An Interpol-helmed operation led to the arrest of three suspected cybercriminal gang members in Nigeria whose outfit has allegedly targeted victims in more than 150 countries, including schemes that involved offering COVID-19 aid.
The sting, announced Wednesday, was part of Operation Falcon, a year-long investigation that teamed with cybersecurity company Group-IB and the Nigeria Police Force.
“This group was running a well-established criminal business model,” said Craig Jones, Interpol’s cybercrime director. “From infiltration to cashing in, they used a multitude of tools and techniques to generate maximum profits.”
The gang, dubbed TMT, is divided into numerous subgroups, according to Vesta Matveeva, head of Group-IB’s APAC Cyber Investigations Team. The three suspects arrested in Lagos tallied 50,000 victims in government and industry, the company said. Matveeva said via email that TMT overall might have compromised more than 500,000 victims since 2017.
TMT’s speciality is business email compromise (BEC), where the attackers pose as someone known to an organization, most often to request authentic-looking money transfers. The FBI’s Internet Crime Complaint Center recorded $1.7 billion in losses from BEC scams last year alone, a figure that’s based only on complaints received.
The gang deploys mass phishing campaigns and relies on a range of publicly-available spyware and remote access trojans, among them AgentTesla, Loki, AzoRult, Pony, NetWire, Spartan and NanoCore, according to Group-IB and Interpol.
It sends purchasing orders and product inquiries, and has impersonated legitimate companies offering COVID-19 aid, Group-IB said. It counts victims in the U.S., U.K., Singapore, Japan and Nigeria, according to Group-IB data.
“While the monetization methods of this gang are still being investigated, it’s not uncommon for cybercriminals to sell account access as well as sensitive data extracted form emails could to the highest bidder in the underground markets,” Group-IB said.
Trend Micro, in fact, has identified TMT as a group that sells stolen credentials.
The operation only identified the arrested suspects by their initials, O.C., I.O. and O.I.
The Interpol-led investigation into TMT is ongoing.