Nigerian police arrest members of SilverTerrier BEC gang

Interpol said today that Nigerian authorities have detained 11 internet scammers, including members of the SilverTerrier cybercrime group.

Authorities said the suspects engaged in business email compromise (BEC), a type of internet crime where hackers use phishing emails or email account hacks to trick companies or government entities into making payments to the wrong bank accounts.

The arrests took place last year, between December 13 and December 22, as part of Operation Falcon II.

Interpol said that following a forensic analysis of the data extracted from phones and computers seized during house searches, they said the 11 suspects were linked to attacks on more than 50,000 targets.

"One of the arrested suspects was in possession of more than 800,000 potential victim domain credentials on his laptop," Interpol officials said today.

Another suspect had breached accounts and was monitoring conversations inside 16 companies and their customers and was seen diverting funds to accounts linked to SilverTerrier, a well-known cybercrime group engaged in BEC scams.

In addition, officials said that a third suspect was also linked to BEC attacks across a wide range of West African countries, including Gambia, Ghana, and Nigeria, something that is quite rare, as BEC gangs typically targeted western companies.

Interpol also thanked cybersecurity firms Group-IB and Palo Alto Networks, who helped identify the hackers during the investigation. While Nigerian officials did not share the name of the 11 suspects, Palo Alto Network shared more details in a blog post, naming some of the suspects as:

• Darlington Ndukwu - an individual who provided support for other groups, being linked to more than 1,300 domain registrations, 285 of which were used by the SilverTerrier gang. This actor is also known to have targeted a security researcher by using their name and organization to register a fraudulent domain.
• Onuegwu Ifeanyi Ephraim - an individual active for more than seven years, who provided support for other groups, being linked to 144 malicious domain registrations.
• Oyebade Fisayo - an individual active for more than seven years, who provided support for other groups, being linked to more than 250 domain registrations. In addition to supporting BEC schemes directly, this actor has historically offered free advice to his Facebook friends on how to use remote access trojans.
• Kevin Anyanwu - active since 2015.
• Onukwubiri Ifeanyi Kingsley - an individual who's linked to more than 20 malicious domain registrations. Researchers also tied him to another 370 malicious domains, based on registration data for homes on the same street. He also used the Pony and LokiBot malware.
• Kennedy Ikechukwu Afurobi - this actor is associated with 97 domains and the Pony, AZORult, and PredatorPain malware.

Follow-up to Operation Falcon (2020)

Operation Falcon II is a follow-up for Operation Falcon, which took place in November 2020 and resulted in the arrest of three suspects who were members of the TMT cybercrime gang.

In addition, Interpol also worked with the same Nigerian authorities to arrest another 18 suspects in March 2021, who were also believed to have participated in a wide range of BEC attacks.

According to the FBI's 2020 cybercrime report, BEC scam attacks ranked as the top source of financial losses in internet-related crime for the third year in a row, with nearly $1.9 billion lost in 2020 alone.

According to a report published by cyber-security firm Agari in October 2020, around 50% of all BEC scam groups are believed to reside in Nigeria.

The Interpol arrests last year are part of a recent crackdown from Nigerian authorities against the local BEC scene, which also included several other arrests, such as:

• The arrest of 167 suspects in Nigeria in September 2019 as part of Operation reWired.
• The arrest of two brothers in November 2019.
• The arrest in June 2020 of a famous social media influencer named Hushpuppi who made his fortune through BEC scams.
• The arrest of six other fraudsters in the same month.
• The arrest of 16, then 13, and then another 30 suspects in January 2021.
• The arrest of ten suspects in early March 2021.