Maksim Viktorovich Yakubets (Russian: Максим Викторович Якубец), online persona aqua, is a Russian national identified on 5 December 2019 by the U.S. Department of Justice and U.S. Treasury as the leader of Evil Corp — the cybercrime operation behind the Dridex banking trojan, the BitPaymer and WastedLocker ransomware families, and later the rebranded Hades, Phoenix CryptoLocker, PayloadBIN, and Macaw Locker strains.
Identification
The DOJ indictment in the Western District of Pennsylvania charged Yakubets with conspiracy to commit fraud, computer hacking, and wire fraud relating to the operation of the Dridex banking malware that had stolen tens of millions of dollars from victims across more than 40 countries. The Treasury simultaneously designated Yakubets and his lieutenant Igor Turashev to the OFAC SDN list — making any ransom paid to Evil Corp a U.S. sanctions violation for the victim. This was the first ransomware-related OFAC designation and reshaped the legal calculus of ransom payments overnight.
The U.S. State Department announced a $5 million reward for information leading to Yakubets's arrest or conviction — the largest cybercrime reward at the time and a marker of how seriously the U.S. government took the Evil Corp threat.
Background
Yakubets is reported by the FBI to have worked for the Russian FSB in addition to running Evil Corp. Public photographs released by the U.K. NCA at the time of the indictment showed Yakubets driving a customised Lamborghini Huracán with a personalised license plate reading "вор" ("thief" in Russian).
The OFAC designation was particularly disruptive because Evil Corp's ransomware affiliates immediately attempted to rebrand and re-shell their operations to evade the sanction, producing a churn of named strains — BitPaymer → DoppelPaymer → WastedLocker → Hades → Phoenix → PayloadBIN → Macaw — that defenders had to track in near-real-time. In September 2024, the U.K. NCA and U.S. DOJ jointly named Yakubets as having transferred Evil Corp affiliates into the LockBit ecosystem after Operation Cronos, and designated his father Viktor Yakubets and several other family members.
Why it matters
Yakubets is the canonical case for sanctions-as-cyber-policy. The 2019 OFAC designation didn't put him in handcuffs but did force every U.S. victim of any Evil Corp-attributed strain to think twice before paying — and through the OFAC reporting requirement, gave U.S. Treasury visibility into payments that were attempted anyway. The model has since been re-applied to LockBitSupp, Wazawaka, and (in 2024) several Conti / TrickBot principals.