Two Russians Indicted Over $100M Dridex Malware TheftsRussia's FSB Security Service Now Employs One Suspect, Authorities Allege
He drives a garish, customized Lamborghini in Moscow with a license plate that reads "thief" and is working for Russia’s security service, the FSB.
So allege U.S. and U.K authorities about Maksim Yakubets, 32, saying he was the ringleader of a cybercrime group dubbed "Evil Corp." that was behind the notorious banking malware Dridex, which thieves used to steal more than $100 million from hundreds of banks across 40 countries.
On Thursday, Britain's National Crime Agency released photos of Yukabets and purchases he allegedly made using stolen funds. They include numerous luxury vehicles and forking out £250,000 ($329,000) for his lavish wedding. Authorities allege that Yukabets worked from the basements of multiple Moscow cafes, directing dozens of others to launch cybercrime attacks.
Yakubets has been indicted in federal court in Pennsylvania together with an alleged co-conspirator: 38-year-old Igor Turashev. The U.S. Justice Department on Thursday said both have been charged with conspiracy, fraud conspiracy, three counts of bank fraud, wire fraud and intentional damage to a computer.
Authorities also allege Yakubets was part of another notorious cybercrime group that ran the infamous GameOver/Zeus botnet and malware. Authorities believe Zeus malware has been used to steal at least $70 million, just from U.S. bank accounts.
Yakubets is accused of working with Evgeniy M. Bogachev, who has long been sought by U.S. authorities (see: Report: Russian Espionage Piggybacks on Cybercrime). Bogachev, who has been on the FBI’s most wanted list since 2015, is accused of masterminding GameOver/Zeus.
According to a separate criminal complaint filed in federal court in Nebraska, Yakubets allegedly worked with the Zeus crew to line up "money mules." Fraudsters recruit money mules to transfer stolen money, and then instruct those people to further transfer the money for a small cut. Those people are usually unwitting participants.
U.S. authorities are so keen to get Yakubets in custody that they’re offering a record $5 million reward for information that leads to his arrest. But suspects in Russia are difficult to apprehend, as there’s no extradition treaty between the two countries. The FBI, for example, continues to offer a $3 million reward for information leading to Bogachev's arrest or conviction.
"While the two alleged perpetrators were unmasked and indicted on Thursday for crimes costing hundreds of millions of dollars, we are still far behind in the fight to protect our financial systems, and neither has been brought to justice yet," Pierson tells Information Security Media Group.
Zeus and Dridex, which has also been known as Bugat and Cridex, were sophisticated, ever-evolving pieces of malware that were typically distributed through phishing messages.
Once on a computer, Dridex could inject fields into real banking pages and steal customers' personal information and authentication credentials, allowing attackers to drain accounts. Zeus was also capable of collecting time-sensitive two-factor authentication codes, which protects bank accounts from unauthorized takeovers.
The list of the suspects' victims and near-victims is numerous. According to the indictment, in August 2012, Yakubets and Turashev stole $2.1 million from Peneco Oil, a Pennsylvania energy company, and later stole another $1.3 million. They’re also accused of attempting to steal $999,000 from the state's Sharon City School District in December 2011.
OpSec Error: Full Chat Logs
Yakubets, who went by the nickname "aqua," has apparently been watched by U.S. authorities for a long time. Investigators say they have known his real identity since 2010. Perhaps surprisingly, that was thanks in part to cooperation between U.S. and Russian law enforcement agencies in 2010, in what was a different era for U.S.-Russia relations.
The breakthrough happened as authorities were trying to get a handle on Zeus, which emerged in 2009, ushering in a new wave of sophistication in banking malware. Zeus proved to be such a potent toolkit for draining banks accounts that it drew wide scrutiny from global law enforcement and computer security researchers.
Zeus, which was a toolkit that could be purchased by other cybercriminals, was difficult for anti-virus software to detect because attackers constantly changed the code. The malware was also controlled by a resilient botnet infrastructure, with command-and-control servers located around the world.
Also referred to as zbot, Zeus was capable of sending login credentials, two-factor authentication codes and one-time passwords directly to attackers using the Jabber instant messaging protocol. That enabled the cybercriminals receiving the data to act quickly before time-sensitive codes expired.
But the break in this Zeus investigation came in 2009 after FBI investigators, working with private companies and researchers, honed in on a server nicknamed INCOMEET that was receiving the stolen credentials, according to the criminal complaint. The server was hosted by a Brooklyn-based company called Ezzi.net.
Police executed four search warrants on the server in 2009 and 2010. The INCOMEET server held a raft of helpful data - extensive chat logs, account credentials and information about infected computers, the complaint says.
"The INCOMEET’s server operators had configured it to record on its hard drive ongoing logs of every chat message sent through the server," the complaint says. "These chat communications included discussions among conspirators made as they were in the progress of transferring money out of victim bank accounts."
The users of the server employed nicknames, but investigators plucked a crucial clue from the chats: an email address, "firstname.lastname@example.org." In July 2010, the U.S. filed a mutual legal assistance request regarding the email address. Russia returned a name: Maksim Yakubets.
Russian authorities found that the email addresses had been accessed from a specific IP address that was linked to a postal address in Moscow. The email address had been used to make travel arrangements and as well order a baby carriage which was delivered to the postal address.
Russia also executed a search warrant at the address in November 2010, but the criminal complaint does not detail what occurred after that.
From Hacker to FSB Agent?
But it appears that Yakubets didn’t get in trouble. In fact, in what security experts say is a regular occurrence, it appears that the Russian government became interested in Yakubets for other purposes, and may have done a deal in which he agreed to work for the government in exchange for not having to face criminal charges.
"As of 2017, Yukabets was working for the Russian FSB, one of Russia’s leading intelligence organizations that was previously sanctioned," the U.S. Treasury Department says in a press release issued Thursday. The Treasury Department has announced a range of new sanctions against Russian entities tied to the new charges.
During 2017, Yukabets was tasked with helping the Russian government acquire confidential documents through cyber-enabled means, the Treasury Department says. As of April 2018, Yukabets "was in the process of obtaining a license to work with Russian classified information from the FSB."
The U.S. has alleged before that Russian intelligence officers coopted hackers into working for them, most notably in the string in intrusions against Yahoo that compromised virtually its entire user base (see Outsourcing Cyber Espionage Landed Russia in Trouble).
Two of the four men indicted in those attacks were allegedly Russian FSB agents (see: Russian Spies, Two Others, Indicted in Yahoo Hack).
In the case of Yukabets, unless he mistakenly travels to a country that has an extradition agreement with the U.S. - or which agrees to look the other way - he can avoid prosecution.
"DOJ is taking the gloves off in its attempts to civilize cyberspace, however, Yukabets is untouchable," says Tom Kellerman, head cybersecurity strategist at VMware. "He is one of the digerati of the dark web."