The Bloodline · Part 3 of 7 · Evil Corp II · Protection Layer

The Roof Over Evil Corp

A former FSB assassin's handler became Maksim Yakubets's father-in-law. After that, the indictments came and the sanctions came, and the group simply changed its name. The protection never moved. This is what a roof actually buys.

By Reno · July 3, 2026 · 14 min read · Open Research
[Illustration: The krysha over the network]

Part 1 ended at a wedding. A country club north of Moscow in 2017, a third of a million dollars, the entire crew in attendance, and a bride whose surname matters more than anything else in this story. Alyona Benderskaya's father is Eduard Benderskiy, and to understand what Maksim Yakubets married into you have to understand what Benderskiy did for a living before he became a businessman. Confirmed reporting

Benderskiy is a former senior officer of the FSB's Vympel unit, one of the most secretive special-operations formations in Russia. Vympel was created in 1981 as a KGB instrument for work abroad: infiltration, sabotage, kidnapping, assassination. It was later folded into the FSB and rebranded internally as Department V, nominally re-pointed at domestic counter-terrorism, though its overseas reach plainly survived. Today Benderskiy presents as a private businessman, running a cluster of companies carrying the Vympel name and chairing a charitable fund for former FSB Spetsnaz officers, a role that makes him a living switchboard for the security services' veterans. Confirmed reporting

The man at the wedding

The switchboard has been used for more than networking. In 2020 a joint investigation by Bellingcat and Der Spiegel concluded that Benderskiy supervised the preparation for the August 2019 assassination of Zelimkhan Khangoshvili, a Georgian-Chechen dissident shot dead in broad daylight in Berlin's Kleiner Tiergarten. The killer, Vadim Krasikov, had served in the same Vympel unit and was in regular phone contact with Benderskiy in the run-up to the murder. Bellingcat's assessment was that Benderskiy's web of Vympel companies functions as a de facto arm of the FSB, kept partly for deniable operations abroad. Credible reporting

The endnote is its own argument. A German court convicted Krasikov. In August 2024 he was returned to Russia in the largest East-West prisoner exchange since the Cold War, a measure of how much the Russian state will spend to bring its assassins home. This is the man whose daughter married the leader of Evil Corp. Confirmed reporting

The father-in-law did not protect a criminal. He integrated one, into a network built for deniable work abroad.

From protected to tasked

The relationship between Evil Corp and the Russian state ran well past the ordinary bargain of payoffs and tolerance. The NCA's language is unusually direct: prior to 2019, Evil Corp were tasked by Russian intelligence services to conduct cyber-attacks and espionage against NATO allies. This was not a criminal group the state happened to ignore. It was a criminal group the state put to work. Confirmed reporting

Yakubets ran that liaison himself, becoming the group's main point of contact with Russian officials and cultivating relationships across the FSB, the SVR and the GRU, the full intelligence triad. By 2017 the US Treasury assessed that he was working for the FSB, and by April 2018 he was in the process of obtaining a license to access classified Russian information, tasked, in Treasury's words, with acquiring protected data through aggressive actions in cyberspace. Benderskiy was the enabler who made those introductions possible, leveraging his status to graft a cybercrime crew onto the security apparatus. Confirmed reporting

This is the inheritance from Part 1 reaching maturity. Bogachev's Zeus operation had run a covert espionage variant under FSB supervision. A decade later his successor was not running a hidden side-channel for the state; he was attending meetings, seeking a clearance, and marrying into Vympel. The espionage-for-protection model had stopped being a secret feature and become the business relationship itself. Analyst inference

December 2019: the indictment that did not land

On December 5, 2019, the response arrived in force. The US Treasury's OFAC designated Evil Corp and its members. The Department of Justice unsealed a ten-count indictment against Yakubets and a second against Igor Turashev, a key Dridex administrator. The State Department posted the $5 million reward. On paper it was the most aggressive action ever taken against a cybercrime group. Confirmed reporting

None of them were arrested. All of them stayed in Russia. After the 2019 sanctions, Benderskiy used his influence to shield the group, both by providing senior members with physical security and by ensuring Russia's own authorities did not pursue them. The indictment was real. The roof was simply higher than the indictment could reach. Confirmed reporting

What the action did change was the economics. An OFAC designation is radioactive in the ransomware market: any victim who pays a sanctioned entity risks its own liability, so paying Evil Corp by name became a compliance hazard. That single fact drove everything Evil Corp did next. The group did not need to evade arrest; the roof handled that. It needed to evade attribution, so that victims could keep paying without paying a sanctioned name. Analyst inference

The split, and the carousel of names

The pressure cracked an existing fault line. A souring relationship between Yakubets and Turashev, building since mid-2019, broke open. Turashev left and led development of DoppelPaymer, a fork of the group's ransomware, while the Yakubets and Ryzhenkov core kept the main operation. Both halves stayed in Russia and beyond reach. In a detail that captures the whole ecosystem, Turashev and his company placed third in a December 2022 hackathon organized by the Wagner Group. Confirmed reporting

The core's answer to the attribution problem was to keep changing its name while keeping its code. Researchers tracked the lineage strain by strain: a shared codebase wearing new labels roughly once a year, each rebrand an attempt to muddy the link back to a sanctioned operation.

Fig. 1 · The rebrand carousel: one operation, many names (2014–2024)

Jun 2014 · Dridex · Banking trojan and rented botnet. Evil Corp is born on the domain Ev17corp.biz.
Mid 2017 · BitPaymer · First ransomware strain. The pivot from draining accounts to big-game hunting.
Mid 2019 · DoppelPaymer (split) · Turashev forks off after the break with Yakubets.
Mid 2020 · WastedLocker · Post-sanctions rebrand. Dridex dropped; SocGholish becomes the way in.
Dec 2020 · Hades · A 64-bit WastedLocker with heavier obfuscation. Same cluster.
Mar 2021 · Phoenix Locker · A near-identical Hades rebrand. One attack drew a $40M payment, a record at the time.
2021 · PayloadBIN · Macaw · More names on the same family, hunting for a clean label.
2022–2024 · LockBit (as affiliate "Beverley") · Ryzhenkov stops branding his own and rents someone else's.

