View all newsletters
Receive our newsletter - data, insights and analysis delivered to you
  1. Technology
  2. Cybersecurity
November 4, 2022updated 07 Jul 2023 10:50am

Cyber bank robbers Opera1or may have nabbed $30m in crime spree

A combination of low-skill tactics helped the group drain cash from banks in Africa and South America, new research says.

By Claudia Glover

A French cybercrime gang is believed to have stolen up to $30m from banks in countries across Africa and South America since it began operating in 2016. The hacking group, Opera1er, has drained accounts from financial institutions in at least 15 countries, new research has revealed.

French-speaking cybercriminals have hacked into institutions in Africa and South America. (Photo by Delpixel/Shutterstock)

The research from cybersecurity vendor Group IB reveals the hacking group has made a confirmed $11m since 2019. However, the researchers say in their report that the illicit funds may have topped $30m. 

French cybercriminals Opera1or target banks

The main victims are financial services, banks, mobile banking services and telecoms companies. Thirteen countries in Africa suffered attacks on their services, followed by two in South America and one in Bangladesh.

The attacks begin with spear-phishing emails, designed to mine data on their victims. The list of targets is created with precision, aimed at specific teams within the companies, Group IB says.

The strikes themselves do not use sophisticated tools or zero-day vulnerabilities. The hackers instead favour tools in open-source programmes and free remote access trojans (RATs) found on the dark web.

In at least two banks, Opera1or got access to the SWIFT banking system, which is used to make international money transfers. “In one incident, the hackers obtained access to an SMS server which could be used to bypass anti-fraud or to cash out money via payment systems or mobile banking systems,” states the report. 

How did Opera1or access the money?

Once the hackers gained access to a system, they mined the credentials of key operators with authority to approve the movement of digital money within that system.

Content from our partners
Rethinking cloud: challenging assumptions, learning lessons
DTX Manchester welcomes leading tech talent from across the region and beyond
The hidden complexities of deploying AI in your business

The gang targets accounts that contain large sums of money and use their inflated credentials to move said money into user accounts under their control. The money then gets sent to “mule”, or subscriber accounts that the gang also control, ultimately arriving somewhere where it can be withdrawn in cash from an ATM.

In order to implement this attack quickly, the gang would target the “operator accounts”, belonging to people working in positions of responsibility, specifically. This explains why the spear-phishing email campaigns were so painstakingly targeted, Group IB’s researchers explain. Mail subjects during phishing campaigns are created with knowledge of the jobs of the people they are targeting, including headings like, “notification from government tax office,” or, “hiring offers from the BCEAO”. BCEAO is the central bank of the West African states.

In one case, a network of more than 400 mule subscriber accounts was used to quickly cash out stolen funds via ATMs. The mules for the project were hired up to three months in advance. Some of the mule accounts are opened by the gang and their affiliates, while some appear to have been opened by members of the public but had been dormant for some time and then reactivated by the gang. 

Cybercrime and the financial industry

The financial sector is the fifth most likely to be attacked, according to new data on cybercrime released by EU cyber body the European Union Agency for Cybersecurity (ENISA).

During the reporting period, financial institutions were among the top organisations impersonated by phishers, explains the report. Phishing attacks are popular methods of cracking into banking services, followed by ransom denial of service (RDoS) and double and triple extortion tactics.

The Bank of England cited cyberattacks as the biggest risk to the UK financial system as part of research it released last month. Seventy-four per cent of respondents in a survey of banking executives from across the UK deemed that, in both the short and long term, the looming risk of a cyberattack is the most severe risk they faced, followed by inflation, or a geopolitical incident.

Read more: Banks must act quickly to tackle changing cyber threat

Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how Progressive Media Investments may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.