Group-IB, one of the global leaders in cybersecurity, has assisted in the INTERPOL-coordinated investigation aimed at disrupting a transnational phishing syndicate, dubbed TMT by Group-IB (aka SilverTerrier). As part of Operation Delilah, which spanned four continents, Group-IB provided threat intelligence that led to the identification of the alleged head of a cybercrime syndicate that launched mass phishing campaigns and business email compromise (BEC) schemes targeting thousands of companies and individual victims. The arrest of a 37-year-old Nigerian man by the Nigeria Police Force marked the culmination of the year-long international operation coordinated and facilitated by INTERPOL’s cybercrime directorate and supported by Group-IB, Palo Alto Networks, and Trend Micro.
Who are TMT?
Delilah is the third in a series of law-enforcement actions aimed at identifying and arresting suspected members of TMT (aka SilverTerrier), a prolific BEC and phishing syndicate. Delilah was preceded by the INTERPOL-led operations Falcon I and Falcon II, carried out in 2020 and 2021 with the support of Group-IB’s Cyber Investigations Team. The two previous operations resulted in the arrest of 14 alleged members of the syndicate.
Group-IB has been tracking TMT since 2019. By 2020, TMT was thought to have compromised more than 500,000 companies in more than 150 countries. According to INTERPOL, one of the suspects arrested during Falcon II in Nigeria was in possession of more than 800,000 potential victim domain credentials on his laptop.
Tracking the suspect’s movements, online and offline
In May 2021, the police operation, codenamed Delilah, was initiated by an intelligence referral from Group-IB, Palo Alto Networks — Unit 42, and Trend Micro. The intelligence was then enriched by analysts within INTERPOL’s Cyber Fusion Centre. INTERPOL’s African Joint Operation against Cybercrime (AFJOC) then referred the intelligence to Nigeria and followed up with multiple case coordination meetings supported by law enforcement in Australia, Canada and the United States.
Investigators began to map out and track the alleged malicious online activities of the suspect, thanks to ad hoc support from private sector firm CyberTOOLBELT, as well as tracking his physical movements as he travelled from one country to another. Nigerian law enforcement successfully apprehended the suspect at Murtala Muhammed International Airport in Lagos.
Photo of the suspect. Source: INTERPOL
Garba Baba Umar
Assistant Inspector General of the Nigeria Police Force, Head of Nigeria’s INTERPOL National Central Bureau and Vice President for Africa on INTERPOL’s Executive Committee