A joint international effort between law enforcement and security research teams has led to the arrest of a suspected senior member of OPERA1ER, a highly organized cybercriminal group that has stolen at least $11 million in more than 30 attacks worldwide.
Since at least 2018, OPERA1ER has targeted financial institutions, banks, mobile banking services and telecom companies with attacks that involve malware, phishing and business email compromise (BEC) scams. The attackers targeted organizations in 15 countries across Africa, Asia and Latin America. The effort led by the International Criminal Police Organization (Interpol), called Operation Nervone, resulted in the key OPERA1ER member (who is not currently being identified by Interpol) being detained in Abidjan, Côte d’Ivoire in early June.
“Operation Nervone is a testament to what we can achieve through international collaboration and intelligence sharing,” said Bernardo Pillot, the Interpol assistant director of Cybercrime Operations, in a Wednesday release. “This operation marks a significant step in our ongoing mission to dismantle organized cybercrime networks, showcasing the power of collective action in stemming the tide against cybercrime.”
Group-IB, which has been tracking the group since 2019, published a report last year showing how the group was able to withdraw funds from victim organizations by accessing their internal payment systems.
Researchers observed that the group is highly organized and would prepare attacks for up to one year, assessing targeted organizations’ internal networks in order to target high value accounts and learning how digital banking systems were designed so that they could circumvent system controls built into platforms to prevent fraud and other abuses. In one case, the group used a network of at least 400 subscriber accounts that were controlled by money mules in order to cash out their stolen funds.
“This is a great step in the right direction as we gain more resources to disrupt the inner workings of BEC.”
“OPERA1ER was notable for leveraging off-the-shelf open-source programs and malware freely available on the dark web, and popular red teaming frameworks, such as Metasploit and Cobalt Strike,” according to Group-IB in a Wednesday post. “They launched their attacks by sending high-quality phishing emails that targeted a specific team within an organization. Most of the messages were written in French, and mimicked fake tax office notifications or hiring offers.”
Law enforcement leaders have stressed that international cooperation is key to taking down cybercriminal groups. This was the case with Operation Nervone, which involved extensive coordination between Interpol, the African Union’s Afripol technical institution that fights against cybercrime and Côte d’Ivoire’s Direction de l'Information et des Traces Technologiques (DITT). Information was provided by Group-IB and the Orange CERT Coordination Center (which worked with Group-IB during its initial investigation into the group); and the United States Secret Service’s Criminal Investigative Division and Booz Allen Hamilton DarkLabs cybersecurity researchers also contributed additional information that confirmed a number of leads, according to Interpol.
These types of partnerships between different international law enforcement agencies, as well as security research teams, have expedited previous investigations into and arrests of cybercriminals. Last year, Interpol, in coordination with the Nigerian police force and several private-sector partners, arrested a suspect in Nigeria behind a cybercrime syndicate called TMT that is responsible for widespread phishing campaigns and BEC attacks. Interpol and various partners have also led other efforts to crack down on TMT - Operation Falcon, carried out in 2020, and Operation Falcon II, launched at the end of 2021 - that have collectively resulted in the arrest of 14 alleged group members.
Interpol touted these arrests as having a disruption on cybercriminal organizations’ activities, however the crackdown activity also shows that law enforcement agencies and security researchers are getting better at understanding how these threat groups operate.
“As we collectively gain more insights into how BEC truly works, we are starting to understand the increased sophistication of scammers all across the world,” said Ronnie Tokazowski, principal threat advisor with Cofense. “This is a great step in the right direction as we gain more resources to disrupt the inner workings of BEC.”