{
	"id": "6c92fa20-cbe7-4ef2-ba5c-3053ce974792",
	"created_at": "2026-04-06T03:37:00.688796Z",
	"updated_at": "2026-04-10T13:12:07.741992Z",
	"deleted_at": null,
	"sha1_hash": "fa96586c709f3b44258afb5fe85fc2d983334d6d",
	"title": "Treasury Sanctions Members of the Russia-Based Cybercriminal Group Evil Corp in Tri-Lateral Action with the United Kingdom and Australia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 212064,
	"plain_text": "Treasury Sanctions Members of the Russia-Based Cybercriminal\r\nGroup Evil Corp in Tri-Lateral Action with the United Kingdom\r\nand Australia\r\nPublished: 2026-02-13 · Archived: 2026-04-06 03:20:37 UTC\r\nThe United States takes additional action against the Russia-based cybercriminal group Evil Corp, identifying and\r\nsanctioning additional members and affiliates\r\nWASHINGTON — Today, the Department of the Treasury’s Office of Foreign Assets Control (OFAC) is\r\ndesignating seven individuals and two entities associated with the Russia-based cybercriminal group Evil Corp, in\r\na tri-lateral action with the United Kingdom’s Foreign, Commonwealth \u0026 Development Office (FCDO) and\r\nAustralia’s Department of Foreign Affairs and Trade (DFAT). On December 5, 2019, OFAC designated Evil Corp,\r\nits leader and founder Maksim Viktorovich Yakubets and over a dozen Evil Corp members, facilitators, and\r\naffiliated companies pursuant to Executive Order (E.O.) 13694, as amended by E.O. 13757 (“E.O. 13694, as\r\namended”). The United Kingdom and Australia are concurrently designating select Evil Corp-affiliated individuals\r\ndesignated by OFAC today or in 2019. Additionally, the U.S. Department of Justice has unsealed an indictment\r\ncharging one Evil Corp member in connection with his use of BitPaymer ransomware targeting victims in the\r\nUnited States. Today’s designation also coincides with the second day of the U.S.-hosted Counter Ransomware\r\nInitiative summit which involves over 50 countries working together to counter the threat of ransomware.  \r\n“Today’s trilateral action underscores our collective commitment to safeguard against cybercriminals like\r\nransomware actors, who seek to undermine our critical infrastructure and threaten our citizens,” said Acting Under\r\nSecretary of the Treasury for Terrorism and Financial Intelligence Bradley T. Smith. 
“The United States, in close\r\ncoordination with our allies and partners, including through the Counter Ransomware Initiative, will continue to\r\nexpose and disrupt the criminal networks that seek personal profit from the pain and suffering of their victims.”\r\nEvil Corp is a Russia-based cybercriminal organization responsible for the development and distribution of the\r\nDridex malware. Evil Corp has used the Dridex malware to infect computers and harvest login credentials from\r\nhundreds of banks and other financial institutions in over 40 countries, resulting in more than $100 million in theft\r\nlosses and damage suffered by U.S. and international financial institutions and their customers. In a concurrent\r\naction with OFAC’s December 2019 sanctions designations, the U.S. Department of Justice indicted Maksim and\r\nEvil Corp administrator Igor Turashev on criminal charges related to computer hacking and bank fraud schemes,\r\nand the U.S. Department of State’s Transnational Organized Crime Rewards Program issued a reward for\r\ninformation of up to $5 million leading to the capture and/or conviction of Maksim.\r\nAdditionally, Maksim used his employment at the Russian National Engineering Corporation (NIK) as cover for\r\nhis ongoing criminal activities linked to Evil Corp. The NIK was established by Igor Yuryevich Chayka (Chayka),\r\nson of Russian Security Council member Yuriy Chayka, and his associate Aleksei Valeryavich Troshin (Troshin).\r\nIn October 2022, OFAC designated Chayka, Troshin, and NIK pursuant to E.O. 14024. 
