Part 1 ended at a wedding. A country club north of Moscow in 2017, a third of a million dollars, the entire crew in attendance, and a bride whose surname matters more than anything else in this story. Alyona Benderskaya's father is Eduard Benderskiy, and to understand what Maksim Yakubets married into you have to understand what Benderskiy did for a living before he became a businessman. Confirmed reporting
Benderskiy is a former senior officer of the FSB's Vympel unit, one of the most secretive special-operations formations in Russia. Vympel was created in 1981 as a KGB instrument for work abroad: infiltration, sabotage, kidnapping, assassination. It was later folded into the FSB and rebranded internally as Department V, nominally re-pointed at domestic counter-terrorism, though its overseas reach plainly survived. Today Benderskiy presents as a private businessman, running a cluster of companies carrying the Vympel name and chairing a charitable fund for former FSB Spetsnaz officers, a role that makes him a living switchboard for the security services' veterans. Confirmed reporting
The man at the wedding
The switchboard has been used for more than networking. In 2020 a joint investigation by Bellingcat and Der Spiegel concluded that Benderskiy supervised the preparation for the August 2019 assassination of Zelimkhan Khangoshvili, a Georgian-Chechen dissident shot dead in broad daylight in Berlin's Kleiner Tiergarten. The killer, Vadim Krasikov, had served in the same Vympel unit and was in regular phone contact with Benderskiy in the run-up to the murder. Bellingcat's assessment was that Benderskiy's web of Vympel companies functions as a de facto arm of the FSB, kept partly for deniable operations abroad. Credible reporting
The endnote is its own argument. A German court convicted Krasikov. In August 2024 he was returned to Russia in the largest East-West prisoner exchange since the Cold War, a measure of how much the Russian state will spend to bring its assassins home. This is the man whose daughter married the leader of Evil Corp. Confirmed reporting
From protected to tasked
The relationship between Evil Corp and the Russian state ran well past the ordinary bargain of payoffs and tolerance. The NCA's language is unusually direct: prior to 2019, Evil Corp were tasked by Russian intelligence services to conduct cyber-attacks and espionage against NATO allies. This was not a criminal group the state happened to ignore. It was a criminal group the state put to work. Confirmed reporting
Yakubets ran that liaison himself, becoming the group's main point of contact with Russian officials and cultivating relationships across the FSB, the SVR and the GRU, the full intelligence triad. By 2017 the US Treasury assessed he was working for the FSB, and by April 2018 was in the process of obtaining a license to access classified Russian information, tasked, in Treasury's words, with acquiring protected data through aggressive actions in cyberspace. Benderskiy was the enabler who made those introductions possible, leveraging his status to graft a cybercrime crew onto the security apparatus. Confirmed reporting
This is the inheritance from Part 1 reaching maturity. Bogachev's Zeus operation had run a covert espionage variant under FSB supervision. A decade later his successor was not running a hidden side-channel for the state; he was attending meetings, seeking a clearance, and marrying into Vympel. The espionage-for-protection model had stopped being a secret feature and become the business relationship itself. Analyst inference
December 2019: the indictment that did not land
On December 5, 2019, the response arrived in force. The US Treasury's OFAC designated Evil Corp and its members. The Department of Justice unsealed a ten-count indictment against Yakubets and a second against Igor Turashev, a key Dridex administrator. The State Department posted the $5 million reward. On paper it was the most aggressive action ever taken against a cybercrime group. Confirmed reporting
None of them were arrested. All of them stayed in Russia. After the 2019 sanctions, Benderskiy used his influence to shield the group, both by providing senior members with physical security and by ensuring Russia's own authorities did not pursue them. The indictment was real. The roof was simply higher than the indictment could reach. Confirmed reporting
What the action did change was the economics. An OFAC designation is radioactive in the ransomware market: any victim who pays a sanctioned entity risks its own liability, so paying Evil Corp by name became a compliance hazard. That single fact drove everything Evil Corp did next. The group did not need to evade arrest; the roof handled that. It needed to evade attribution, so that victims could keep paying without paying a sanctioned name. Analyst inference
The split, and the carousel of names
The pressure cracked an existing fault line. A souring relationship between Yakubets and Turashev, building since mid-2019, broke open. Turashev left and led development of DoppelPaymer, a fork of the group's ransomware, while the Yakubets and Ryzhenkov core kept the main operation. Both halves stayed in Russia and beyond reach. In a detail that captures the whole ecosystem, Turashev and his company placed third in a December 2022 hackathon organized by the Wagner Group. Confirmed reporting
The core's answer to the attribution problem was to keep changing its name while keeping its code. Researchers tracked the lineage strain by strain: a shared codebase wearing new labels roughly once a year, each rebrand an attempt to muddy the link back to a sanctioned operation.
