ITSecurity.org

Technology Security Controls

zeus

Kingpin of Evil Corp lived large. Now there’s a $5 million bounty on his head

by

Screenshot of Justice Department website shows four pictures of same alleged criminal.

Enlarge / Screenshot of Justice Department website shows four pictures of same alleged criminal.
US Justice Department

Federal prosecutors have indicted the kingpin of Evil Corp, the name used by a cybercrime gang that used the notorious Dridex malware to drain more than $70 million from bank accounts in the US, UK, and other countries.

Maksim V. Yakubets, a 32-year-old Russian national who used the handle “Aqua,” led one of the world’s most advanced transnational cybercrime syndicates in the world, prosecutors said on Thursday. The crime group’s alleged deployment of Dridex was one of the most widespread malware campaigns ever. The UK’s National Crime Agency said the syndicate used the name Evil Corp.

Dridex was configured to target the customers of almost 300 different organizations in more than 40 countries by automating the theft of online banking credentials and other confidential information from infected computers. Over time, Dridex creators updated the malware to install ransomware. Previously known as Bugat and Cridex, Dridex used zeroday exploits and malicious attachments in emails to infect targets. The malware was designed to bypass antivirus and other security defenses.

Yakubets and another alleged Dridex operator, 38-year-old Igor Turashev, also from Russia, allegedly used the captured banking credentials to order electronic money transfers from compromised accounts. Prosecutors said the men funneled the stolen funds into the accounts of money mules who would move the funds into other accounts or convert them to cash and smuggle it overseas. Yubets was the leader of the crime group, prosecutors said. Turashev allegedly handled a host of roles, including system administration, management of an internal control panel, and oversight of a botnet that controlled infected computers.

Confiscated images and videos released by UK authorities show alleged members of Evil Corp living large. One photo shows Yakubets and his bride celebrating their 2017 wedding with a lavish chandelier above them. Other images and videos show off expensive sports cars.

  • A photo from Yakubets’ wedding in Moscow.
    UK NCA
  • A Lamborghini belonging to Maksim Yakubets parked outside Chianti Café.
    UK NCA
  • Evil Corp member Andrey Plotnitskiy with cash.
    UK NCA
  • A Lamborghini Huracan and an Audi R8 used by Evil Corp members outside Moscow State University.
    NCA
  • Nissan GTR used by Evil Corp member Dmitriy Smirnov with a Philipp Plein wrap.
    UK NCA
  • An Audi R8 belonging to an Evil Corp member. It’s parked outside Chianti Café, a location used by the group.
    UK NCA
  • Evil Corp member cars: Lamborghini Huracan belonging to Maksim Yakubets.
  • Evil Corp group member Andrey Plotnitskiy standing in front of a Porsche.
    UK NCA
  • An Evil Corp member giving the finger to police.
    UK NCA
  • Evil Corp member Dmitriy Smirnov standing on his Nissan GTR and a Chevrolet Camaro.
    UK NCA
  • Another Evil Corp member.
    UK NCA
  • Evil Corp group members (left to right) Kirill Slovoddkoy, Dmitry Smirnov, and Denis Gusev on holiday in Dubai in 2013.
    UK NCA

Yakubets also stands accused of providing “direct assistance” to the Federal Security Service of the Russian Federation, the KGB successor that’s better known as the FSB.

“In addition to his leadership role within Evil Corp, Yakubets has also provided direct assistance to the Russian government,” officials with the US Treasury Department said. “As of 2017, Yakubets was working for the Russian FSB, one of Russia’s leading intelligence organizations that was previously sanctioned pursuant to E.O. 13694, as amended, on December 28, 2016.”

Mariposa Botnet Author, Darkcode Crime Forum Admin Arrested in Germany

by

A Slovenian man convicted of authoring the destructive and once-prolific Mariposa botnet and running the infamous Darkode cybercrime forum has been arrested in Germany on request from prosecutors in the United States, who’ve recently re-indicted him on related charges.

