Police Arrest Suspected OPERA1ER Cybercrime Kingpin

Police have announced the arrest of an individual they believe to be a key figure in a prolific cybercrime group that has stolen at least $11m from banks and telcos over a four-year period.

Interpol said yesterday that it worked with the authorities in Côte d’Ivoire, alongside Afripol, Group-IB and the Orange CERT Coordination Center (Orange-CERT-CC) to make the arrest as part of Operation Nervone.

Additional information was apparently provided by the US Secret Service Criminal Investigative Division and Booz Allen Hamilton DarkLabs cybersecurity researchers.

The group in question, OPERA1ER (aka NX$M$, DESKTOP Group and Common Raven), may actually have stolen as much as $30m in dozens of attacks across 15 countries in Africa, Asia and Latin America, according to Interpol.

Read more on OPERA1ER: Threat Actor "OPERA1ER" Steals Millions from Banks and Telcos.

It was first discovered by Group-IB in 2018 after the threat intelligence firm spotted spear-phishing emails containing remote access Trojans (RATs) and other malware like password sniffers and dumpers.

As reported by Infosecurity last year, the initial access gained this way enabled the gang to harvest and study emails and internal documents from the victim organization for use in future phishing attacks.

This intelligence also enabled it to understand the complex digital payments platform used by the victim organizations, according to the Group-IB report published last year.

The threat actors used this knowledge, and credentials stolen from employees, to move funds through the organizations and ultimately into “subscriber” accounts under their control.

The group then cashed out the funds via ATMs – including one case where they did so via a network of over 400 subscriber accounts controlled by money mules recruited months in advance.

“Any attempt to investigate a sophisticated threat actor such as OPERA1ER, which stole millions from financial service companies and telecom providers across the world, requires a highly coordinated effort between public and private sector bodies,” argued Group-IB CEO, Dmitry Volkov.

“The success of Operation Nervone exemplifies the importance of threat data exchange, and thanks to our collaboration with INTERPOL, Orange-CERT-CC and private and public sector partners, we were collectively able to piece together the whole puzzle.”
