This article is more than 1 year old

French-speaking voleurs stole $30m in 15-country bank, telecoms cyber-heist spree

Smooth 'OPERA1ER' hit orgs around the world over four or more years

A French-speaking criminal group codenamed OPERA1ER has pulled off more than 30 cyber-heists against telecom organizations and banks across Africa, Asia, and Latin America, stealing upwards of $30 million over four years, according to security researchers.

The robberies start with targeted emails that trick staff at these businesses into running backdoor malware, keyloggers, and password stealers, according to Group-IB's threat intel team, working with French telecom company Orange's CERT Coordination Center. Crooks use the stolen credentials from these software nasties to gain admin-level credentials to Windows domain controllers on the network and banks' back-end applications such as their SWIFT messaging clients, which financial institutions use to send and receive details of transactions from one another. 

After the initial intrusion, the stealthy smooth operators use tools including Cobalt Strike and Metasploit to maintain persistence and stay on the network for three to 12 months, slyly moving people's money between accounts before eventually withdrawing funds from ATM, we're told. 

In one robbery, "a network of more than 400 mule subscriber accounts were used to quickly cash out stolen funds mostly done overnight via ATMs," the researchers wrote in a report this month. Upon further investigation, the analysts discovered the money mules had been recruited up to three months in advance, they added. "It was obvious that the attack was very sophisticated, organized, coordinated and planned over a long period of time."

The gang didn't deploy any bespoke malware, and instead used open source code along with tools they could find for free on the dark web.

"With the basic 'off-the-shelf' toolkit OPERA1ER is confirmed to have stolen at least $11 million since 2019," according to the report. "But the actual amount is believed to be higher than $30 million as some of the compromised companies did not confirm the fact of money loss."

Many of the victim companies were attacked twice, and the crooks used these businesses' infrastructure to attack other organizations. Additionally, criminals used VPNs to cover their tracks. 

While the oldest-known domain registered and used by the group for its underworld activities was created in 2016, the report tracks the criminals' activity from 2018 to 2022.

The banks, other financial institutions, and telecom companies hit over that time period span at least 15 countries: Ivory Coast, Mali, Burkina Faso, Benin, Cameroon, Bangladesh, Gabon, Niger, Nigeria, Paraguay, Senegal, Sierra Leone, Uganda, Togo and Argentina.

Other security researchers have tracked some of the gang's campaigns over the years, including Tom Ueltschi, who named the miscreants DESKTOP-Group. Group-IB also noted that SWIFT tracks the gang as Common Raven. ®

More about


Send us news

Other stories you might like