\r\nhttps://home.treasury.gov/news/press-releases/jy2623\r\nPage 1 of 5\n\nEvil Corp Members and Affiliates \r\nEduard Benderskiy (Benderskiy), a former Spetsnaz officer of the Russian Federal Security Service (FSB), which\r\nis designated under numerous OFAC sanctions authorities, current Russian businessman, and the father-in-law of\r\nEvil Corp’s leader Maksim Viktorovich Yakubets (Maksim), has been a key enabler of Evil Corp’s relationship\r\nwith the Russian state. Benderskiy leveraged his status and contacts to facilitate Evil Corp’s developing\r\nrelationships with officials of the Russian intelligence services. After the December 2019 sanctions and\r\nindictments against Evil Corp and Maksim, Benderskiy used his extensive influence to protect the group.  \r\nWhile he has no official position in the Russian government, Benderskiy portrays himself as an aide to the\r\nRussian Duma. Around 2017, one of Benderskiy’s private security firms was involved in providing security for\r\nIraq-based facilities operated by the Russian oil company Lukoil OAO. This same private security firm has been\r\nlauded by the FSB, the Russian Ministry of Foreign Affairs, the Russian Duma, and other Russian government\r\nbodies. \r\nFrom at least 2016, Maksim had business interactions with Aleksandr Tikhonov (Tikhonov), former commander\r\nof the FSB Special Purpose Center, Russian government leaders, including OFAC-designated persons Dmitry\r\nKozak (Kozak) and Gleb Khor, and leaders of prominent Russian banks like OFAC-designated person Herman\r\nGref (Gref), the Chief Executive Officer of Sberbank. In 2019, Benderskiy used his connections to facilitate a\r\nbusiness deal that included Maksim and Kozak, which they believed would earn tens of millions of dollars per\r\nmonth. In the same year, Benderskiy hosted a meeting with Maksim and Gref to discuss business contracts with\r\nNIK.  
\r\nAfter the December 2019 sanctions and indictments against Evil Corp and Maksim, Maksim sought out\r\nBenderskiy’s guidance. Benderskiy used his extensive influence to protect the group, including his son-in-law,\r\nboth by providing senior members with security and by ensuring they were not pursued by Russian internal\r\nauthorities. \r\nOFAC designated Benderskiy pursuant to E.O. 14024 for being owned or controlled, or having acted or purported\r\nto act for or on behalf of, directly or indirectly, the Government of the Russian Federation, and pursuant to\r\nE.O. 13694, as amended, for having materially assisted, sponsored, or provided financial, material, or\r\ntechnological support, or goods or services in support of, Maksim, a person whose property and interests in\r\nproperty are blocked pursuant to E.O. 13694, as amended.  \r\nBenderskiy is the general director, founder, and 100 percent owner of the Russia-based business and management\r\nconsulting companies Vympel-Assistance LLC and Solar-Invest LLC. OFAC designated Vympel-Assistance\r\nLLC and Solar-Invest LLC pursuant to E.O. 14024 and E.O. 13694, as amended, for being owned or controlled, or\r\nhaving acted or purported to act for or on behalf of, directly or indirectly, Benderskiy, a person whose property\r\nand interests in property are blocked pursuant to E.O. 14024 and E.O. 13694, as amended.\r\nViktor Grigoryevich Yakubets (Viktor) is Maksim’s father and a member of Evil Corp. In 2020, Viktor likely\r\nprocured technical equipment in furtherance of Evil Corp’s operations. OFAC designated Viktor pursuant to\r\nE.O. 13694, as amended, for having materially assisted, sponsored, or provided financial, material, or\r\ntechnological support, or goods or services in support of, Evil Corp, a person whose property and interests in\r\nproperty are blocked pursuant to E.O. 13694, as amended.  
