The plate read В217ОР777. Strip the numbers and you are left with three Cyrillic letters, В-О-Р, that spell vor: the Russian word for thief. They sat on the back of a customized Lamborghini Huracan, a car worth roughly $200,000 before the bespoke paintwork, and the man behind the wheel was, by the assessment of three governments, the most prolific cyber-thief alive. Britain's National Crime Agency would later release the footage: Maksim Yakubets spinning the Huracan through Moscow, the thief plate catching the light. Confirmed reporting
It is tempting to read that as arrogance, and it partly is. But arrogance does not survive a $5 million bounty and a ten-count US federal indictment unless something is holding the roof up. The Russian word for that roof is krysha, and it is the subject this project exists to track. The Huracan with the thief plate is not a story about a flashy criminal. It is a status report, rendered in carbon fibre, on a protection arrangement that reached all the way into the FSB.
This is the first of two dispatches on Evil Corp, the group Yakubets built. Part 2 follows the machinery of state protection and the rebrand carousel that kept the operation alive after sanctions. This part is about where it came from: a family, a banking trojan, and a decade in which the line between organized crime and the Russian state quietly dissolved.
A family business
Most organized cybercrime is a distributed affair, strangers cooperating across forums and chat servers. Evil Corp was something older and more intimate. The NCA described it as a family-centred operation run out of Moscow, closer in shape to a traditional crime syndicate than to a hacking crew. The Yakubets family had been in financial crime before Maksim was born: his father, Viktor Yakubets, had significant historical ties to money laundering. Maksim carried that inheritance into the internet age and brought the family with him, recruiting his father, his brother Artem, and his cousins Kirill and Dmitry Slobodskoy. Confirmed reporting
Blood solved the hardest problem in organized crime, which is trust. The group's real edge was never only technical. It was the ability to convert stolen credentials into spendable money at scale, and that meant money mules, cryptocurrency desks, front companies, and lawyers, all professionalized to a degree most technically gifted criminals never reached. Drawing on the family's laundering knowledge, Evil Corp became, in the NCA's phrase, experts at realizing the proceeds. At their peak they were a tight unit working out of physical offices in Moscow, including the Chianti Café and Scenario Café, socializing with their wives and girlfriends and taking group holidays together. Confirmed reporting
Yakubets ran it like a boss who had read about operational security. He compartmented members so that no one saw the whole picture, and reportedly kept the details of his work secret even from his wife. The one person he trusted without reservation was his long-term second in command, Aleksandr Ryzhenkov, a partnership that began around 2013 and outlasted every disruption that followed. Confirmed reporting
Born from Zeus
Evil Corp did not appear from nothing. It is the heir to the single most consequential lineage in financial cybercrime, the one that runs through Evgeniy Bogachev, known online as Slavik. Around 2005 and 2006 Bogachev built the original Zeus banking trojan, a credential stealer that became one of the most widely deployed crime tools ever written. By 2009 it had evolved into Jabber Zeus, wired for real-time coordination over instant messaging, and Yakubets was already inside that world, working alongside Bogachev and other notorious operators. Confirmed reporting
In 2011 the lineage produced its masterpiece: GameOver Zeus, a peer-to-peer botnet far harder to decapitate than anything before it. At its height it infected somewhere between half a million and a million machines and is tied to roughly $100 million in theft, and it doubled as the delivery vehicle for the early CryptoLocker ransomware. There was also a quieter feature. Researchers found a covert Zeus variant tuned not for fraud but for espionage, sweeping for classified material tied to Ukraine, Georgia and Turkey. Ukrainian officials later said Bogachev had been working under the supervision of an FSB unit. The US indicted him in 2014. Russia has never handed him over. Credible reporting
That arrangement, criminal talent shielded in exchange for occasional intelligence work, is the template Yakubets would inherit and deepen. Before Evil Corp had a name, its founders gathered inside The Business Club, the coalition of Russian-speaking criminals that formed around the Zeus operation between 2011 and 2014. Ryzhenkov was there, running bank-transfer fraud against UK targets, a British focus that would never leave the group. When international law enforcement took down GameOver Zeus in June 2014 under Operation Tovar, the Business Club dissolved as a formal entity. Its core did not scatter. It reconstituted under new management. Confirmed reporting
Dridex and the birth of Evil Corp
In June 2014, weeks after Operation Tovar, Yakubets and Ryzhenkov rebuilt the operation around a new banking trojan called Dridex, written on the bones of their Zeus-era code. They registered the domain Ev17corp.biz to coordinate, and Evil Corp had a name. Dridex went on to become one of the most successful banking malware strains ever fielded, spread through phishing and tuned to slip past common antivirus. It drained accounts at hundreds of small and mid-sized companies across the United States and Europe, and US prosecutors would put its charged losses above $100 million. Confirmed reporting