Sequence and dates per CrowdStrike, SentinelOne and the UK NCA. Strains in this family are linked by shared code, packers and tradecraft; shown to convey the rebrand cadence, not exhaustive of every label used.

The 2020 transformation was thorough. Evil Corp dropped Dridex and switched its way in to SocGholish, the fake-browser-update framework that hijacked legitimate websites to plant a foothold. Members grew quiet, abandoned old accounts and restricted their movements. It did not work cleanly: researchers attributed WastedLocker to them within the year. So the names kept turning: Hades, Phoenix Locker, PayloadBIN, Macaw, each a thin recoat of the same engine. One Phoenix Locker victim paid $40 million, the largest ransom recorded at that point. Confirmed reporting

By 2022 the core reached the logical endpoint of an attribution problem: if your own brand is toxic, stop having one. Ryzhenkov, Yakubets's right hand, became an affiliate of the LockBit ransomware-as-a-service platform under the alias "Beverley." Wearing someone else's banner, he is assessed to have built around 60 LockBit attacks and attempted to extort roughly $100 million. The crew that once rented its own botnet to affiliates had become an affiliate on another crew's botnet. Confirmed reporting

October 2024: the roof gets named

The most revealing action came in October 2024, when the UK, US and Australia moved together. The NCA, working from data taken off the group's own systems through Operation Cronos, publicly tied Ryzhenkov's "Beverley" to LockBit and unsealed a US indictment against him. More striking was who else was named. The action did not just sanction hackers; it sanctioned the roof. Confirmed reporting

UK / US / Australia · Coordinated Evil Corp Designations (excerpt), Oct 1, 2024
Eduard BENDERSKIY : ex-FSB Vympel; father-in-law; "key enabler" & protector
Viktor YAKUBETS : father of Maksim; laundering of group proceeds
Aleksandr RYZHENKOV : second-in-command; LockBit affiliate "Beverley"
Sergey RYZHENKOV · Aleksey SHCHETININ · Beyat RAMAZANOV
Vadim POGODIN · and further members (16 individuals in total)
Entities: Vympel-Assistance LLC · Solar-Invest LLC
US DOJ: indictment unsealed v. A. Ryzhenkov (CFAA, money-laundering conspiracy)
Source: UK NCA / OFAC / Australian sanctions actions and DOJ indictment, October 1, 2024. Public designation record, reproduced for analysis.

Read that list as a structure, not a roster. A father who moved the money. A second-in-command who ran the attacks. And a former FSB Vympel officer, connected by independent investigators to a Berlin assassination, who used his money, power and influence to shield the whole operation from both foreign and domestic consequences. The October 2024 action was the first time a Western government drew the line all the way from a ransomware payment to a state assassin's handler and labeled every node on it. Confirmed reporting

What the roof actually buys

Step back to the project's framing. A ransomware operation rests on three dependencies. The Money, the exchanges and mule networks that cash it out. The Metal, the bulletproof hosting that keeps it online. And the Krysha, the active protection of the Russian state. The first two are commodities; a capable crew can rent either. Evil Corp proves what the third one is worth, because over a decade the state took away almost everything except the protection, and the protection alone kept the principals free.

Watch what each layer of pressure actually moved. Indictments moved nothing; the men stayed in Moscow. Sanctions moved the brand, repeatedly, but never the people behind it. Infrastructure actions moved the tooling: as recently as June 18, 2026, Operation Endgame disrupted the SocGholish network Evil Corp had relied on for initial access, seizing 106 servers and 101 domains and cleaning nearly 15,000 compromised sites. Real cost, real disruption. But SocGholish is Metal, and Metal gets rebuilt. Confirmed reporting

Take the Money and they reroute. Take the Metal and they rebuild. Take the Krysha and the men in the Lamborghinis have nowhere to stand.

The one layer never successfully touched is the roof, and it is the only layer whose removal would end the story rather than pause it. That is the analytic payoff of the whole Evil Corp case: it isolates the load-bearing dependency by elimination. You can read a decade of enforcement as a controlled experiment in which everything was tried except the thing that would have worked. Analyst inference

Which returns us to the car. A Lamborghini marked thief, driven openly past the police of a state that had the man under no real threat, was never a lapse in tradecraft. It was an accurate disclosure. The roof was solid, and he knew it. The work of ending operations like this one is not finding better ways to indict the driver. It is finding ways to reach the roof. Analyst inference

Sourcing & confidence

This dispatch draws on the UK National Crime Agency white paper "Evil Corp: Behind the Screens" and the coordinated UK/US/Australia designations (October 1, 2024), US Treasury/OFAC and DOJ actions (December 2019 and October 2024), Bellingcat and Der Spiegel reporting on the Khangoshvili case, and ransomware-lineage analysis from CrowdStrike and SentinelOne. Confidence labels follow standard analytic practice.

Confirmed · multiple independent sources, including official designation or indictment language.
Credible · single strong source or consistent industry reporting, not yet officially confirmed.
Analyst inference · the project's own assessment, drawn from the evidence above.

Continue · The Bloodline, Part 4 of 7

The Corporation: TrickBot, Conti, and the other branch of the fork

Tags · Evil Corp · Krysha · FSB · Benderskiy · LockBit · Ryzhenkov · Protection Layer