\r\nMaksim has been careful about exposing different group members to different areas of business; however, he\r\nplaced a lot of trust in his long-term associate and second-in-command, Aleksandr Viktorovich Ryzhenkov\r\n(Aleksandr Ryzhenkov). Maksim started working with Aleksandr Ryzhenkov around 2013 while they were both\r\nstill involved in the “Business Club” group. Their partnership endured, and they worked together on the\r\ndevelopment of a number of Evil Corp’s most prolific ransomware strains. In 2016, Aleksandr Ryzhenkov, who is\r\nassociated with the online moniker “Guester” (a pseudonym he has used while conducting operations on behalf of\r\nEvil Corp), sought to acquire internet bots in an Evil Corp operation targeting Switzerland-based targets. Since at\r\nleast mid-2017, Aleksandr Ryzhenkov served as an interlocutor for Maksim with most of the Evil Corp members\r\nand oversaw operations of the cybercriminal group. In mid-2017, Aleksandr Ryzhenkov targeted a New York-based bank. Following the December 2019 sanctions and indictment, Maksim and Aleksandr Ryzhenkov returned\r\nto operations targeting U.S.-based victims. In 2020, Aleksandr Ryzhenkov worked with Maksim to develop\r\n“Dridex 2.0.” \r\nSergey Viktorovich Ryzhenkov (Sergey Ryzhenkov), Aleksey Yevgenevich Shchetinin (Shchetinin), Beyat\r\nEnverovich Ramazanov (Ramazanov), and Vadim Gennadievich Pogodin (Pogodin) are members of Evil Corp\r\nwho have provided general support to the cybercriminal group’s activities and operations. \r\nIn 2019, Sergey Ryzhenkov, the brother of Aleksandr Ryzhenkov, helped to move Evil Corp operations to a new\r\noffice. In 2020, after Evil Corp’s sanctions designation and indictment, Sergey Ryzhenkov helped Aleksandr\r\nRyzhenkov and Maksim develop “Dridex 2.0” malware. 
In 2017 through at least 2018, Shchetinin worked with\r\nseveral other Evil Corp members, including Denis Igorevich Gusev, Dmitriy Konstantinovich Smirnov, and\r\nAleksei Bashlikov, to purchase and exchange millions of dollars’ worth of virtual and fiat currencies. In\r\nearly 2020, Pogodin played a crucial role in an Evil Corp ransomware attack, and in mid-2020, he contributed to\r\nan Evil Corp ransomware attack on a U.S. company. \r\nOFAC designated Aleksandr Ryzhenkov, Sergey Ryzhenkov, Shchetinin, Ramazanov, and Pogodin pursuant to\r\nE.O. 13694, as amended, for having materially assisted, sponsored, or provided financial, material, or\r\ntechnological support, or goods or services in support of, Evil Corp, a person whose property and interests in\r\nproperty are blocked pursuant to E.O. 13694, as amended.  \r\nIn addition to today’s sanctions designations, the U.S. Department of Justice has unsealed an indictment charging\r\nAleksandr Ryzhenkov with using the BitPaymer ransomware variant to target numerous victims throughout the\r\nUnited States. Aleksandr Ryzhenkov used a variety of methods to intrude into computer systems and used his ill-gotten access to demand millions of dollars in ransom. The Federal Bureau of Investigation published a wanted\r\nposter for Aleksandr Ryzhenkov for his alleged involvement in ransomware attacks and money laundering\r\nactivities.  Also today, the United Kingdom designated 15 and Australia designated three Evil Corp members and\r\naffiliates.\r\nSANCTIONS IMPLICATIONS\r\nAs a result of today’s action, all property and interests in property of the designated persons described above that\r\nare in the United States or in the possession or control of U.S. persons are blocked and must be reported to OFAC.\r\nIn addition, any entities that are owned, directly or indirectly, individually or in the aggregate, 50 percent or more\r\nby one or more blocked persons are also blocked. 
Unless authorized by a general or specific license issued by\r\nOFAC, or exempt, OFAC’s regulations generally prohibit all transactions by U.S. persons or within (or transiting)\r\nthe United States that involve any property or interests in property of designated or otherwise blocked persons. \r\nIn addition, financial institutions and other persons that engage in certain transactions or activities with the\r\nsanctioned persons may expose themselves to sanctions or be subject to an enforcement action. The prohibitions\r\ninclude the making of any contribution or provision of funds, goods, or services by, to, or for the benefit of any\r\ndesignated person, or the receipt of any contribution or provision of funds, goods, or services from any such\r\nperson. \r\nThe power and integrity of OFAC sanctions derive not only from OFAC’s ability to designate and add persons to\r\nthe SDN List, but also from its willingness to remove persons from the SDN List consistent with the law. The\r\nultimate goal of sanctions is not to punish, but to bring about a positive change in behavior. For information\r\nconcerning the process for seeking removal from an OFAC list, including the SDN List, please refer to OFAC’s\r\nFrequently Asked Question 897 here. For detailed information on the process to submit a request for removal from\r\nan OFAC sanctions list, please click here.\r\nSee OFAC’s updated Advisory on Potential Sanctions Risk for Facilitating Ransomware Payments for information\r\non the actions that OFAC would consider to be mitigating factors in any related enforcement action involving\r\nransomware payments with a potential sanctions risk. 
