Organizer of hitmen from FSB's Vympel unit, along with six other Russians, accused of collaborating with hacker group Evil Corp

by admin

Cover photo: National Crime Agency (UK)

The U.S. Department of the Treasury, the UK’s Foreign, Commonwealth & Development Office (FCDO), and Australia’s Department of Foreign Affairs and Trade (DFAT) have imposed sanctions on seven Russians and two Russian companies allegedly linked to the hacker group Evil Corp, according to a joint trilateral investigation by the three countries. The group’s leader, Maksim Yakubets, was indicted in the U.S. and sanctioned in 2019, along with several other members of the group.

The identities of some of the associated Russians have been revealed for the first time. The joint investigation determined that Eduard Benderskiy, the organizer of a hitman group from the FSB’s Vympel unit, was involved with the group. (The Insider previously reported on Vympel in connection with an investigation into the assassination of former Chechen field commander and asylum seeker Zelimkhan Khangoshvili in a Berlin park in 2019.) Viktor Yakubets, the Evil Corp leader’s father, and Maksim’s brother, Artem Yakubets, were also sanctioned, along with Yakubets' friend Aleksandr Ryzhenkov and Aleksandr’s brother Sergey.

U.S. investigators noted that Maksim Yakubets' relationship with Benderskiy — his father-in-law — as well as his employment at Russia’s National Engineering Corporation (NIK, ОАО «НИК»), where Igor Chayka, son of Russian Security Council member Yuriy Chayka, is a major investor, helped the hacker and his team operate without attracting the attention of law enforcement.

Organizer of hitmen from FSB's Vympel unit, along with six other Russians, accused of collaborating with hacker group Evil Corp

As the UK's National Crime Agency stated in its eight-page investigation summary:

“Evil Corp held a privileged position, and the relationship between the Russian state and this cybercriminal group went far beyond the typical state-criminal relationship of protection, payoffs and racketeering. In fact, prior to 2019, Evil Corp were tasked by Russian Intelligence Services to conduct cyber-attacks and espionage operations against NATO allies. Liaison with the intelligence services was led by Maksim Yakubets.

As Evil Corp evolved, he became the group’s main contact with Russian officials, developing or seeking to develop relationships with FSB, SVR and GRU officials. Multiple other members of the Evil Corp group have their own ties with the Russian state. In particular, Yakubets’ father-in-law, Eduard Benderskiy, was a key enabler of Evil Corp’s state relationships.”

The evolution of Evil Corp

According to the investigation, Maksim Yakubets turned hacking banks and companies into a family business. He brought in his father, Viktor Yakubets, who was previously involved in money laundering, as well as his brother Artem and cousins Kirill and Dmitry Slobodskoy.

Between 2011 and 2014, Yakubets met Aleksandr Ryzhenkov and Igor Turashev, who, along with other group members, were engaged in fraudulent transfers involving a number of UK banks. By 2014, they developed the Dridex malware, using it to “infect computers and harvest login credentials from hundreds of banks and other financial institutions in over 40 countries, resulting in more than $100 million in theft losses and damage suffered by U.S. and international financial institutions and their customers,” as per the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC).

The group then shifted to a model that enabled other criminals to “rent” the malware and management panel to steal or extort money from organizations and corporations (known as the “Ransomware-as-aService”, or RaaS model).

Organizer of hitmen from FSB's Vympel unit, along with six other Russians, accused of collaborating with hacker group Evil Corp

A similar model was later adopted by the LockBit group. According to UK officials, Evil Corp began using LockBit's infrastructure for their attacks in 2022.

Suspected members of Evil Corp

The U.S. imposed sanctions on seven Russian nationals. They are:

  • Eduard Vitalevich Benderskiy (Maksim Yakubets' father-in-law)
  • Vadim Gennadyevich Pogodin
  • Beyat Enverovich Ramazanov
  • Aleksandr Viktorovich Ryzhenkov (Maksim Yakubets’ friend and long-term business partner)
  • Sergey Viktorovich Ryzhenkov (Aleksandr Ryzhenkov's brother)
  • Aleksey Evgenyevich Shchetinin
  • Viktor Grigoryevich Yakubets (Maksim Yakubets' father)

The FBI has put out a wanted notice for Aleksandr Ryzhenkov, who is “believed to reside in Russia, possibly Moscow.”

Organizer of hitmen from FSB's Vympel unit, along with six other Russians, accused of collaborating with hacker group Evil Corp

Sanctions were also imposed on Vympel-Assistance LLC and Solar-Invest LLC — companies owned by Eduard Benderskiy — in connection with the Evil Corp case. Other companies and public organizations associated with Benderskiy have not been subject to U.S. sanctions.

