More than $30 million may have been stolen by French-speaking cybercrime operation Opera1er, also known as NXSMS, Desktop-Group, and Common Raven, from cyberattacks against banks, financial services organizations, mobile banking services, and telecommunications companies between 2019 and 2021, SecurityWeek
Opera1er, which is believed to be active since 2016, has been confirmed to have stolen $11 million from its victims, most of which are African banks, although other entities across 15 African, Asian, and Latin American countries have also been impacted by the operation, according to a report from Group-IB.
After obtaining domain controller and back-office system access through spear-phishing, Opera1er will wait for three months to a year before proceeding with fund exfiltration, which involves the use of bank infrastructure to facilitate the transfer of stolen funds to mule accounts.
"In at least two banks, Opera1er got access to the SWIFT messaging interface. In one incident, the hackers obtained access to an SMS server which could be used to bypass anti-fraud or to cash out money via payment systems or mobile banking systems. In another incident, Opera1er used an antivirus update server which was deployed in the infrastructure as a pivoting point," said Group-IB.