For information on complying with sanctions applicable to\r\nvirtual currency, see OFAC’s Sanctions Compliance Guidance for the Virtual Currency Industry.\r\nClick here for more information on the individuals and entities designated today.\r\n###\r\nSource: https://home.treasury.gov/news/press-releases/jy2623",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://home.treasury.gov/news/press-releases/jy2623"
	],
	"report_names": [
		"jy2623"
	],
	"threat_actors": [
		{
			"id": "91ff2504-6c1a-4eaa-832b-2c5e297426c5",
			"created_at": "2022-10-25T16:47:55.740817Z",
			"updated_at": "2026-04-10T02:00:03.678203Z",
			"deleted_at": null,
			"main_name": "GOLD EVERGREEN",
			"aliases": [
				"The Business Club"
			],
			"source_name": "Secureworks:GOLD EVERGREEN",
			"tools": [
				"CryptoLocker",
				"JabberZeus",
				"Pony",
				"Zeus"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "50068c14-343c-4491-b568-df41dd59551c",
			"created_at": "2022-10-25T15:50:23.253218Z",
			"updated_at": "2026-04-10T02:00:05.234464Z",
			"deleted_at": null,
			"main_name": "Indrik Spider",
			"aliases": [
				"Indrik Spider",
				"Evil Corp",
				"Manatee Tempest",
				"DEV-0243",
				"UNC2165"
			],
			"source_name": "MITRE:Indrik Spider",
			"tools": [
				"Mimikatz",
				"PsExec",
				"Dridex",
				"WastedLocker",
				"BitPaymer",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "0a03e7f0-2f75-4153-9c4f-c46d12d3962e",
			"created_at": "2022-10-25T15:50:23.453824Z",
			"updated_at": "2026-04-10T02:00:05.28793Z",
			"deleted_at": null,
			"main_name": "Ke3chang",
			"aliases": [
				"Ke3chang",
				"APT15",
				"Vixen Panda",
				"GREF",
				"Playful Dragon",
				"RoyalAPT",
				"Nylon Typhoon"
			],
			"source_name": "MITRE:Ke3chang",
			"tools": [
				"Okrum",
				"Systeminfo",
				"netstat",
				"spwebmember",
				"Mimikatz",
				"Tasklist",
				"MirageFox",
				"Neoichor",
				"ipconfig"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b296f34c-c424-41da-98bf-90312a5df8ef",
			"created_at": "2024-06-19T02:03:08.027585Z",
			"updated_at": "2026-04-10T02:00:03.621193Z",
			"deleted_at": null,
			"main_name": "GOLD DRAKE",
			"aliases": [
				"Evil Corp",
				"Indrik Spider ",
				"Manatee Tempest "
			],
			"source_name": "Secureworks:GOLD DRAKE",
			"tools": [
				"BitPaymer",
				"Cobalt Strike",
				"Covenant",
				"Donut",
				"Dridex",
				"Hades",
				"Koadic",
				"LockBit",
				"Macaw Locker",
				"Mimikatz",
				"Payload.Bin",
				"Phoenix CryptoLocker",
				"PowerShell Empire",
				"PowerSploit",
				"SocGholish",
				"WastedLocker"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "9806f226-935f-48eb-b138-6616c9bb9d69",
			"created_at": "2022-10-25T16:07:23.73153Z",
			"updated_at": "2026-04-10T02:00:04.729977Z",
			"deleted_at": null,
			"main_name": "Indrik Spider",
			"aliases": [
				"Blue Lelantos",
				"DEV-0243",
				"Evil Corp",
				"G0119",
				"Gold Drake",
				"Gold Winter",
				"Manatee Tempest",
				"Mustard Tempest",
				"UNC2165"
			],
			"source_name": "ETDA:Indrik Spider",
			"tools": [
				"Advanced Port Scanner",
				"Agentemis",
				"Babuk",
