Key figure in OPERA1ER cybercrime syndicate arrested in Ivory Coast after joint INTERPOL operation

Over the last four years, a highly-organized criminal organization has targeted financial institutions and mobile banking services with malware, phishing campaigns and large-scale Business Email Compromise (BEC) scams.

Known as OPERA1ER, with aliases such as NX$M$, DESKTOP Group and Common Raven, the group is believed to have stolen an estimated $11 million – potentially as much as $30 million – in more than 30 attacks across 15 countries in Africa, Asia and Latin America.

A detailed overview of OPERA1ER’s methods was published by Group-IB and Orange in November 2022.

Following an extensive cooperation, INTERPOL, AFRIPOL, Group-IB and Côte d’Ivoire’s Direction de l’Information et des Traces Technologiques (DITT) have now announced the arrest of a suspected senior member of the group, dealing a significant blow to their criminal activities.

How it happened

The group’s illicit e-mail campaigns were first detected by Group-IB in 2018, when they recognized spear phishing operations responsible for spreading malware such as remote access tools.

Under the auspices of Operation Nervone, INTERPOL’s Cybercrime Directorate, Group-IB, and third-party stakeholder Orange, exchanged intelligence which helped track the group’s behaviours and to identify a probable location of their activities.

Additional information was provided by the US’ Secret Service’s Criminal Investigative Division and Booz Allen Hamilton DarkLabs cybersecurity researchers, confirming a number of leads.

In early June, authorities in Côte d’Ivoire were able to arrest a key suspect linked to attacks against financial institutions across Africa.

“Operation Nervone is a testament to what we can achieve through international collaboration and intelligence sharing. This successful operation marks a significant step in our ongoing mission to dismantle organized cybercrime networks, showcasing the power of collective action in stemming the tide against cybercrime,” said Bernardo Pillot, INTERPOL’s Assistant Director of Cybercrime Operations

According to the INTERPOL’s 2022 African Cyberthreat Assessment Report, cybercrime is a growing threat in the West Africa region, with victims located worldwide. Operation NERVONE underscores INTERPOL’s commitment to proactively combat the threat of cybercrime in the region.

Operation Nervone was backed by two key INTERPOL initiatives: the African Joint Operation against Cybercrime and the INTERPOL Support Programme for the African Union in relation to AFRIPOL, funded by the UK’s Foreign, Commonwealth and Development Office and Germany’s Federal Foreign Office, respectively.

In early November 2022, Group-IB, a global firm offering cybersecurity solutions with head offices in Singapore, issued a new report titled, “OPERA1ER. Playing God without permission,” in collaboration with the researchers from Orange CERT Coordination Center. The report takes a deep dive into financially motivated attacks of the prolific French-speaking threat actor, codenamed OPERA1ER. Despite relying solely on known “off-the-shelf” tools, the gang managed to carry out more than 30 successful attacks against banks, financial services, and telecommunication companies mainly located in Africa between 2018 and 2022.

OPERA1ER is confirmed to have stolen at least $11 million, according to Group-IB’s estimates. One of OPERA1ER’s attacks involved a vast network of 400 mule accounts for fraudulent money withdrawals. Researchers from the Group-IB European Threat Intelligence Unit identified and reached out to 16 affected organizations so they could mitigate the threat and prevent further attacks by OPERA1ER.

The Group-IB report was completed in 2021 while the threat actor remained active according to the release. OPERA1ER noticed Grou

p-IB’s increasing interest in his activity and reacted by deleting their accounts and changing some TTPs to cover their tracks. Group-IB decided to suspend publishing the report and wait until the threat actor resurfaced again, which happened in 2022. Therefore, the report contains the Indicators of Compromise (IOCs) relevant for the period of 2019-2021. The changes are small and don’t impact the overall findings. Through threat intelligence and resource sharing, Orange-CERT-CC and Group-IB were able to better understand the threat actor’s modus operandi. All findings have been compiled into the report so that the cybersecurity community could better track OPERA1ER’s activity and prevent their attacks in the future.

Digital forensics artifacts analyzed by Group-IB and Orange following more than 30 successful intrusions of OPERA1ER between 2018 and 2022 helped to trace down affected organizations in Ivory Coast, Mali, Burkina Faso, Benin, Cameroon, Bangladesh, Gabon, Niger, Nigeria, Paraguay, Senegal, Sierra Leone, Uganda, Togo, Argentina. Many of the victims identified were successfully attacked twice, and their infrastructure was then used to attack other organizations. According to Group-IB’s evaluation, between 2018 and 2022, OPERA1ER managed to steal at least $11 million, and the actual amount of damage could be as high as $30 million.


Be the first to comment

Leave a Reply

Your email address will not be published.


This site uses Akismet to reduce spam. Learn how your comment data is processed.