
The FSB’s personal hackers

How Evil Corp, the world’s most powerful hacking collective, takes advantage of its deep family ties in the Russian intelligence community

Source: Meduza
Samuel Corum / Getty Images / AFP / Scanpix / LETA

On December 5, the U.S. government formally indicted members of the Russian hacker group “Evil Corp.” Washington says these men are behind “the world’s most egregious cyberattacks,” causing hundreds of millions of dollars in damages to banks. The Justice Department believes Evil Corp’s leader is Maxim Yakubets, who remains at large and was still actively involved in hacking activities as recently as March 2019. Meduza investigative journalist Liliya Yapparova discovered that Evil Corp’s hackers belong to the families of high-ranking Russian state bureaucrats and security officials. She also learned more about the Russian intelligence community’s close ties to Maxim Yakubets, whose arrest is now worth $5 million to the United States.

The first hints of international fame reached Maxim Yakubets and his hacker collective in July 2009, when Yakubets was only 22 years old. He had stolen $415,000 from the treasury of Bullitt County in far western Kentucky, earning the “Ukrainian hackers” a spot in The Washington Post. While others in the group congratulated Yakubets in messages later revealed by the FBI (“this is fucking crazy — you’re in the news, man!”), he only lamented that the newspaper had “described the entire scheme.”

Ten years later, Yakubets has taken over the hacker group and named it “Evil Corp.” He zooms around Moscow in a Lamborghini Huracan. When we searched for his cell phone number in the GetContact app, it revealed that his Moscow friends have him labeled in their phones only as “Mister Prosecutor.”

Real prosecutors have likewise taken notice of the largely Ukrainian-born but Russian-resident group. The states of Nebraska and Pennsylvania have issued indictments against Yakubets; the reward for information leading to his capture, $5 million, is the largest ever offered for a cybercriminal.

The U.S. Department of the Treasury has even gone further, saying the notorious hacker has not only acted in his own financial interests but also began stealing confidential documents for Russia’s Federal Security Service (FSB) in 2017. Russia’s Foreign Ministry called that accusation a “propagandistic attack,” but Meduza has discovered that the Americans are probably right. Not only does Evil Corp work with Russian intelligence; multiple members of the group are close relatives of Russian government and intelligence officials.

Quid pro quo

Maxim Yakubets’s apartment in Moscow was first searched by Russian law enforcement on November 24, 2010. He was home at the time, as was his first wife. They hadn’t been hard to find: Yakubets used the same email address for his hacking work that he used to get a stroller for their one-year-old son delivered to his address. While the information unearthed during the search was passed on to the American government, Russian officials did not take the criminal case against Yakubets any further.

Multiple sources told Meduza that what happened next was extremely predictable. One FSB veteran whose job involved wrangling hackers said, “If it turns out during the first encounter that they’re just cold, then those folks don’t live long. The rest start to collaborate.” This strategy, the source added, has been in place since the 1990s in the Russian intelligence community. In his words, as soon as “the first technical college student from a humble background brought a Ferrari out onto the streets of Moscow,” FSB agents started recruiting — both getting the cybercrime business under control and making it their own.

Karen Kazaryan, the CEO of the Internet Research Institute, and Ruslan Stoyanov, a high-level manager at Kaspersky Lab who is currently serving time for treason in Russia, both added that the arrangement between Russian intelligence officials and hackers is a two-way quid pro quo. The hackers work for the spies and avoid attacking Russian assets; the spies, in turn, don’t prosecute the hackers, allowing them to obtain incredible wealth and pursue eccentric hobbies. “They really do put people in jail very rarely, and even then, it’s just to check a box,” Kazaryan explained.

An Evil Corp member poses with a live lion or liger cub.
From a social media account belonging to “Denis Afinov”

A convenient marriage

In the summer of 2016, Evil Corp’s attacks slowed significantly for a while. After releasing a burst of phishing emails on August 15 and 16, Maxim Yakubets spent the rest of the month at Crimea’s most expensive resort, Mriya Resort & SPA, spending more than a million rubles ($15,800) a week. He was there with Alyona Benderskaya, who, according to flight records, frequently came along on vacations with Evil Corp members. The group prefers domestic destinations like Sochi or annexed ones like Crimea; for them, traveling abroad carries a high risk of arrest and extradition to the United States.

In the summer of 2017, Benderskaya and Yakubets traveled to Russia’s Lake Baikal, renting a lodge that is marked as complimentary for honeymooning couples. While we couldn’t find information on whether Benderskaya and Yakubets’s marriage is officially registered, Radio Svoboda and British intelligence officials have both noted that the two held a lavish, exclusive wedding ceremony. Following that wedding, all open-source or partially open-source information about Yakubets’s activities and those of his fellow Evil Corp hackers stopped updating on the Internet, a change that may have something to do with the identity of his bride.

Maxim Yakubets and Alyona Benderskaya.
Frame from a video by the Karamel wedding agency

Someone with the first name, last name, and patronymic Alyona Eduardovna Benderskaya is labeled in public databases as a co-owner or executive at seven different organizations, three of which have ties to former FSB special ops agent Eduard Bendersky. Bendersky is the masculine form of the surname Benderskaya; Eduardovna is Benderskaya’s patronymic, which means her father’s name is Eduard. Like Radio Svoboda, we can only conclude that Yakubets is now a son-in-law to Eduard Bendersky.

“He’s a former agent but a very influential one to this day, very influential. He has loads of businesses and loads of oil. And his own PMC [private military company] in the Middle East,” said an acquaintance of Bendersky’s who also formerly served in the FSB. To Russian journalists and the public, Bendersky is also known for the extensive influence he has attained through his leading role in Russia’s sport hunting lobby.

