Skip to main contentSkip to navigationSkip to navigation
Hands on computer keyboard
Evil Corp carried out cyber-attacks against undisclosed Nato nations, alongside criminal activities such as deploying ransomware. Photograph: Thomas Trutschel/Photothek/Getty Images
Evil Corp carried out cyber-attacks against undisclosed Nato nations, alongside criminal activities such as deploying ransomware. Photograph: Thomas Trutschel/Photothek/Getty Images

Russia’s FSB protected Evil Corp gang that carried out Nato cyber-attacks

This article is more than 2 months old

NCA says cybercriminal gang used family links to spy agency to shield members targeted by US authorities

A prolific Russian cybercriminal gang carried out attacks against Nato countries at the behest of state intelligence services and used family links with Russia’s domestic spy agency to protect its members after being targeted by US authorities, according to the UK’s National Crime Agency.

The dramatically named Evil Corp group had an unusually close relationship with the Russian state, said the NCA.

The UK’s most senior law enforcement agency said in a briefing published on Tuesday: “Evil Corp held a privileged position, and the relationship between the Russian state and this cybercriminal group went far beyond the typical state-criminal relationship of protection, payoffs and racketeering.”

The group, which operated out of locations in Moscow including a pair of cafes, carried out cyber-attacks and espionage operations against undisclosed Nato countries before 2019 – alongside its day-to-day criminal activities such as deploying ransomware. However, when the group was put under sanctions and some of its members indicted by the US in 2019 it turned to the father-in-law of Evil Corp’s founder for protection.

The NCA said Eduard Benderskiy, the father-in-law of Evil Corp’s leader, Maksim Yakubets, was a former high-ranking official in a unit of Russia’s domestic spy agency, the FSB, and used his connections to protect the group after the US moved against it.

“Benderskiy used his extensive influence to protect the group, both by providing senior members with security and by ensuring they were not pursued by internal Russian authorities,” said the NCA.

The NCA briefing describes Evil Corp as a family-centred operation akin to a traditional organised crime gang, with Yakubets joined by his father, brother and cousins in the business.

The group’s influence has declined since 2019, when authorities released pictures to illustrate Yakubets’s multimillionaire lifestyle, including a camouflaged Lamborghini and a personalised registration plate that spelled out “thief”.

Evil Corp also split with a key member around this time and since then it has developed new strains of ransomware, a malicious form of software that is used to lock up targets’ computer systems – which can then be decrypted in exchange for a ransom payment, typically demanded in bitcoin.

The NCA said Yakubets’s right-hand man, Aleksandr Ryzhenkov – named by the NCA on Tuesday – had teamed up with fellow Russian gang LockBit to use its malware in ransomware attacks.

skip past newsletter promotion

LockBit, whose victims include Royal Mail, runs a so-called ransomware-as-a-service operation in which it leases out its software and support functions in exchange for a cut of any proceeds. The NCA said it had determined that Ryzhenkov was a “LockBit affiliate and has been involved in LockBit ransomware attacks against numerous organisations”.

The NCA and other enforcement agencies have since seized LockBit’s website and the infrastructure behind its attacks, severely affecting the group’s activities in an operation revealed in February.

LockBit has claimed more victims since then, but the NCA believes those are attacks on entities that have been hit by LockBit before – or that the gang is lying in an effort to play down the impact of the NCA operation.

More on this story

More on this story

  • Alder Hey children’s hospital explores ‘data breach’ after ransomware claims

  • Chinese hackers collected audio from Trump campaign adviser’s calls – report

  • Chinese believed to have targeted Trump’s and Vance’s phones in US telecommunications breach

  • Justice department charges Iranian operatives in Trump campaign hack

  • Russia accused of trying to influence US voters through online campaign

  • The good hacker: can Taiwanese activist turned politician Audrey Tang detoxify the internet?

  • Russia’s AI tactics for US election interference are failing, Meta says

  • Kamala Harris campaign says it was targeted by foreign hackers

  • Sellafield apologises after guilty plea over string of cybersecurity failings

  • Is the UK resilient enough to withstand a major cyber-attack?

Most viewed

Most viewed