				"Babuk Locker",
				"Babyk",
				"BitPaymer",
				"Bugat",
				"Bugat v5",
				"Cobalt Strike",
				"CobaltStrike",
				"Cridex",
				"Dridex",
				"EmPyre",
				"EmpireProject",
				"FAKEUPDATES",
				"FakeUpdate",
				"Feodo",
				"FriedEx",
				"Hades",
				"IEncrypt",
				"LINK_MSIEXEC",
				"MEGAsync",
				"Macaw Locker",
				"Metasploit",
				"Mimikatz",
				"PayloadBIN",
				"Phoenix Locker",
				"PowerShell Empire",
				"PowerSploit",
				"PsExec",
				"QNAP-Worm",
				"Raspberry Robin",
				"RaspberryRobin",
				"SocGholish",
				"Vasa Locker",
				"WastedLoader",
				"WastedLocker",
				"cobeacon",
				"wp_encrypt"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "adfbe698-24b2-41fc-a701-781fef330b16",
			"created_at": "2024-01-09T02:00:04.17648Z",
			"updated_at": "2026-04-10T02:00:03.504826Z",
			"deleted_at": null,
			"main_name": "GREF",
			"aliases": [],
			"source_name": "MISPGALAXY:GREF",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6c4f98b3-fe14-42d6-beaa-866395455e52",
			"created_at": "2023-01-06T13:46:39.169554Z",
			"updated_at": "2026-04-10T02:00:03.23458Z",
			"deleted_at": null,
			"main_name": "Evil Corp",
			"aliases": [
				"GOLD DRAKE"
			],
			"source_name": "MISPGALAXY:Evil Corp",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "17b1b76b-16da-4c4f-8b32-f6fede3eda8c",
			"created_at": "2022-10-25T16:07:23.750796Z",
			"updated_at": "2026-04-10T02:00:04.736762Z",
			"deleted_at": null,
			"main_name": "Ke3chang",
			"aliases": [
				"APT 15",
				"BackdoorDiplomacy",
				"Bronze Davenport",
				"Bronze Idlewood",
				"Bronze Palace",
				"CTG-9246",
				"G0004",
				"G0135",
				"GREF",
				"Ke3chang",
				"Metushy",
				"Nylon Typhoon",
				"Operation Ke3chang",
				"Operation MirageFox",
				"Playful Dragon",
				"Playful Taurus",
				"PurpleHaze",
				"Red Vulture",
				"Royal APT",
				"Social Network Team",
				"Vixen Panda"
			],
			"source_name": "ETDA:Ke3chang",
			"tools": [
				"Agentemis",
				"Anserin",
				"BS2005",
				"BleDoor",
				"CarbonSteal",
				"Cobalt Strike",
				"CobaltStrike",
				"DarthPusher",
				"DoubleAgent",
				"EternalBlue",
				"GoldenEagle",
				"Graphican",
				"HenBox",
				"HighNoon",
				"IRAFAU",
				"Ketrican",
				"Ketrum",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"MS Exchange Tool",
				"Mebroot",
				"Mimikatz",
				"MirageFox",
				"NBTscan",
				"Okrum",
				"PluginPhantom",
				"PortQry",
				"ProcDump",
				"PsList",
				"Quarian",
				"RbDoor",
				"RibDoor",
				"Royal DNS",
				"RoyalCli",
				"RoyalDNS",
				"SAMRID",
				"SMBTouch",
				"SilkBean",
				"Sinowal",
				"SpyWaller",
				"Theola",
				"TidePool",
				"Torpig",
				"Turian",
				"Winnti",
				"XSLCmd",
				"cobeacon",
				"nbtscan",
				"netcat",
				"spwebmember"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775446620,
	"ts_updated_at": 1775826727,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fa96586c709f3b44258afb5fe85fc2d983334d6d.pdf",
		"text": "https://archive.orkl.eu/fa96586c709f3b44258afb5fe85fc2d983334d6d.txt",
		"img": "https://archive.orkl.eu/fa96586c709f3b44258afb5fe85fc2d983334d6d.jpg"
	}
}