When asked how a hacker and the daughter of an FSB agent could have ended up in a relationship, a source close to the FSB pointed out that the group of young people who live in Moscow and are capable of spending enormous amounts of money on their own entertainment is very small. That small group contains both the capital’s cybercriminals and the daughters of its intelligence officers.

While the benefits of Yakubets’s FSB connections are already becoming clear, they may not protect him indefinitely. On one hand, the Evil Corp leader has been in the process of obtaining a security clearance since April 2018. According to Karen Kazaryan, that clearance will allow him to search abroad for embarrassing financial information related to Russian officials. On the other hand, an FSB veteran who maintains close ties with the agency told Meduza that the FSB’s K Division, which handles financial crimes, has begun to target Evil Corp despite its government connections. The former agent said the K Division has been searching for a case that will allow it to breed a new general, and Evil Corp fits the bill: In addition to stealing foreign funds, the group has been accused of legalizing stolen money and finding ways to exchange it for cash. The timing of the K Division’s leadership gap also hasn’t played in Evil Corp’s favor: Kirill Cherkalin, a colonel in the department, was recently taken out of commission due to bribery charges.

The FSB and Eduard Bendersky did not respond to Meduza’s requests for comment. We were unable to reach Alyona Benderskaya by phone, and Maxim Yakubets’s relatives did not answer messages sent to their social media accounts.

The extravagance of evil

Evil Corp’s strongest government connection may flow through Maxim Yakubets, but his marriage with Alyona Benderskaya is not where the story ends. Yet another hacker active in the group is the son of the former mayor of Khimki, a city on the northwest outskirts of Moscow. The relationship itself is clear enough: The former mayor, Vladimir Strelchenko, has himself acknowledged that he is the father of a certain “Andrey Kovalsky.” What is less immediately clear is Kovalsky’s own identity: He has six pseudonyms, including both Andrey Kovalsky and Andrey Plotnitsky. His Instagram nickname, Strel, is the only public remnant of his father’s surname.

Andrey Plotnitsky (a.k.a. Kovalsky) and Kirill Slobodskoy, two members of Evil Corp, in a car repair shop alongside a car belonging to fellow Evil Corp member Dmitry Smirnov.
From a social media account belonging to “Andrey Plotnitsky”; saved by the facial recognition service FindClone.

Plotnitsky didn’t respond to the questions Meduza sent to one of his lawyers, and when he received our messages directly on VKontakte, he responded by shutting down his page. However, he had previously been more active on social media than his Evil Corp colleagues, and his posts offer a glimpse into the lavish lifestyle the group has carried on since its first successes. For example, in 2018, Plotnitsky posted on Instagram criticizing local police in Sochi after they ticketed a presumed fellow hacker for speeding. The incident involved a Lamborghini Huracan, a Ferrari 458, a Nissan GTR35, an Audi R8, and a BMW M3 grinding over a highway at 280 km/hour (174 mph). Kovalsky argued at the time that corruption among “judges, cops, and bureaucrats” should be more of a concern for the police than speeding tickets.

Evil Corp’s Audi doing donuts in the middle of traffic on a six-lane highway.
jasontpkoebler

Further digging shows a deep-set obsession with luxury sports cars throughout Evil Corp. For example, the UK’s National Crime Agency has reported that the group works primarily from the basements of Moscow cafés: An agency photograph from the mid-2010s shows a camouflage-colored luxury car parked outside one of them. We identified the facility as the Chianti Café at 1/7 Tatarskaya Street and discovered upon visiting that address that the restaurant had long been closed. Nonetheless, a Moscow resident living nearby told us that Yakubets and Benderskaya had lived for several years on Bakhrushina Street nearby. For several years, he added, the couple’s cars could be seen parked all over the area. “Everybody knows them,” he said.

The Chianti Café in the mid-2010s.
National Crime Agency
The former café’s location in 2019.
Meduza

None of Evil Corp’s members appear to be afraid of flaunting their wealth. The group is known to keep a fleet of luxury cars and motorcycles that are used for anything from entertainment to tradeable currency or payment for chauffeurs. The cars are all registered to just one of the hackers, Dmitry Smirnov, and stored in a private lot. Sources told Meduza that the cars include three Lamborghini Huracans, a Cadillac Escalade, a Chevrolet Camaro, three different Mercedes Benz models, a Volkswagen Amarok, a Nissan GTR patterned with skulls and brass knuckles, and a set of vintage Russian Zhigulis. That list doesn’t even account for other cars that appear to be privately owned, like an ultramarine Audi belonging to Andrey Plotnitsky.

Andrey Plotnitsky (a.k.a. Kovalsky) standing between two Evil Corp sportscars.
From a social media account belonging to “Sergey Usmanov”
From left to right, Kirill Slobodskoy, Dmitry Smirnov, and Denis Gusev
From a social media account belonging to “Kirill Vsevyshny”; saved by the facial recognition service FindClone.

Beyond using their sportscars to disrupt traffic, Evil Corp’s members appear to be fond of flaunting their wealth online, both in public and in private. One member has posted multiple photographs with a captive lion or liger cub under the username Denis Afinov. Others have social media accounts with usernames like “Kirill the Most High” and “Oligarchovich.” A leaked database of logins and passwords shows that even Maxim Yakubets’s email password was statmillionerom, or “to become a millionaire.” The hackers have only shown a hint of self-deprecation on the license plates of their sportscars: At least four of them include the letters “VOR,” the Russian word for thief.

Story by Liliya Yapparova

Editing by Alexey Kovalev

Summary by Hilah Kohen