Who is Eduard Benderskiy?

The 54-year-old Benderskiy graduated from the Ryazan Airborne School in 1991 and then served in the “Separate Training Center” of the USSR’s KGB (the official name for the “Vympel” special operations, or “spetsnaz” unit). In the 1990s, he led the private security company “Vympel-A,” which later grew into one of the largest firms of its kind in Russia. In the early 2000s, he headed the “Vympel” Special Forces Veterans Public Organization. Benderskiy's security companies gained the exclusive right to protect Russian oil facilities in Iraq in 2016–2017, effectively performing the role of a private military company.

Read also:
UK imposes “largest sanctions” to date against Russia’s shadow fleet of oil tankers

The “Vympel” unit was also where Vadim Krasikov served — Krasikov, who was returned to Russia in August as part of the largest prisoner exchange since the end of the Cold War, is the operative who was hired to assassinate Zelimkhan Khangoshvili, a Georgian citizen of Chechen origin, in Berlin's Kleiner Tiergarten park in 2019. According to a 2020 investigation by The Insider, Krasikov was in regular contact with Benderskiy, particularly in the period leading up to Khangoshvili's murder.

Benderskiy’s daughter, Alena, met and began traveling everywhere with Maksim Yakubets and other Evil Corp members around 2016–2017, as reported by the independent Russian publication Meduza. They had an extravagant wedding in 2017, details of which were covered in a Radio Liberty investigation. Thus Yakubets, who had been involved in bank hacking for several years, became connected by marriage to Benderskiy, who had strong ties to Russia’s intelligence services.

Organizer of hitmen from FSB's Vympel unit, along with six other Russians, accused of collaborating with hacker group Evil Corp

Benderskiy is also known as an avid hunter. In 2016, he wrote a letter to Russian Deputy Prime Minister Alexander Khloponin requesting “five permits for the hunting of the Putorana snow sheep,” as reported by Meduza, which obtained the letter. In exchange, Benderskiy offered that his club would “assist in funding conservation programs for this subspecies in the amount of 15 million rubles” — close to $225,000 at that time. The Putorana snow sheep (Ovis nivicola borealis), listed in the Red Data Book of Russia, had an estimated population of around 800 at the time of his request; it later declined to 500.

Who is Aleksandr Ryzhenkov?

Aleksandr Ryzhenkov’s name surfaced in connection with Evil Corp for the first time on Oct. 1, 2024. The Insider obtained court documents filed in the U.S. that accused him of fraud, conspiracy, hacking into U.S. computer systems, and conspiracy to launder money. An arrest warrant for Ryzhenkov was issued in Mar. 2023, but this fact only became known recently.

Ryzhenkov, 31, was born in Uzbekistan, lived in Moscow and the Moscow suburb of Khimki, and is known by aliases including Sanya Maloy, Mrakobek, J.d.m0rr1s0n, Jim Morrison, Lizardking, and CHERDAKMUDAK.

According to the investigation, Ryzhenkov began committing cybercrimes against U.S. companies in the summer of 2017. He used the BitPaymer ransomware program, which experts believe shares similarities with Dridex, originally used by Evil Corp hackers.

According to FBI data, in the summer of 2017 Ryzhenkov searched online for information on Bitcoin extortion, ransomware hacker activities, and methods for deleting computer backups — a tactic often employed by ransomware hackers to pressure victims into paying a ransom. At the time, leaked bailiff service data revealed that he had accumulated numerous debts from multiple small loans.

Ryzhenkov remained with Yakubets' team even after a split in the group in 2019, as indicated by British investigators, and together they continued working on a new ransomware virus, later named WastedLocker.

After 2022, many Evil Corp members left the group, but Yakubets and Ryzhenkov continued to commit attacks using ransomware. The UK’s National Crime Agency established that Ryzhenkov, in particular, became a “partner” of LockBit — a ransomware ecosystem sold on underground forums. In 2022, LockBit became the most widespread ransomware in the world. The Canadian Communications Security Establishment noted that LockBit might be responsible for 44% of all such malware attacks globally. In Feb. 2024, the U.S. Department of Justice announced that a joint operation with the FBI and UK’s NCA dismantled LockBit’s infrastructure. The NCA also stated that Ryzhenkov was heavily involved in LockBit attacks.

“Today’s charges against Ryzhenkov detail how he and his conspirators stole the sensitive data of innocent Americans and then demanded ransom,” commented Deputy Attorney General Lisa Monaco. The investigation into Ryzhenkov and other members of Evil Corp continues.

You may also like