NiceHash CTO Matjaž “Iserdo” Škorjanc, as pictured on the front page of a recent edition of the Slovenian daily Delo.si, is being held by German authorities on a US arrest warrant for operating the destructive “Mariposa” botnet and founding the infamous Darkode cybercrime forum.

The Slovenian Press Agency reported today that German police arrested Matjaž “Iserdo” Škorjanc last week, in response to a U.S.-issued international arrest warrant for his extradition.

In December 2013, a Slovenian court sentenced Škorjanc to four years and ten months in prison for creating the malware that powered the ‘Mariposa‘ botnet. Spanish for “Butterfly,” Mariposa was a potent crime machine first spotted in 2008. Very soon after its inception, Mariposa was estimated to have infected more than 1 million hacked computers — making it one of the largest botnets ever created.

An advertisement for the ButterFly Bot.

Škorjanc and his hacker handle Iserdo were initially named in a Justice Department indictment from 2011 (PDF) along with two other men who allegedly wrote and sold the Mariposa botnet code. But in June 2019, the DOJ unsealed an updated indictment (PDF) naming Škorjanc, the original two other defendants, and a fourth man (from the United States) in a conspiracy to make and market Mariposa and to run the Darkode crime forum.

More recently, Škorjanc served as chief technology officer at NiceHash, a Slovenian company that lets users sell their computing power to help others mine virtual currencies like bitcoin. In December 2017, approximately USD $52 million worth of bitcoin mysteriously disappeared from the coffers of NiceHash. Slovenian police are reportedly still investigating that incident.

The “sellers” page on the Darkode cybercrime forum, circa 2013.

It will be interesting to see what happens with the fourth and sole U.S.-based defendant added in the latest DOJ charges — Thomas K. McCormick, a.k.a “fubar” — allegedly one of the last administrators of Darkode. Prosecutors say McCormick also was a reseller of the Mariposa botnet, the ZeuS banking trojan, and a bot malware he allegedly helped create called “Ngrbot.”

Between 2010 and 2013, Fubar would randomly chat me up on instant messenger apropos of nothing to trade information about the latest goings-on in the malware and cybercrime forum scene.

Fubar frequently knew before anyone else about upcoming improvements to or new features of ZeuS, and discussed at length his interactions with Iserdo/Škorjanc. Every so often, I would reach out to Fubar to see if he could convince one of his forum members to call off an attack against KrebsOnSecurity.com, an activity that had become something of a rite of passage for new Darkode members.

On Dec. 5, 2013, federal investigators visited McCormick at his University of Massachusetts dorm room. According to a memo filed by FBI agents investigating the case, in that interview McCormick acknowledged using the “fubar” identity on Darkode, but said he’d quit the whole forum scene years ago, and that he’d even interned at Microsoft for several summers and at Cisco for one summer.

A subsequent search warrant executed on his dorm room revealed multiple removable drives that held tens of thousands of stolen credit card records. For whatever reason, however, McCormick wasn’t arrested or charged until December 2018.

According to the FBI, back in that December 2013 interview McCormick voluntarily told them a great deal about his various businesses and online personas. He also apparently told investigators he talked with KrebsOnSecurity quite a bit, and that he’d tipped me off to some important developments in the malware scene. For example:

“TM had found the email address of the Spyeye author in an old fake antivirus affiliate program database and that TM was able to find the true name of the Spyeye author from searching online for an individual that used the email address,” the memo states. “TM passed this information on to Brian Krebs.”

Read more of the FBI’s interview with McCormick here (PDF).

News of Škorjanc’s arrest comes amid other cybercrime takedowns in Germany this past week. On Friday, German authorities announced they’d arrested seven people and were investigating six more in connection with the raid of a Dark Web hosting operation that allegedly supported multiple child porn, cybercrime and drug markets with hundreds of servers buried inside a heavily fortified military bunker.