“Illegals and Evil Corp GRU Operations and Global Sanctions in 2024”
Introduction
This analysis titled “Illegals and Evil Corp GRU Operations and Global Sanctions in 2024” synthesizes investigative reporting and official actions concerning Russia-related intelligence operations and criminal cyber networks. It integrates coverage of alleged GRU illegals and Unit 26165 activity with multinational sanctions targeting Evil Corp and associated figures.
Executive Overview
This report weaves two interlinked narratives. First, long-running investigative reporting identifies individuals operating under journalistic or diplomatic cover who are reported to have served GRU intelligence aims. Second, separate but contextually related multinational enforcement actions in 2024 targeted Evil Corp, a major cybercrime grouping alleged to have laundered large sums and collaborated with other ransomware networks. The combined picture highlights the convergence of espionage, cyber intrusion, disinformation, and criminal finance in modern state-linked operations.
Key Figures and Roles
Pablo González / Pavel Rubtsov
Reported profile and activity
- Born 1982 in Moscow; reported by investigative outlets to have Russian and Spanish ties and to have presented publicly as a journalist.
- Investigations by The Insider and partners allege that González operated as an illegal under the GRU Fifth Department, cultivating contacts among émigrés and opposition circles in Europe and collecting travel and personal data for handlers.
- Reports link González to media projects such as Eulixe and to involvement with disinformation initiatives including Bonanza Media.
- Detained by Ukraine’s SBU in the early 2022 invasion period and reportedly returned to Moscow in an August 2024 prisoner exchange, according to The Insider.
Oleg Sotnikov
Reported profile and activity
- Identified in U.S. indictments and investigative reporting as a GRU officer connected to Unit 26165 and linked to cyber intrusions against international bodies including the OPCW and the anti-doping agencies USADA and WADA.
- Reporting details a 2018 operation near The Hague where a GRU team attempted to breach OPCW infrastructure before being intercepted by Dutch authorities.
- Open-source investigations, including facial comparison analyses published by investigative outlets, are cited as evidence used to link Sotnikov to the events.
Maksim Yakubets and Evil Corp network
Sanctions and enforcement in 2024
- In late 2024 the United Kingdom, United States, and Australia imposed sanctions on multiple individuals tied to Evil Corp, naming Maksim Yakubets and family members among those sanctioned according to reporting by the BBC and allied outlets.
- Authorities describe Evil Corp as responsible for extensive theft and laundering operations over roughly a decade, with links to other ransomware networks such as LockBit cited in sanctions materials.
Structural Elements and Chronology
- 2016 to 2021: Reported use by the GRU Fifth Department of media covers and travel across Europe to build intelligence on dissidents and opposition figures.
- April 2018: An alleged Unit 26165 close-access operation targeted the OPCW in The Hague; Dutch counterintelligence actions followed.
- 2017 to 2019: Public activity tied to alleged illegals includes Eulixe founding and attendance at media events later linked by investigators to GRU networks.
- 2022: Arrests and interrogations of suspected operatives amid the Russia-Ukraine conflict; rising interest from Polish, Spanish, UK and Ukrainian agencies.
- August 1, 2024: Reported prisoner exchange returns González to Moscow; contemporaneous reporting analyzes the diplomatic signaling of such swaps.
- October 2024: Multinational sanctions announced targeting Evil Corp affiliates and associated money laundering networks.
Operations, Methods and Evidence
- Espionage as cover: Journalism and diplomatic postings are reported to have been used as plausible covers for intelligence collection on émigrés, activists, and treaty monitoring staff. Attribution of these roles is drawn from investigative reports and court or law enforcement filings.
- Illegals program: Investigative work links named persons to the Fifth Department and Unit 26165, described as the GRU elements that place operatives abroad without formal diplomatic status.
- Cyber operations: Unit 26165 and Fancy Bear-related activity is tied to high-profile intrusions including the OPCW breach and anti-doping agency hacks. Evidence cited in reporting includes travel records, hotel and flight manifests, airport footage, forensic device analysis and U.S. indictments.
- Disinformation and influence: Media projects and content platforms are described in reporting as mechanisms to shape narratives on Syria, Ukraine, and post-Soviet politics.
Legal Actions, Sanctions and Geopolitical Implications
- U.S. Department of Justice indictments and FBI wanted lists name individuals associated with Unit 26165 in connection with longstanding cyber operations.
- The UK NCA led a 2024 coordinated sanction package against Evil Corp affiliates, citing roughly 300 million in alleged illicit gains and naming family members among those sanctioned. Reporting linked sanctioned figures to broader money laundering and ransomware partnerships.
- The prisoner exchange in 2024 and parallel enforcement actions reflect a mix of legal pressure, diplomatic negotiation, and strategic signaling by Western states.
Caveats, Source Attribution and Context
This synthesis attributes contested claims to named investigative outlets and official actions. Key source materials informing the analysis include reporting from The Insider, BBC, El Mundo, VSquare, Bellingcat and U.S. law enforcement releases. Readers are reminded that some biographical and operational details derive from investigative reconstruction and official allegations and remain subject to further verification in courts or through primary documents.
Fact Checking and Sources
Please consult original investigative and official sources for verification: The Insider reporting on Pablo González and Unit 26165, BBC analysis of Evil Corp sanctions, U.S. DOJ and FBI public filings related to Unit 26165 indictments, and investigative open-source projects by Bellingcat and partners. Cross-referencing primary court documents and sanctions lists is advised for rigorous confirmation.
Conclusion
The combined reporting and enforcement actions across 2024 present a consistent theme: covert intelligence tradecraft and criminal cyber activity increasingly operate in a blended ecosystem. Allegations that GRU illegals used journalistic and diplomatic covers to gather intelligence and that Evil Corp engaged in transnational laundering and ransomware collaborations illustrate how espionage, cyberattack and organised crime intersect. Multinational sanctions and legal measures reflect an ongoing effort to disrupt those networks, while high-profile exchanges underscore the diplomatic complexity that governs modern intelligence disputes.
Question for readers: which element of the intertwined espionage and cybercrime ecosystem merits the most urgent policy response in your view?