Threat Actors · The Bloodline · Part 1 of 7

The Common Ancestor

The modern ransomware world traces to a dozen people who learned the trade together when the crime was still wire fraud rather than encryption. Every lineage in this series begins with the same man, the same trojan, and the same club.

By Reno · July 3, 2026 · 10 min read · Open Research

[Illustration: One crew, two pillars (Zeus, The Business Club, Evil Corp, Conti)]

Before the leak sites, before the million-dollar ransoms, before anyone had coined the phrase ransomware-as-a-service, there was a banking trojan called Zeus and the man who wrote it. Evgeniy Mikhailovich Bogachev, who operated online as slavik (and as lucky12345 and monstr), authored Zeus in the mid-2000s. Zeus was never one gang's private weapon. Bogachev sold and rented it, seeding an entire generation of financially motivated crews with a common technical heritage. (Confirmed reporting)

Bogachev matters to this series less as a ransomware operator, which he mostly was not, than as the common ancestor. He is the node through which the future leaders of both Evil Corp and Conti first entered organized cybercrime. The UK National Crime Agency places both Maksim Yakubets and Vitaly Kovalev in his orbit from at least 2009. Hold those two names. This entire series is, in one sense, the story of what each of them built after leaving the same room. (Confirmed reporting)

The other half of the operation

The malware was only half of the business. The other half was the human logistics of turning stolen bank credentials into cash, and that work fell to the Jabber Zeus crew, named for the instant-messaging plugin that pinged operators in real time when a high-value account was compromised. Unusually for this ecosystem, its central figures are now partly in custody. Vyacheslav Penchukov ("tank," "father"), a Ukrainian who moonlighted as a club DJ, coordinated the cash-out side, evaded his 2012 indictment for a decade, and was finally arrested in Geneva in October 2022. He pleaded guilty and was sentenced in July 2024 to an effective nine years, with restitution and forfeiture near $74 million. Ivan Klepikov ("petr0vich") ran systems administration. Alexey Bron ("thehead") moved funds through WebMoney. The UK money-mule layer was run by Yevhen Kulibaba ("jonni") and his deputy Yuriy Konovalenko, both convicted in the UK before extradition to the United States. (Confirmed reporting)

Look past the aliases and the crew is a template, the one every operation in this series will reuse: a hard separation between the people who write the malware and the people who move the money, a core built on trusted personal relationships rather than anonymous forums, and a home base in jurisdictions beyond Western reach. The same architecture reappears, scaled up a hundredfold, in Conti's corporate org chart a decade later. (Analyst inference)

The botnet that would not die, and the man who did not have to

By 2011 the lineage had produced its masterpiece. GameOver Zeus was a peer-to-peer botnet, far harder to decapitate than its centrally controlled predecessors, and around it Bogachev assembled the elite crew that monetized it: The Business Club. GameOver Zeus also doubled as a delivery vehicle for CryptoLocker, the early ransomware that Bogachev's infrastructure pushed to infected machines. The pattern that would define the next decade was already fully formed: banking fraud and ransomware running on the same rails, operated by the same people. (Confirmed reporting)

In June 2014, an international operation led by the FBI and partners, Operation Tovar, dismantled the GameOver Zeus botnet and disrupted CryptoLocker with it. As a technical strike it was a genuine success. As a strategic one it had a hole in the middle: nobody went to prison. Bogachev was indicted, added to the FBI's Cyber Most Wanted list, and later sanctioned by OFAC in 2016 with a $3 million reward outstanding. He simply stayed in Russia, where he remains. (Confirmed reporting)

The lesson the ecosystem drew, and applied for the next decade: infrastructure can be seized, but protected people cannot, as long as they stay home and stay useful.

That is the first appearance of the dynamic this project exists to track. The takedown teaches the takedown's limits. Operation Tovar is where the ecosystem learned that the West could reach the metal but not the men, and every survival strategy in the chapters ahead, from Evil Corp's rebrand carousel to Conti's diaspora, is a variation on that lesson. (Analyst inference)

FBI Cyber Most Wanted / US State Dept Rewards (excerpt)
Subject: Evgeniy Mikhailovich BOGACHEV, alias “slavik”, “lucky12345”, “monstr”
Role: author, Zeus trojan; administrator, GameOver Zeus botnet
Reward: up to $3,000,000 for information leading to arrest and/or conviction
Designations: indicted 2014 (W.D. Pa.); OFAC sanctioned, 2016
Status: at large, Russian Federation
Source: FBI Cyber Most Wanted and US Department of State rewards notice. Public record, reproduced for analysis.

The fork

The single most important structural fact in this series comes from the NCA's October 2024 paper Evil Corp: Behind the Screens. It states that Maksim Yakubets "worked with several notorious cybercriminals including Evgeniy Bogachev and Vitaliy Kovalev to deploy malware" since at least 2009, and that Yakubets and Kovalev "came together to form The Business Club cybercrime group" between 2011 and 2014. Kovalev is explicitly described as "involved in Dyre, Trickbot and Conti." (Confirmed reporting)

Read that sentence twice, because it collapses the apparent separation between the two largest ransomware pillars of the modern era. The Business Club is the fork point. Out of it, Yakubets builds Evil Corp. Out of it, Kovalev moves through Dyre and TrickBot to become Stern, the boss of Conti. The two men were colleagues before either brand existed. The chapters that follow are best read not as rival histories but as two branches of one tree. (Confirmed reporting)

Fig. 1 · The roots-era roster (per cited sources)
| Actor | Moniker(s) | Roots-era role | Status |
|---|---|---|---|
| Evgeniy Bogachev | slavik | Author of Zeus; ran GameOver Zeus and the Business Club | At large (Russia); $3M reward |
| Maksim Yakubets | aqua | Business Club; future Evil Corp leader | At large (Russia) |
| Vitaly Kovalev | Bentley, Ben | Business Club; future Conti boss (Stern) | At large (Russia) |
| Vyacheslav Penchukov | tank, father | Jabber Zeus cash-out coordinator | Sentenced 2024 (US, 9y) |
| Ivan Klepikov | petr0vich | Jabber Zeus sysadmin | Indicted |
| Alexey Bron | thehead | Jabber Zeus funds movement (WebMoney) | Indicted |
| Yevhen Kulibaba | jonni | UK laundering principal | Convicted; served |
Statuses as reported in cited sources at time of writing. All confidence levels: confirmed. Sources: US DOJ, UK NCA, FBI.

Why the roots era matters

It would be convenient to file all of this as prehistory, a wire-fraud era with no bearing on the leak-site economy of today. The record says otherwise. The people are the same. The trust networks are the same. The money-first architecture is the same. And the protection dynamic, criminal talent shielded at home in exchange for staying useful, was already operating before the first modern ransom note was written. (Analyst inference)

Part 2 of this series follows the first branch of the fork: Evil Corp, the family firm Yakubets built out of the Business Club's ruins, the fortune it stole, and the wedding that formalized its relationship with the Russian security state.

Sourcing & confidence

This dispatch is adapted from the project's reference study "People, Lineage, Money, and the State" (v3), and draws on the UK National Crime Agency white paper "Evil Corp: Behind the Screens" (October 2024), US Department of Justice indictments and press releases covering the Jabber Zeus crew, GameOver Zeus and Operation Tovar (June 2014), the FBI Cyber Most Wanted listing for Bogachev, and US sentencing records for Penchukov (2024). Confidence labels follow standard analytic practice.

Confirmed · multiple independent sources, including official designation or indictment language.
Credible · single strong source or consistent industry reporting, not yet officially confirmed.
Analyst inference · the project's own assessment, drawn from the evidence above.
