INTERPOL Nabs Top Member of OPERA1ER Cybercrime Syndicate

A senior member of a notorious, “highly organized” criminal organization, believed to have played a major role in stealing some $30 million in more than 30 cyberattacks, has been arrested in an international, joint operation.

The cyberattackers are known as OPERA1ER, with aliases such as NX$M$, DESKTOP Group and Common Raven, and are thought to have heisted at least $11 million and up to $30 million in dozens of attacks across 15 countries in Africa, Asia and Latin America.

Operation Nervone Deals Significant Blow

The apprehended, unnamed suspect was nabbed in an “extensive cooperation” action dubbed Operation Nervone, led by INTERPOL, AFRIPOL, Group-IB and Côte d’Ivoire’s Direction de l'Information et des Traces Technologiques (DITT). The arrest has dealt a significant blow to the syndicate’s activities, law enforcement officials said.

Additional information was provided by the United States Secret Service’s Criminal Investigative Division and Booz Allen Hamilton DarkLabs cybersecurity researchers, confirming a number of leads.

Group-IB’s Threat Intelligence and High-Tech Crime Investigations units, which have tracked OPERA1ER since 2019, provided timely intelligence that uncovered the identity and potential location of the key member of the cybercriminal group. The individual was subsequently detained in Abidjan, Côte d’Ivoire, the Singapore-based organization said.

OPERA1ER’s Methods Examined

The OPERA1ER crew is said to have targeted financial institutions and mobile banking services with malware, phishing campaigns and large-scale business email compromise (BEC) scams using off-the-shelf tools.

A detailed overview of OPERA1ER’s methods was published by Group-IB and Orange S.A. in November 2022.

"Most of the messages were written in French, and mimicked fake tax office notifications or hiring offers," Group-IB said. "OPERA1ER was able to get access to internal payment systems used by the affected organizations, and leveraged this to withdraw funds."

In a statement provided to Dark Reading, Dmitry Volkov, chief executive at Group-IB, said:

"We have been tracking OPERA1ER since 2019. The success of Operation Nervone exemplifies the importance of threat data exchange, and thanks to our collaboration with Interpol, Orange-CERT-CC, and private and public sector partners, we were collectively able to piece together the whole puzzle."

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.