"Hades",
				"Koadic",
				"LockBit",
				"Macaw Locker",
				"Mimikatz",
				"Payload.Bin",
				"Phoenix CryptoLocker",
				"PowerShell Empire",
				"PowerSploit",
				"SocGholish",
				"WastedLocker"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "9806f226-935f-48eb-b138-6616c9bb9d69",
			"created_at": "2022-10-25T16:07:23.73153Z",
			"updated_at": "2026-04-10T02:00:04.729977Z",
			"deleted_at": null,
			"main_name": "Indrik Spider",
			"aliases": [
				"Blue Lelantos",
				"DEV-0243",
				"Evil Corp",
				"G0119",
				"Gold Drake",
				"Gold Winter",
				"Manatee Tempest",
				"Mustard Tempest",
				"UNC2165"
			],
			"source_name": "ETDA:Indrik Spider",
			"tools": [
				"Advanced Port Scanner",
				"Agentemis",
				"Babuk",
				"Babuk Locker",
				"Babyk",
				"BitPaymer",
				"Bugat",
				"Bugat v5",
				"Cobalt Strike",
				"CobaltStrike",
				"Cridex",
				"Dridex",
				"EmPyre",
				"EmpireProject",
				"FAKEUPDATES",
				"FakeUpdate",
				"Feodo",
				"FriedEx",
				"Hades",
				"IEncrypt",
				"LINK_MSIEXEC",
				"MEGAsync",
				"Macaw Locker",
				"Metasploit",
				"Mimikatz",
				"PayloadBIN",
				"Phoenix Locker",
				"PowerShell Empire",
				"PowerSploit",
				"PsExec",
				"QNAP-Worm",
				"Raspberry Robin",
				"RaspberryRobin",
				"SocGholish",
				"Vasa Locker",
				"WastedLoader",
				"WastedLocker",
				"cobeacon",
				"wp_encrypt"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6c4f98b3-fe14-42d6-beaa-866395455e52",
			"created_at": "2023-01-06T13:46:39.169554Z",
			"updated_at": "2026-04-10T02:00:03.23458Z",
			"deleted_at": null,
			"main_name": "Evil Corp",
			"aliases": [
				"GOLD DRAKE"
			],
			"source_name": "MISPGALAXY:Evil Corp",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434530,
	"ts_updated_at": 1775791995,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7756165a23ba62cca5f1fc8781f62ba0e68cee92.pdf",
		"text": "https://archive.orkl.eu/7756165a23ba62cca5f1fc8781f62ba0e68cee92.txt",
		"img": "https://archive.orkl.eu/7756165a23ba62cca5f1fc8781f62ba0e68cee92.jpg"
	}
}