The 2020 transformation was thorough. Evil Corp dropped Dridex and switched its initial access to SocGholish, the fake-browser-update framework that hijacked legitimate websites to plant a foothold. Members grew quiet, abandoned old accounts and restricted their movements. It did not work cleanly: researchers attributed WastedLocker to them within the year. So the names kept turning: Hades, Phoenix Locker, PayloadBIN, Macaw, each a thin recoat of the same engine. One Phoenix Locker victim paid $40 million, the largest ransom recorded at that point. Confirmed reporting
By 2022 the core reached the logical endpoint of an attribution problem: if your own brand is toxic, stop having one. Ryzhenkov, Yakubets's right hand, became an affiliate of the LockBit ransomware-as-a-service platform under the alias "Beverley." Wearing someone else's banner, he is assessed to have built around 60 LockBit attacks and attempted to extort roughly $100 million. The crew that once rented its own botnet to affiliates had become an affiliate on another crew's botnet. Confirmed reporting
October 2024: the roof gets named
The most revealing action came in October 2024, when the UK, US and Australia moved together. The NCA, working from data taken off the group's own systems through Operation Cronos, publicly tied Ryzhenkov's "Beverley" to LockBit and unsealed a US indictment against him. More striking was who else was named. The action did not just sanction hackers; it sanctioned the roof. Confirmed reporting
- Viktor YAKUBETS: father of Maksim; laundering of group proceeds
- Aleksandr RYZHENKOV: second-in-command; LockBit affiliate "Beverley"
- Sergey RYZHENKOV, Aleksey SHCHETININ, Beyat RAMAZANOV, Vadim POGODIN, and further members (16 individuals in total)
- Entities: Vympel-Assistance LLC, Solar-Invest LLC
- US DOJ: indictment unsealed v. A. Ryzhenkov (CFAA, money-laundering conspiracy)
Read that list as a structure, not a roster. A father who moved the money. A second-in-command who ran the attacks. And a former FSB Vympel officer, connected by independent investigators to a Berlin assassination, who used his money, power and influence to shield the whole operation from both foreign and domestic consequences. The October 2024 action was the first time a Western government drew the line all the way from a ransomware payment to a state assassin's handler and labeled every node on it. Confirmed reporting
What the roof actually buys
Step back to the project's framing. A ransomware operation rests on three dependencies. The Money, the exchanges and mule networks that cash it out. The Metal, the bulletproof hosting that keeps it online. And the Krysha, the active protection of the Russian state. The first two are commodities; a capable crew can rent either. Evil Corp proves what the third one is worth, because over a decade the state took away almost everything except the protection, and the protection alone kept the principals free.
Watch what each layer of pressure actually moved. Indictments moved nothing; the men stayed in Moscow. Sanctions moved the brand, repeatedly, but never the people behind it. Infrastructure actions moved the tooling: as recently as June 18, 2026, Operation Endgame disrupted the SocGholish network Evil Corp had relied on for initial access, seizing 106 servers and 101 domains and cleaning nearly 15,000 compromised sites. Real cost, real disruption. But SocGholish is Metal, and Metal gets rebuilt. Confirmed reporting
The one layer never successfully touched is the roof, and it is the only layer whose removal would end the story rather than pause it. That is the analytic payoff of the whole Evil Corp case: it isolates the load-bearing dependency by elimination. You can read a decade of enforcement as a controlled experiment in which everything was tried except the thing that would have worked. Analyst inference
Which returns us to the car. A Lamborghini marked "thief", driven openly past the police of a state that posed no real threat to the man, was never a lapse in tradecraft. It was an accurate disclosure. The roof was solid, and he knew it. The work of ending operations like this one is not finding better ways to indict the driver. It is finding ways to reach the roof. Analyst inference
Sourcing & confidence
This dispatch draws on the UK National Crime Agency white paper "Evil Corp: Behind the Screens" and the coordinated UK/US/Australia designations (October 1, 2024), US Treasury/OFAC and DOJ actions (December 2019 and October 2024), Bellingcat and Der Spiegel reporting on the Khangoshvili case, and ransomware-lineage analysis from CrowdStrike and SentinelOne. Confidence labels follow standard analytic practice.
Confirmed · multiple independent sources, including official designation or indictment language.
Credible · single strong source or consistent industry reporting, not yet officially confirmed.
Analyst inference · the project's own assessment, drawn from the evidence above.
- UK NCA, Evil Corp: Behind the Screens and Oct 2024 designations.
- US Treasury/OFAC, Evil Corp sanctions and Benderskiy designation (Oct 1, 2024).
- Bellingcat / Der Spiegel, the Berlin assassination and the Vympel network (2020).
- CrowdStrike, Hades as INDRIK SPIDER's successor to WastedLocker; SentinelOne, From Dridex to Macaw.
- Europol / Operation Endgame, SocGholish takedown (Jun 18, 2026); The Register, Russia exploited Evil Corp for NATO attacks.