Evil Corp is an international cybercrime network that uses malicious software to steal money from its victims' bank accounts. In the last decade, Evil Corp has stolen millions of dollars from hundreds of bank accounts worldwide. Many consider Evil Corp to be the world's largest, most harmful hacking group.
Law enforcement has been pursuing Evil Corp for years with limited success. Although the U.S. government indicted the group's leaders in December 2019, they have not yet been arrested, and the group remains active as of this writing. The Department of Justice (DOJ) reported that attacks related to Evil Corp are still occurring.
Evil Corp is named after a fictional multinational corporation from the hacker-themed television show Mr. Robot. The group is allegedly based out of Moscow, Russia.
Summary of criminal cyberattacks
Evil Corp uses multiple different types of malware to infect user machines. Its latest strain of malware, Dridex, uses a combination of techniques to automate the theft of users' banking credentials. Dridex sometimes goes by the name Bugat. The terms are used interchangeably.
Dridex is distributed using massive phishing email campaigns that send millions of messages per day. Targets receive seemingly legitimate emails with an infected link in the body of the message. If the user clicks the link, Dridex is installed on the machine.
From there, the malware infiltrates the web browser, where it can generate fake bank login pages. Users enter their confidential information into the fake website, and Dridex records what they type using a keylogger. It then sends the credentials to a remote Evil Corp server, giving hackers account access and enabling them to steal money. The money is sent to Evil Corp indirectly through a network of money mules -- people that receive stolen money and transfer it to the attacker. This makes it harder for law enforcement to follow the money back to Evil Corp.
More recent modifications to Dridex also help with the installation of ransomware, which renders the target system unusable until the user sends ransom money to the attacker. These modifications came as a result of ransomware's increasing popularity in the late 2010s. Later versions also include features for handling cryptocurrency.
High scalability and adaptability distinguish Evil Corp as a uniquely influential threat to global cybersecurity. This is partially thanks to the organization's alleged leader, Moscow native Maksim Yakubets. Yakubets has been involved with Evil Corp since its involvement with the Zeus banking Trojan in the early 2000s -- Zeus is considered the predecessor to Dridex. During this time, Yakubets was responsible for managing the network of money mules used to launder the stolen funds from Zeus attacks.
As a leader, Yakubets also cultivates a useful network to ensure Evil Corp's far-reaching influence. Some have speculated that he approaches organized crime like a franchise. For example, according to court documents, Yakubets enlisted one U.K. resident by giving them access to Dridex in exchange for $100,00 upfront, plus 50% of revenue or a minimum of $50,000 per week. The resident would perform exploits on Evil Corp's behalf, and Yakubets would provide the malware and technical support. It was also reported that, under Yakubets, Evil Corp was working closely with the Russian government, providing information.
Under his leadership, Evil Corp has netted well over $100 million in stolen funds through its bank fraud scheme. Notable victims include the following:
- Penneco Oil Co., which lost $3.5 million to Evil Corp in two transactions;
- Franciscan Sisters of Chicago, an order of nuns that were robbed of more than $24,000; and
- Arizona Beverages, which lost millions of dollars in sales due to a breakdown of infrastructure caused by ransomware introduced by Dridex.
Evil Corp mainly targets banks in English-speaking countries.
US Justice Department indictments
In December 2019, Yakubets and co-conspirator Igor Turashev were indicted by the U.S. government on 10 separate counts, including the following:
- computer hacking
- wire fraud
- bank fraud
However, because Yakubets and Turashev are Russian citizens, the United States has not been able to arrest them, as of this writing. Instead, the U.S. government has offered a $5 million reward for information leading to Yakubets' arrest. The hope is that the money will sway someone -- maybe even the Russian government -- to turn him in.
Additionally, the act of indicting the cybercriminals is useful even if there is a slim chance of arrest. The indictment exposes them and makes anonymity and travel much more difficult. A hacker without anonymity or the ability to travel is significantly less effective. Exposing the hackers also raises awareness about future attacks.
Getting to this point has been a process for law enforcement from the U.S. and U.K. In 2015, two Ukrainian nationals and one Moldovan national were arrested and pleaded guilty to charges related to Evil Corp and Dridex attacks. In 2020, the most important players have been homed in on, but more must be done to completely mitigate Evil Corp.
Evil Corp in other contexts
The Russian Evil Corp group takes its name from the television show Mr. Robot. In the show, a multinational corporation known as Evil Corp owns most of the world's industry. The show's protagonist is a hacker who aims to breach the company and wrest some power from it.
A Google search for Evil Corp will return a mixture of results referring to the real group and referring to the fictional show. It is possible that the real-life hacking group chose the name in part because it would be more difficult to find information on it, helping minimize its online presence.
Additionally, Google, at one point, adopted the motto "Don't be evil" to counter the general public consensus that large corporations are inherently evil and to demonstrate an interest in corporate social responsibility. This public consensus is well documented in recent news articles, some of which cite Walmart and Monsanto as the quintessential "evil corporation." A Japanese committee of journalists also issues an annual award -- called a corporate raspberry award -- to the most evil corporation of the year.