Michael Engle is Cofounder at 1Kosmos and was previously head of InfoSec at Lehman Brothers and Cofounder of Bastille Networks.
Treasury sanctions against Evil Corp, a Russia-based cybercriminal group responsible for over $100 million in global theft and damage, highlight the severe shortcomings of current identity verification and authentication systems.
By deploying Dridex malware to compromise banking systems and steal credentials, Evil Corp demonstrated how existing security methods fail to protect against sophisticated identity-based threats. Their success isn’t just a testament to their capabilities—it’s an indictment of the systems designed to stop them.
Traditional methods of identity verification and authentication, while once sufficient, are no match for today’s threat actors. Evil Corp exploited these gaps with alarming efficiency:
Passwords As A Primary Defense
Though they’ve outlived their usefulness, passwords remain the most common form of authentication. However, they’re also the weakest link. Dridex thrives on credential theft, using phishing campaigns to harvest usernames and passwords and exploiting reused or weak credentials to gain unauthorized access. These attacks underscore that relying on static credentials is an outdated approach to securing access.
Fragmented Multi-Factor Authentication (MFA)
While MFA provides an additional layer of security, its implementation is often inconsistent. Many organizations adopt MFA piecemeal, leaving critical systems or users exempt due to cost or convenience concerns. Dridex exemplifies how attackers target these vulnerabilities, bypassing weak MFA controls through social engineering or brute force.
Centralized Identity Databases
Identity verification processes rely on centralized repositories of personal data, such as employee records. Such concentrated stores are "honeypots" in the colloquial sense: prime targets for attackers seeking to compromise large volumes of sensitive data at once. Once breached, they fuel additional attacks, amplifying the impact of the initial exploit.
Evil Corp’s operations are a stark reminder that incremental improvements to identity systems are not enough. Organizations must fundamentally rethink how they verify and authenticate identities.
Moving Toward Modern Identity
Enterprises must adopt more resilient identity systems to mitigate risks. Two key approaches for modernizing identity controls are passwordless authentication and, in some cases, verifiable credentials.
Passwordless Authentication
Eliminating passwords removes one of the most significant vulnerabilities in authentication systems. By leveraging technologies like verified biometrics, FIDO passkeys and cryptographic tokens, organizations can drastically reduce their attack surface. Passwordless methods remove the static credential that theft targets and make credential-phishing campaigns ineffective.
For example, biometric authentication ensures that even if attackers obtain an account password, they cannot reproduce the user’s biometrics. Similarly, cryptographic tokens authenticate users without sending a reusable secret over the network, reducing exposure to man-in-the-middle attacks.
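To make the token point concrete, here is an added example (it is not code from the article or from 1Kosmos) of a passkey-style challenge-response login, modelled on the WebAuthn pattern. The relying party stores only public keys, the authenticator signs a server-chosen challenge together with the origin the client actually connected to, and each challenge is accepted once. The type and function names (RelyingParty, Authenticator, Register, Challenge, Respond, Verify) and the origins "bank.example" and "phish.example" are illustrative assumptions, not a real library API.

```go
package main

// Added example, not from the article: passkey-style challenge-response login.
// Names and origins are illustrative; this is not a real library's API.

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// RelyingParty is the site being logged into. Its user store holds public keys
// only, so a stolen copy gives an attacker nothing that can be replayed as a login.
type RelyingParty struct {
	ID      string                       // origin the credential is bound to
	users   map[string]ed25519.PublicKey // user -> registered public key
	pending map[string][]byte            // user -> outstanding single-use challenge
}

func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{ID: id, users: map[string]ed25519.PublicKey{}, pending: map[string][]byte{}}
}

// Authenticator stands in for the user's device or security key. The private
// key never leaves it; it only ever emits signatures.
type Authenticator struct {
	priv ed25519.PrivateKey
}

// Register generates a key pair on the authenticator and gives the relying
// party the public half. No shared secret is ever created.
func Register(rp *RelyingParty, user string) (*Authenticator, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	rp.users[user] = pub
	return &Authenticator{priv: priv}, nil
}

// Challenge issues a fresh random nonce for one login attempt.
func (rp *RelyingParty) Challenge(user string) ([]byte, error) {
	if _, ok := rp.users[user]; !ok {
		return nil, errors.New("unknown user")
	}
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	rp.pending[user] = c
	return c, nil
}

// signedPayload binds the challenge to an origin, so a signature produced for
// one site is useless at another.
func signedPayload(origin string, challenge []byte) []byte {
	return []byte(origin + "|" + hex.EncodeToString(challenge))
}

// Respond signs the challenge together with the origin the client actually
// connected to (in WebAuthn the browser supplies this, not the user).
func (a *Authenticator) Respond(originSeen string, challenge []byte) []byte {
	return ed25519.Sign(a.priv, signedPayload(originSeen, challenge))
}

// Verify checks the signature against the relying party's own origin and the
// outstanding challenge, consuming the challenge so the response cannot be replayed.
func (rp *RelyingParty) Verify(user string, sig []byte) error {
	pub, ok := rp.users[user]
	if !ok {
		return errors.New("unknown user")
	}
	challenge, ok := rp.pending[user]
	if !ok {
		return errors.New("no outstanding challenge: possible replay")
	}
	delete(rp.pending, user)
	if !ed25519.Verify(pub, signedPayload(rp.ID, challenge), sig) {
		return errors.New("signature does not match this origin and challenge")
	}
	return nil
}

func main() {
	rp := NewRelyingParty("bank.example")
	auth, err := Register(rp, "alice")
	if err != nil {
		panic(err)
	}
	// Legitimate login from the real origin, then a replay of the same response.
	c, _ := rp.Challenge("alice")
	sig := auth.Respond("bank.example", c)
	fmt.Println("legitimate login:", rp.Verify("alice", sig))
	fmt.Println("replayed response:", rp.Verify("alice", sig))
	// A look-alike origin relaying the real challenge: the signature is bound to
	// what the client saw, so the bank rejects it.
	c2, _ := rp.Challenge("alice")
	fmt.Println("relayed through phish.example:", rp.Verify("alice", auth.Respond("phish.example", c2)))
}
```

The three calls in main show why this design resists the credential theft the article describes: nothing reusable crosses the wire, a captured response dies with its challenge, and a response obtained through a look-alike site fails verification at the real one.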
Verifiable Credentials
In many use cases, identity verification is becoming a requirement. Here, reusable and cryptographically secure credentials can enhance both security and privacy. These credentials allow individuals to prove claims—such as employment, citizenship or financial standing—without exposing their personal data.
By using decentralized or distributed systems to verify these credentials, organizations can eliminate centralized personally identifiable information (PII) repositories, reducing the risk of large-scale breaches. Although not universally applicable, verifiable credentials are particularly useful in industries like healthcare and finance where trust and privacy are paramount.
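As an added example (not code from the article or from any named vendor), the following shows the mechanism behind "prove a claim without exposing personal data": the issuer signs only salted digests of the claims, the holder reveals just the claim a particular verifier needs, and the verifier checks the issuer's signature against a locally held public key with no call to a central database. The layout follows the salted-hash selective-disclosure idea used by SD-JWT, simplified. The names (Disclosure, Credential, Issue, Present, Verify), the issuer "hr.acme.example" and the sample claims are constructed for illustration; binding the credential to the holder's own key is omitted.

```go
package main

// Added example, not from the article: selective-disclosure credential in the
// SD-JWT style, simplified. Names and sample data are illustrative.

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Disclosure is what the holder keeps for one claim. Revealing it lets a verifier
// recompute the digest; the random salt stops anyone from recovering undisclosed
// low-entropy values (a date of birth, say) by guessing against the digest.
type Disclosure struct {
	Salt, Name, Value string
}

func (d Disclosure) Digest() string {
	h := sha256.Sum256([]byte(d.Salt + "|" + d.Name + "|" + d.Value))
	return hex.EncodeToString(h[:])
}

// Credential is the signed object. It carries digests only, never claim values,
// so presenting it leaks nothing about claims the holder chose not to reveal.
type Credential struct {
	Issuer  string
	Digests []string // sorted so the signed payload is canonical
	Sig     []byte
}

func (c Credential) payload() []byte {
	return []byte(c.Issuer + "\n" + strings.Join(c.Digests, "\n"))
}

// Issue builds the credential and hands the per-claim disclosures to the holder.
func Issue(issuer string, priv ed25519.PrivateKey, claims map[string]string) (Credential, []Disclosure, error) {
	var discs []Disclosure
	cred := Credential{Issuer: issuer}
	for name, value := range claims {
		salt := make([]byte, 16)
		if _, err := rand.Read(salt); err != nil {
			return Credential{}, nil, err
		}
		d := Disclosure{Salt: hex.EncodeToString(salt), Name: name, Value: value}
		discs = append(discs, d)
		cred.Digests = append(cred.Digests, d.Digest())
	}
	sort.Strings(cred.Digests)
	cred.Sig = ed25519.Sign(priv, cred.payload())
	return cred, discs, nil
}

// Present selects the disclosures the holder is willing to reveal to one verifier.
func Present(discs []Disclosure, reveal ...string) []Disclosure {
	var out []Disclosure
	for _, d := range discs {
		for _, name := range reveal {
			if d.Name == name {
				out = append(out, d)
			}
		}
	}
	return out
}

// Verify checks the issuer signature offline, using only a public key the verifier
// already trusts, and returns the revealed claims that the signature covers.
func Verify(cred Credential, trusted map[string]ed25519.PublicKey, revealed []Disclosure) (map[string]string, error) {
	pub, ok := trusted[cred.Issuer]
	if !ok {
		return nil, errors.New("issuer not trusted")
	}
	if !ed25519.Verify(pub, cred.payload(), cred.Sig) {
		return nil, errors.New("issuer signature invalid")
	}
	claims := map[string]string{}
	for _, d := range revealed {
		i := sort.SearchStrings(cred.Digests, d.Digest())
		if i == len(cred.Digests) || cred.Digests[i] != d.Digest() {
			return nil, fmt.Errorf("claim %q is not covered by the issuer signature", d.Name)
		}
		claims[d.Name] = d.Value
	}
	return claims, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	// Constructed sample claims for an employment credential.
	cred, discs, _ := Issue("hr.acme.example", priv, map[string]string{
		"employer": "Acme Corp", "role": "engineer", "national_id": "000-00-0000",
	})
	trusted := map[string]ed25519.PublicKey{"hr.acme.example": pub}
	claims, err := Verify(cred, trusted, Present(discs, "employer"))
	fmt.Println(claims, err)
}
```

Note what the verifier ends up holding: the employer claim it asked for, the issuer's public key, and a set of opaque digests. The national identifier never leaves the holder, and no PII repository has to exist on the verifier's side for the check to succeed, which is the breach-reduction argument made above.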
Implementation Challenges
Transitioning to advanced identity systems comes with challenges. Organizations looking to modernize their identity infrastructure should be prepared to navigate the following hurdles:
Integration With Legacy Systems
Many enterprises operate legacy IT systems that are unsuitable for modern authentication methods. This creates integration challenges that require careful planning and phased implementation. Organizations must evaluate their current infrastructure and prioritize upgrades in high-risk areas.
Balancing Security And Usability
While passwordless authentication improves security, users accustomed to traditional methods may resist it. Simplified onboarding processes, clear communication about benefits and comprehensive training can ease the transition.
Privacy Concerns
Biometric authentication and digital credentials raise legitimate privacy concerns. Ensuring compliance with data protection regulations such as GDPR and Illinois BIPA and designing systems that minimize data retention can build user trust.
Best Practices
To deploy modern identity protection while minimizing disruption, organizations should consider the following four recommendations:
1. Conduct comprehensive audits. Start by assessing existing identity and access management systems to identify vulnerabilities and areas for improvement.
2. Adopt standards-based frameworks. Align with well-established standards like NIST SP 800-63-3 or FIDO2 to ensure security, interoperability and scalability.
3. Ensure a phased implementation. Begin with high-risk use cases or pilot programs to refine processes before scaling. This approach allows organizations to address unforeseen challenges and gather feedback.
4. Collaborate across stakeholders. Involve security teams, IT, legal and compliance early in the planning process to ensure that solutions address technical, regulatory and operational requirements.
Evil Corp’s tactics reveal the need to replace outdated identity systems with modern solutions. This can help reduce vulnerabilities, enhance trust in digital interactions and build resilience.
With AI tools at their disposal, adversaries will only improve the effectiveness of identity-based attacks. Organizations that delay modernization efforts may risk severe financial, operational and reputational damage.
Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.