Alleged members of a Nigerian cybercrime gang that compromised 500,000 companies and government organizations in more than 150 countries have been arrested.
The arrests were made in Lagos as part of the year-long, INTERPOL-led Operation Falcon targeting cyber-criminals who use business email compromise (BEC) scams to steal money.
Singapore-based cybersecurity company Group-IB, which has been tracking the gang they dubbed TMT since 2019, supported the operation. The company's APAC Cyber Investigations Team, with the help of CERT-GIB teams, identified a trio of Nigerian nationals as gang members.
A Nigerian cybercrime police unit subsequently arrested three suspects, referred to as 32-year-old OC, 34-year-old IO, and 35-year-old OI.
Police said data discovered on the devices of the arrested trio confirms their involvement in the criminal BEC scheme and includes stolen data from at least 50,000 targeted victims.
"The analysis of their operations revealed that the gang focuses on mass email phishing campaigns distributing popular malware strains under the guise of purchasing orders, product inquiries, and even COVID-19 aid impersonating legitimate companies," said a Group-IB spokesperson.
The attackers use Gammadyne Mailer and Turbo-Mailer to send out phishing emails in English, Russian, and Spanish, and MailChimp to track whether a recipient has opened the malicious message.
The goal of their attacks was to steal authentication data from browsers, email, and FTP clients, possibly to sell to the highest dark net bidder.
INTERPOL said: “The suspects are alleged to have developed phishing links, domains, and mass mailing campaigns in which they impersonated representatives of organizations.
“They then used these campaigns to disseminate 26 malware programmes, spyware and remote access tools, including AgentTesla, Loki, Azorult, Spartan and the nanocore and Remcos Remote Access Trojans.”
The gang used these programs to infiltrate and monitor the systems of victim organizations and individuals, then launched scams and syphoned funds.
Vesta Matveeva, head of the Cyber Investigations Team at Group-IB APAC, highlighted the importance of cooperation in catching cyber-criminals.
“This cross-border operation once again demonstrated that only effective collaboration between private sector cybersecurity companies and international law enforcement can bring evildoers to justice,” said Matveeva.
“It allows us to overcome regulatory differences across countries that impede threat intelligence data exchange.”