Suspected bank-infecting OPERA1ER crime boss cuffed

International cops have arrested a suspected "key figure" of a cybercrime group dubbed OPERA1ER that has stolen as much as $30 million from more than 30 banks and financial orgs across 15 countries.

The criminals have been active for at least four years, according to law enforcement and security researchers. During that time, they've targeted financial firms and mobile banking services with malware, phishing campaigns, and large-scale business email compromise (BEC) scams. 

BEC continues to be billion-dollar business for cybercrooks — and a top priority for law enforcement. In 2022 alone, the FBI said it received 21,832 BEC complaints with adjusted losses over $2.7 billion [PDF].

According to Interpol, which led the international task force in Operation Nervone to take down the gang's ringleader, OPERA1ER has stolen at least $11 million — but possibly as much as $30 million — from organizations across Africa, Asia, and Latin America.

"Operation Nervone is a testament to what we can achieve through international collaboration and intelligence sharing," said Bernardo Pillot, Interpol’s Assistant Director of Cybercrime Operations.

"This successful operation marks a significant step in our ongoing mission to dismantle organized cybercrime networks, showcasing the power of collective action in stemming the tide against cybercrime."

Security shop Group-IB first spotted the criminals' illicit email activity in 2018, and published research about the French-speaking gang last fall.

According to its threat intel team, the robberies start with targeted emails that trick staff at these businesses into running backdoor malware, keyloggers, and password stealers.

Crooks then use the stolen credentials from these software nasties to gain admin-level credentials for Windows domain controllers on the network and banks' back-end applications, such as their SWIFT messaging clients, which financial institutions use to send and receive details of transactions from one another.  

• French-speaking voleurs stole $30m in 15-country bank, telecoms cyber-heist spree
• US extradites Nigerian charged over $6m email fraud scam
• Suspected phishing email crime boss cuffed in Nigeria
• Network security guy in extradition tug of war between US and Russia

After the initial break-in, the stealthy smooth operators use tools including Cobalt Strike and Metasploit to maintain persistence and stay on the network for three to 12 months, slyly moving people's money between accounts before eventually withdrawing funds from ATMs using hired help.

In one heist, "a network of more than 400 mule subscriber accounts were used to quickly cash out stolen funds mostly done overnight via ATMs," the researchers said in a November 2022 report.

Group-IB has also worked with Interpol on another counter-BEC initiative code named Operation Delilah.

So it was also with Operation Nervone. Interpol's Cybercrime Directorate, Group-IB, and French telecom company Orange exchanged intel to track the criminals and pinpoint likely locations for their illegal transactions. Then, in early June, law enforcement in Côte d'Ivoire arrested a key suspect linked to attacks against financial institutions across Africa, it was announced on Tuesday.

The US Secret Service's Criminal Investigative Division and Booz Allen Hamilton DarkLabs cybersecurity researchers provided additional intelligence that led to the arrest. 

Additionally, two Interpol initiatives backed Operation Nervone: the African Joint Operation against Cybercrime and the Interpol Support Programme for the African Union in relation to Afripol. ®