For the last decade, the hackers behind Evil Corp have led a sustained assault on the bank accounts of thousands of victims across dozens of countries. By steadily evolving malware known as Bugat, they indiscriminately siphoned tens of millions of dollars from unwitting victims. Thursday, the FBI indicted Evil Corp’s alleged leader: Maksim V. Yakubets, also known as “aqua.”

The indictment, which you can read in full below, details in broad strokes the playbook that Yakubets and Igor Turashev, another Russian charged in the scheme, allegedly have rolled out countless times. They’d convince victims to click on a malicious link in a phishing email to download Bugat. Once installed, the malware would use a variety of techniques to steal: a keylogger to grab passwords, or creating fake banking pages to trick someone into voluntarily entering their credentials. Armed with that information, the hackers would arrange for electronic funds transfers from victim bank accounts to a network of so-called money mules, who would then get the funds back to Evil Corp.

“Each and every one of these intrusions was effectively a cyber-enabled bank robbery,” said assistant US attorney general Brian Benczkowski at a press conference announcing the indictment Thursday. Both men are still at-large in Russia.

Evil Corp was apparently also in the franchise business. According to court documents, Yakubets gave a UK resident access to Bugat in exchange for $100,000 up front, plus 50 percent of all revenues, with a minimum take of $50,000 a week. Like any good franchisor, Yakubets offered technical support as needed.

Courtesy of the FBI

Since at least 2011, the FBI estimates that Bugat—also known as Dridex and Cridex—resulted in losses of $100 million or more across hundreds of banks. What makes the Evil Corp campaign so impressive isn’t just the scale, but how adaptable it has proved to be. Law enforcement has pursued them for years, even successfully prosecuting Dridex sysadmin Andrey Ghinkul. US law enforcement disabled some of the conspiracy’s sub-botnets in 2016 by sinkholing them. The FBI indicted a related Belarus-based money mule network that same year. And still, Evil Corp persisted.

“The Dridex malware conspiracy was a constantly evolving and adapting criminal enterprise that had a level of sophistication and scope of threat that we rarely see,” US attorney Scott Brady said at Thursday’s press conference. Over the years, Brady said, Evil Corp has switched from a centralized command-and-control center to peer-to-peer botnets to make their activities harder to trace, used more sophisticated so-called web injects to trick users into entering sensitive information, and ditched international wire transfers for the relative anonymity of ransomware tied to cryptocurrency payments.

“This is why this has been the most widespread and destructive malware and banking trojans in the world over the last decade,” Brady said.

In all, Yakubets and Turashev have been indicted on 10 Bugat-related counts, covering conspiracy, computer hacking, wire fraud, and bank fraud. But the Yakubets story goes further still. Which is maybe why the US government has taken the rare step of offering $5 million for information leading to his arrest.

By Zeus

Since 2006, few malware campaigns have caused as much international consternation as Zeus, a trojan horse that became the favored malware of organized crime. Both the original Zeus and its later variants, Jabber Zeus and GameOver Zeus, had a roughly similar modus operandi to Bugat: steal banking credentials, transfer the money. A separate criminal complaint also unsealed Thursday alleges that Yakubets has been involved almost since the beginning.

Zeus attacks netted $70 million from US targets, a diverse list that includes banks, a luggage store, and the Franciscan Sisters of Chicago. It hit 21 municipalities, banks, and nonprofit organizations in 11 states over its decade-long reign. The specific role Yakubets played, according to the criminal complaint, was to provide “money mules and their associated banking credentials in order to facilitate the movement of money which was withdrawn from victim accounts by fraudulent means.”