Fraud Management & Cybercrime
Authorities Say French-Speaking Gang Stole $30M From Financial Firms in 15 Nations
International law enforcement agencies say they arrested the mastermind of a French-speaking cybercriminal syndicate dubbed Opera1er for carrying out more than 30 successful attacks against financial institutions, banks, mobile banking services and telecommunications companies.
The group is accused of stealing an estimated $30 million in a variety of scams including malware, phishing and business email compromise.
Interpol led the operation, called Nervone, with support from the African Joint Operation against Cybercrime, AFRIPOL, the Direction de L’information et des Traces Technologiques, Group-IB and the Orange CERT Coordination Center.
Group-IB first identified the Opera1er group in 2018 and noticed the group preferred to hit victims on weekends or during public holidays. Group-IB’s intelligence helped uncover the identity and potential location of the unnamed kingpin, detained in early June in Abidjan, Côte d’Ivoire, Mali.
Group-IB said the gang is also known as Desktop-Group and NXSMS, and in 2020 the Society for Worldwide Interbank Financial Telecommunication – aka SWIFT – dubbed it Common Raven.
Victims included financial services firms and telecommunications companies in Burkina Faso, Benin, Cameroon, Bangladesh, Gabon, Niger, Nigeria, Paraguay, Senegal, Sierra Leone, Uganda, Togo and Argentina, and the attacks occurred between March 2018 and October 2022.
The group used off-the-shelf, open-source programs, freely available malware and popular red-teaming frameworks, such as Metasploit and Cobalt Strike.
The group has employed attack chains that use spear-phishing baits, triggering a sequence of actions that ultimately culminate in the use of post-exploitation tools. “Most of the messages were written in French, and mimicked fake tax office notifications or hiring offers,” Group-IB said.