The detail that matters most for everything that came later is structural. Evil Corp did not just run Dridex; it segmented and rented the botnet to affiliates, who used it for their own campaigns. That is a ransomware-as-a-service model years before the term existed, and it tells you the group thought like a business with a product line, not like a gang with a tool. The proceeds flowed into a laundering apparatus the family had spent a generation building. Confirmed reporting
The lavish art of impunity
Now return to the cars, because by the late 2010s the money had nowhere private to go. The Huracan with the thief plate was only the headline. The plate itself, В217ОР777, was later traced through open-source imagery: repainted from a camouflage scheme to black, and apparently shipped to Crimea in 2017. Reporting placed a small fleet around Yakubets, including a Nissan GT-R, an Audi R8 and a Dodge Challenger, each dressed in custom paint. Credible reporting
The menagerie went further than cars. Contemporary reporting described pet lion cubs and tigers, and spa vacations that ran up to a million rubles a week. None of this was hidden. It was photographed, posted, and paraded, by a man who at the same moment held the unusual distinction of carrying the largest bounty the US had ever placed on a cybercriminal. Credible reporting
The centerpiece was the wedding. In 2017 Yakubets married Alyona Benderskaya at a country club north of Moscow, an event the NCA priced at more than $330,000 and British tabloids at over £250,000. RFE/RL's Russian Service later surfaced photographs and video of the ceremony. The bride poses for the camera in an expensive gown. The groom is never shown from the front, only from behind. A man this comfortable with a thief plate was, on his own wedding video, careful to keep his face off the record. Confirmed reporting
The bride's surname is the hinge of the entire story, and it is where Part 2 begins. Her father, Eduard Benderskiy, was a former senior officer of the FSB's secretive Vympel unit. The wedding was not only a display of wealth. It was the formalization of a relationship between a criminal enterprise and the Russian security state.
Even the family's public defense fits the pattern. When the BBC's Joe Tidy went to Russia hunting the men on the FBI's cyber most-wanted list, the trail reached the Yakubets family, and footage circulated of Viktor Yakubets, the father, defending his son and professing ignorance of any wrongdoing. The NCA's October 2024 disclosures told a different story, naming Viktor himself as a launderer of the group's proceeds. The man who said he knew nothing was sanctioned for his part in the money. Credible reporting
Role: leader, Evil Corp; Bugat / Dridex conspiracy
Reward: up to $5,000,000 for information leading to arrest and/or conviction
Charges: conspiracy, computer hacking, wire & bank fraud (W.D. Pa., 2019)
Co-defendant: Igor TURASHEV · Status: at large, Russian Federation
Note: largest reward then offered for a cybercriminal
Hold the two images together. A government offers $5 million for the man's arrest. The man drives a car marked thief through the capital and gets married for a third of a million dollars in front of the entire crew. Both things are true at once, and the gap between them is not luck. It is the roof.
That is the thesis this project keeps returning to. The Money and the Metal, the cash-out rails and the bulletproof infrastructure, are dependencies any serious crew can buy. The Krysha, the active protection of the Russian state, is the one that cannot be purchased on a forum, and it is the one that makes a $5 million bounty decorative. Evil Corp is the cleanest case study available of what that protection looks like from the outside: a Lamborghini, a lion cub, and a wedding into the FSB.
Part 2 follows the roof itself. Who Eduard Benderskiy is, what the Vympel unit does abroad, how the relationship turned Evil Corp into a tool of Russian intelligence, and how the group survived sanctions by changing its name again and again while the protection stayed exactly where it was. Analyst inference
Sourcing & confidence
This dispatch draws on the UK National Crime Agency white paper "Evil Corp: Behind the Screens" (October 2024), US Department of Justice indictments and US State Department reward notices (December 2019), and contemporaneous reporting from the BBC, RFE/RL, Business Insider and Krebs on Security, cross-checked against open-source vehicle imagery. Confidence labels follow standard analytic practice.
Confirmed · multiple independent sources, including official designation or indictment language.
Credible · single strong source or consistent industry reporting, not yet officially confirmed.
Analyst inference · the project's own assessment, drawn from the evidence above.
- UK NCA, Evil Corp: Behind the Screens (Oct 1, 2024).
- US DOJ, Yakubets / Turashev indictment and $5M reward (Dec 5, 2019).
- Krebs on Security, Inside Evil Corp, a $100M Cybercrime Menace (Dec 2019).
- RFE/RL, In Lavish Wedding Photos, Clues to FSB Family Ties (Dec 2019).
- BBC (Joe Tidy), Evil Corp: My hunt for the world's most wanted hackers (2021); Business Insider, Lamborghinis, baby lions, and stacks of cash (Dec 2019).