Summary
Members of the cybercrime group Evil Corp favor license plates using the Russian word вор, which translates to thief. Members of the group are seen posing next to and driving over a dozen high-priced cars in Russia and the United Arab Emirates. The estimated value of the vehicles is approximately $4,000,000, or 4% of their stolen fortune. Much of the research relied on a website called Nomerogram, which is used for tracking Russian license plates.
Background
In December 2019, the US government, with support from the UK's National Crime Agency, indicted Maksim Yakubets and Igor Turashev for their alleged associations with Evil Corp, a Russia-based cybercrime group responsible for the development and distribution of Dridex malware. According to the indictment, Evil Corp is alleged to have stolen at least $100 million. In addition to the two indictments, sanctions were applied to Evil Corp members Denis Gusev, Dmitriy Smirnov, Artem Yakubets, Ivan Tuchkov, Andrey Plotnitskiy, Dmitriy Slobodskoy, and Kirill Slobodskoy. Following the indictments and sanctions, photographs of Evil Corp members and their lavish lifestyle, including multiple sports cars, quickly emerged.
This post is inspired by another blog post called Car Spotting and OSINT by MW-OSINT. There is a lot of cool content, but one of the tools mentioned in Car Spotting and OSINT is Nomerogram, which is used for tracking vehicles with Russian license plates.
Analysis
Before diving into Evil Corp’s cars, it is worth noting the structure of a Russian license plate. A typical Russian license plate consists of one letter followed by three numbers and two more letters. In addition to these characters, there is a regional code on the right of the plate, which is either two or three numbers depending on the region. Some cities and/or regions have multiple codes, but 777 is one of the more popular codes for Moscow. The regional code therefore indicates where the vehicle is registered and possibly where it is frequently located.
Figure 1 - Example of a license plate found in Moscow, Russia
The following vehicles are several of the most common Evil Corp cars observed in public reporting:
2016 Audi R8 (license plate B216OP777)
2014 Lamborghini Huracan (license plate B217OP777)
2016 Lamborghini Huracan (license plate B215OP777)
2016 Audi R8 (license plate B215OP777)
2011 Nissan GTR (license plate B483OP777)
The color of each car changes over time, and in one instance license plate B215OP777 appears on both an Audi R8 and a Lamborghini Huracan. The paint schemes are most likely vinyl wraps and consist of yellow camouflage and blue skulls with red striping.
Figure 2 - Vehicles associated with Evil Corp and widely reported on in open sources
Nomerogram requires a complete license plate, so partial plate searches will not work. The initial results can include make, model, year, engine size, color and registration periods. These results sometimes vary based on available records, but they are always returned in Russian, which may require a translation tool for some. In addition to the vehicle's description, results include images of vehicles seen with the license plate the user searched on. Each image has a date and the source where the photo was seen online. There are three important observations about the search results:
The images are of the license plate and not the vehicle. License plates get sold or traded, and therefore images of vehicles can differ from the make and model initially searched. This is where the registration periods can help pinpoint when a license plate and its vehicle could have changed.
The date associated with an image is when it was first seen online from a specific source. This means there can be multiple identical photographs with different dates. The dates are not necessarily when the photo was taken, just when it was first seen on the internet from a particular source.
All images have sources, but some are labeled as ‘uploaded by user’ and offer limited means of verifying or corroborating the original source. In some cases, you can find social media accounts that posted the image online for further use in collection and analysis.
The Audi R8 and its license plate B216OP777 produced a photograph of the Audi next to a blue Lamborghini with a white racing stripe on the driver side. This Lamborghini is not the 2014 Lamborghini Huracan with yellow camouflage seen previously, but a newer 2016 model with license plate B485OP777. The individual on the left, next to the Lamborghini, is allegedly sanctioned Evil Corp member Andrey Plotnitskiy.
Figure 3 - Another vehicle using the distinct license plate pattern
This is the fourth car associated with Evil Corp that follows a distinct pattern of B-[three numbers]-O-P-7-7-7. As mentioned, 777 is the regional code for Moscow, and Evil Corp is registering these cars in the country’s capital. This observation could provide a reliable indicator of the vehicles' and members' typical whereabouts. However, the recurring pattern of BOP appears particular to Evil Corp's cars.
In the Russian language, BOP is spelled вор, which means thief. вор is considered a popular license plate pattern for criminals because of its meaning. There are multiple license plate patterns that Russians attach meaning to; one of particular interest is EKX, which allegedly designates cars belonging to the Federal Protective Service (FSO). Additional cars associated with Evil Corp members, although not exclusively, are likely to follow the license plate pattern в-[three numbers]-о-р-7-7-7. This notion can be used to track future vehicles of Evil Corp and/or similar crime groups.
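The plate structure and the вор pattern described above, as an added Python example that is not part of the original post: it normalizes plates typed in Cyrillic or in Latin lookalikes, matches the B-[three numbers]-OP-777 pattern, and flags plates recorded with more than one vehicle. The function names and the sighting records are constructed here from the plates listed in this post; the 12-letter plate alphabet is a fact about Russian plates that the post itself does not state.

```python
import re
from collections import defaultdict

# Russian plates use only the 12 Cyrillic letters that have Latin lookalikes
# (not stated in the post), so "вор" and "BOP" can name the same plate series.
CYR_TO_LAT = str.maketrans("АВЕКМНОРСТУХ", "ABEKMHOPCTYX")
PLATE_RE = re.compile(r"^([ABEKMHOPCTYX])(\d{3})([ABEKMHOPCTYX]{2})(\d{2,3})$")

def parse_plate(raw):
    """Normalize to Latin lookalikes; return the plate's fields or None."""
    text = re.sub(r"[\s\-]", "", raw).upper().translate(CYR_TO_LAT)
    m = PLATE_RE.match(text)
    if not m:
        return None  # incomplete or malformed, e.g. region code missing
    first, number, last_two, region = m.groups()
    return {"plate": text, "series": first + last_two,
            "number": number, "region": region}

def matches_series(raw, series="BOP", region="777"):
    """True when the plate carries the given letter series and region code."""
    p = parse_plate(raw)
    return bool(p) and p["series"] == series and p["region"] == region

def plates_with_multiple_vehicles(sightings):
    """Group (plate, vehicle) records; keep plates seen on more than one car."""
    seen = defaultdict(set)
    for raw, vehicle in sightings:
        p = parse_plate(raw)
        if p:
            seen[p["plate"]].add(vehicle)
    return {plate: sorted(v) for plate, v in seen.items() if len(v) > 1}

# Constructed records: plates and models from this post, typed in mixed
# scripts and spacing the way they might be copied from different sources.
SIGHTINGS = [
    ("B216OP777", "Audi R8"),
    ("в217ор777", "Lamborghini Huracan"),        # Cyrillic, lowercase
    ("B 215 OP 777", "Lamborghini Huracan"),     # Latin, spaced
    ("В215ОР777", "Audi R8"),                    # Cyrillic, uppercase
    ("B483OP777", "Nissan GTR"),
    ("B216OP777", "Mercedes Benz Brabus G700"),
    ("B485OP777", "Lamborghini Huracan"),
]

if __name__ == "__main__":
    for raw, vehicle in SIGHTINGS:
        print(parse_plate(raw)["plate"], matches_series(raw), vehicle)
    print(plates_with_multiple_vehicles(SIGHTINGS))
```

Because a plate can move between vehicles, the grouping step is keyed on the normalized plate rather than on the make and model.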
One of the images of the Audi observed on Nomerogram contains a moniker on the side of the car. The moniker corresponds to an Instagram account that is currently private, but the account’s main image is an Audi R8 wrapped in yellow camo. Further searches on the unique moniker identified a now-deleted Twitter account that went by AQUA, which is a known alias of indicted and sanctioned Evil Corp member Maksim Yakubets.
Figure 4 - Social Media handle on the side of the car aligns with this Instagram page
A review of the images of the Audi and license plate B216OP777 shows that sometime in or around June 2018 the license plate became associated with a 2016-17 Mercedes Benz Brabus G700. The Brabus G700 is estimated to be twice the price of the original Audi R8 (depending on mileage, options, etc.). While it is currently unknown if the Brabus G700 is owned by Evil Corp entities, it is possible that the yellow camo Audi is no longer around and a more subdued (arguably) G700 is being used by the alleged criminals.
Figure 5 - License plate B216OP777 is now associated with a Mercedes G700
A number of vehicles likely associated with members of Evil Corp were identified while researching the above license plates. A social media page for sanctioned Evil Corp member Andrey Plotnitskiy identified additional cars registered in both Russia and the United Arab Emirates. It is not certain if all identified vehicles are owned by Evil Corp members, but it is probable that the majority are at least associated with Evil Corp entities. The model years for some of the cars listed below are assessed based on the dates they appear in pictures and on body styles, because Nomerogram didn't produce any results.
The following cars are likely associated with Evil Corp and located in Russia according to their license plates:
2014-16 Lamborghini Huracan (Yes, another one but in silver.)
2014-2016 BMW M5
2016 Mercedes Benz AMG GLE 63S
2016 Ferrari 488 GTB
1992-2006 Hummer H1
1967-69 Chevrolet Camaro
2003 Rolls Royce Phantom (This is likely a rental)
1978 Ford Ranchero
The following cars are likely associated with Evil Corp and located in the United Arab Emirates according to their license plates:
2014-17 BMW M4
2016-17 Mercedes AMG 63 S
2014-17 Ferrari 488 (Classic Red)
2014-17 Ferrari 488 (Grey Camo)
2014-17 Porsche Cayenne
2014-17 Rolls Royce Phantom
2016-17 Mercedes Benz G700
The average retail price for each vehicle mentioned varies depending on make, model, year, condition, etc. Average pricing for the vehicles mentioned typically ranges from $100,000 to $300,000. Therefore, a quick and dirty estimated value of the approximately 20 cars mentioned equals $4,000,000, or 4% of Evil Corp's estimated stolen fortune.
Figure 6 - Additional vehicles identified
Conclusion
Tracking Evil Corp’s cars shows the specific license plates that the threat actor, and likely other Russia-based cybercrime groups, use. Nomerogram is just one tool that can help in Open Source Intelligence (OSINT) investigations, specifically with tracking cars in Russia. The results provided by the tool allow analysts to identify a variety of selectors for collection, analysis and validation. The overall use of the tool and analysis techniques could be handy for a variety of professional fields, such as enhanced due diligence reporting, law enforcement investigations and asset tracing.