Case Background

While cybercrime shapeshifts with new attack techniques, technologies, and automation, phishing and business email compromise (BEC) remain preferred tactics for cybercriminals to perpetrate attacks. Crafting convincing interactions with unsuspecting users continues to be a simple yet powerful approach. Today’s social engineering tactics make these threats especially dangerous, particularly when they are meticulously planned, well-researched, and executed by organized groups of cybercriminals.

Operation Delilah was a crucial initiative aimed at unmasking and apprehending the leader of a prolific phishing ring, TMT or SilverTerrier, that affected thousands of companies and individuals across continents. Group-IB has been tracking TMT since 2017. The suspected syndicate members were divided into groups and subgroups executing phishing schemes. By 2020, TMT was believed to have compromised more than 500,000 companies in over 150 countries. According to INTERPOL, one suspect arrested during Falcon II in Nigeria was found with more than 800,000 potential victim domain credentials on his laptop.

It took three coordinated operations by law enforcement agencies from different regions to bring the TMT syndicate to justice. Despite the arrests made during Falcon I and Falcon II, which detained several members, the leader continued to evade capture and commit fraud. Subsequently, Operation Delilah was launched to dismantle TMT and finally end its criminal activities.

Operation Falcon I apprehended three alleged TMT members, and Falcon II captured thirteen more. Finally, Operation Delilah seized the alleged leader, who had orchestrated these mass phishing campaigns and BEC schemes. These operations demonstrate the effectiveness of global law enforcement collaboration in tackling sophisticated cybercrime networks.

Behind the scenes

Operation Delilah was the third in a series of law-enforcement actions to identify and arrest the suspected leader of the phishing and BEC syndicate. The INTERPOL-led operations Falcon I and Falcon II, carried out in 2020 and 2021 with the support of Group-IB’s Cyber Investigations Team, preceded Delilah. The two previous operations resulted in the arrest of 14 alleged syndicate members.

Impact

TMT’s wide-ranging phishing and business email compromise (BEC) schemes affected businesses and individual victims across continents, making it critical to curtail them immediately. Group-IB’s involvement in countering BEC and phishing operations in support of international law enforcement agencies led to a significant downturn in, and the dismantling of, a transnational phishing syndicate.

This operation began with an intelligence referral from Group-IB and other vendors, gradually uniting security forces across regions to map out the detailed movements of the threat actor—both digitally and physically. This collaboration resulted in the actors’ apprehension, effectively stopping crime at its source in their home country.

This success was made possible through seamless and real-time international cooperation and coordination between public and private cybersecurity units, combining combative intelligence with authority to ensure that no cybercrime or criminal prevails.

Image source: Interpol

Storyline

A massive cross-border effort to combat cybercrime involved law enforcement and global cybersecurity experts, including Group-IB, targeting a notorious BEC gang. This multi-year initiative began in May 2019 when Group-IB started tracking the gang, which had already targeted over 50,000 government and private sector businesses. Group-IB uncovered that the gang used popular malware strains disguised as purchase orders, product inquiries, and even COVID-19 aid, impersonating legitimate companies.

Unveiling the Prolific Cybercriminal Gang: Operation Falcon

While Nigeria was a hotspot for BEC activity, similar scams originated from other countries. Operation Falcon revealed crucial details about the Nigeria-based BEC gang, including their cyber arsenal, tactics, anti-detection methods, and communication techniques. Their attacks affected organizations worldwide, including the US, UK, Singapore, Japan, and Nigeria. Group-IB’s investigation, which involved reverse engineering malware samples and analyzing seized devices, led to the arrest of several gang members. The gang relied on publicly available spyware and remote access Trojans (RATs) like AgentTesla, Loki, AzoRult, Pony, and NetWire. To evade detection, they used public crypters. The malware communicated with the gang’s command and control servers over SMTP, FTP, and HTTP, with the aim of stealing authentication data from browsers, email clients, and FTP clients.

BEC Fraud – The Terror Continues: Falcon II

Operation Falcon II was a collaborative effort led by INTERPOL’s Global Financial Crime Task Force, Nigerian law enforcement, various INTERPOL expert teams, and private partners. This 10-day operation resulted in the arrest of 11 alleged members of the TMT gang, also known as SilverTerrier. Group-IB’s crucial threat intelligence, which was shared with INTERPOL’s Cybercrime Directorate, helped identify additional suspects.

Taking Down the BEC Gang Leader: Operation Delilah

A year-long operation, initiated in May 2021, concluded through the coordinated effort and intelligence gathering of cybersecurity providers. Operation Delilah was launched based on intelligence from Group-IB, Palo Alto Networks Unit 42, and Trend Micro. Analysts at INTERPOL’s Cyber Fusion Centre further enriched this intelligence to understand the syndicate’s global impact. INTERPOL’s African Joint Operation against Cybercrime (AFJOC) then shared this intelligence with Nigerian law enforcement and coordinated with agencies in Australia, Canada, and the United States through multiple case coordination meetings. This international collaboration was vital in dismantling the cybercrime syndicate and capturing its leader.

And justice for all…

Making significant strides in the operation, investigators tracked the suspect’s online and physical movements with the assistance of private sector firm CyberTOOLBELT. Nigerian law enforcement arrested the 37-year-old suspect at Murtala Muhammed International Airport in Lagos. This arrest concluded a year-long international effort led by INTERPOL’s cybercrime division, with support from Group-IB, Palo Alto Networks, and Trend Micro. It highlights the effectiveness of global cooperation in combating cybercrime.

Effective threat intelligence sharing by private vendors, private-public partnerships, and coordinated efforts by INTERPOL’s Cybercrime Directorate were key to this operation’s success. Group-IB remains committed to reducing cybercrime’s impact, and our long-standing ultimate mission is to fight against these threats and safeguard global citizens and customers.

The arrest of this alleged prominent cybercriminal in Nigeria is testament to the perseverance of our international coalition of law enforcement and INTERPOL’s private sector partners in combating cybercrime. I hope the results of Operation Delilah will stand as a reminder to cybercriminals across the world that law enforcement will continue to pursue them, and that this arrest will bring comfort to victims of the suspect’s alleged campaigns.
Garba Baba Umar
Assistant Inspector General of the Nigeria Police Force, Head of Nigeria’s INTERPOL National Central Bureau and Vice President for Africa on INTERPOL’s Executive Committee

The Delilah operation clearly demonstrates how effective cybersecurity can be when all parties are involved and motivated to protect people and companies. We are proud to have leveraged our expertise in order to support another great effort aimed at disrupting cybercrime. Prompt threat intelligence sharing, private-public partnership, and effective multi-party coordination by INTERPOL’s Cybercrime Directorate were crucial to the success of the operation. We’ll continue our work to minimize the impact of cybercrime in line with Group-IB’s mission of fighting cybercrime and protecting our customers all around the world.
Dmitry Volkov
CEO, Group-IB

Conclusion

The series of arrests since late 2020 shows how international law enforcement, cybersecurity experts, and other partners are increasingly working together to tackle major Business Email Compromise (BEC) crimes.

However, BEC remains a significant issue for organizations worldwide. The threat constantly evolves, becoming one of the most common and disruptive forms of cybercrime. This ongoing challenge reminds us of the importance of staying vigilant and continuously improving our defenses against these evolving threats. To combat BEC and other pervasive threats, Group-IB’s advanced cybersecurity solutions and extensive expertise can help proactively protect your business, employees, and stakeholders, ensuring you’re not a victim of these increasingly evasive schemes. Contact us to learn more.