Interpol, in coordination with the Nigerian Police Force and several private-sector partners, has arrested a 37-year-old unnamed man in Nigeria suspected of leading a cybercrime syndicate that is responsible for widespread phishing campaigns and business email compromise (BEC) attacks.
The year-long investigation, codenamed Operation Delilah, reflects the breadth of resources and intelligence needed in order to track down cybercriminals at an international scale. The operation, which spanned four continents and included support by Group-IB, Palo Alto Networks and Trend Micro, is part of a larger effort to identify and arrest members of the prolific TMT phishing and BEC syndicate, which has targeted thousands of companies and individual victims over the years.
“This case underlines both the global nature of cybercrime and the commitment required to deliver a successful arrest through a global to regional operational approach in combating cybercrime,” said Bernardo Pilot, Interpol’s assistant director for cybercrime operations, in a Wednesday statement. “The persistence of national law enforcement agencies, private sector partners and the Interpol teams all contributed to this result, analyzing vast quantities of data, and providing technical and live operational support.”
The operation began in 2021 after private-sector partners shared intelligence about TMT with Interpol. Interpol analysts then shared that intelligence with Nigerian law enforcement and followed up with multiple case coordination meetings that were supported by law enforcement in Australia, Canada and the U.S.
“Investigators began to map out and track the alleged malicious online activities of the suspect, thanks to ad hoc support from private sector firm CyberTOOLBELT, as well as tracking his physical movements as he traveled from one country to another,” according to Interpol. “Nigerian law enforcement successfully apprehended the suspect at Murtala Muhammed International Airport in Lagos.”
The TMT group (also known as SilverTerrier) is divided into a number of subgroups, and law enforcement efforts to track down individuals connected to those subgroups have persisted for years. Previously, Interpol has led two efforts to crack down on TMT: Operation Falcon, carried out in 2020, and Operation Falcon II, launched at the end of 2021, which have collectively resulted in the arrest of 14 alleged group members, including a suspect in Nigeria who was in possession of over 800,000 potential victim domain credentials.
TMT has operated since at least 2017, with the group developing phishing links, domains and mass mailing campaigns in which they impersonated representatives of organizations in order to deploy malware, spyware and remote access trojans, including AgentTesla, Loki, Remcos and Nanocore. According to Interpol, the attackers infiltrated and monitored victims’ systems in order to launch further scams and siphon funds.
The group has also launched BEC scams, an extremely prevalent - and difficult to detect - type of attack that continues to cost businesses millions of dollars, with the recently released Internet Crime Complaint Center (IC3) report showing that BEC (and email account compromise) victims reported nearly $2.4 billion in losses in 2021. Through these methods, the group was thought to have compromised more than 500,000 companies in over 150 countries, according to Group-IB, which has tracked TMT since 2019.
Palo Alto Networks’ Unit 42 team said that this recent operation is “significant in that it demonstrates the resolve of global law enforcement to hold BEC actors accountable despite temporary setbacks.”
“Specifically, in this case, the SilverTerrier actor fled Nigeria in 2021 when authorities initially attempted to apprehend him. Months later, in March 2022, he attempted to return home and was quickly identified and detained as he attempted to re-enter Nigeria,” according to Unit 42 researchers. “This level of international cooperation, tracking of actors as they travel internationally and subsequent apprehension of actors upon returning to their home countries represents a laudable advancement in the ability of global law enforcement organizations to combat these types of crimes.”