Nigerian police have arrested three suspects in Lagos believed to be members of a major organised crime group responsible for phishing and malware campaigns, and business email compromise (BEC) scams, following a joint investigation with Interpol and cyber security company Group-IB.
The gang allegedly developed phishing links, domains and mass mailing campaigns in which they posed as members of various legitimate organisations with lures including purchase orders, product enquiries, and Covid-19 assistance. Their victims were compromised with a wide variety of malware, remote access trojans (Rats) and spyware, among them AgentTesla, Loki, Azorult, Spartan, nanocore and Remcos, which were used to launch further scams and siphon funds.
Interpol cyber crime director Craig Jones said: “This group was running a well-established criminal business model. From infiltration to cashing in, they used a multitude of tools and techniques to generate maximum profits. We look forward to seeing additional results from this operation.”
The year-long investigation – dubbed Operation Falcon – took place under the auspices of Project Gateway, a framework initiative run by Interpol to gather threat intelligence from the private sector.
During the course of the probe, Interpol’s Cybercrime and Financial Crime unit worked alongside Group-IB to identify and locate the suspects, and eventually assist the Nigeria Police Force, via its National Central Bureau in the nation’s capital, Abuja, in taking them into custody.
“This cross-border operation once again demonstrated that only effective collaboration between private sector cyber security companies and international law enforcement can bring evildoers to justice,” added Group-IB’s APAC cyber investigations team head, Vesta Mateeva.
“It allows to overcome regulatory differences across countries that impede threat intelligence data exchange. While further investigation is underway, we are proud by what we’ve been able to achieve thanks to coordinated efforts by Interpol with the support of Nigerian cyber police,” she said.
Group-IB said the men may have successfully compromised both public and private sector companies in over 150 companies in the space of just three years. It has identified 500,000 targeted victims to date, located in Japan, Nigeria, Singapore, the UK and the US.
The investigation also established that the gang, which Group-IB refers to as TMT, was divided into a number of different subgroups, and as a result a number of individuals are thought to still be at large.
The firm said that the gang’s monetisation efforts were still being investigated, but cautioned that it was not uncommon for cyber criminals to sell account access, alongside any sensitive data they may have been able to exfiltrate from their victims, on underground dark web forums.