After a year-long investigation that involved Interpol and several cybersecurity companies, the Nigeria Police Force has arrested an individual believed to be in the top ranks of a prominent business email compromise (BEC) group known as SilverTerrier or TMT.
Codenamed Delilah, the law enforcement operation engaged police agencies across four continents and is the third one focused on identifying and arresting suspected members of the SilverTerrier gang.
Caught after 11 months
SilverTerrier activity dates back to at least 2015 and has expanded into a massive BEC and phishing operation, with many of its members originating from Nigeria.
Security researchers have been tracking the gang under different names, with Palo Alto Networks using SilverTerrier to refer to Nigerian BEC actors, and Group-IB using the TMT tag for its activity.
Both companies have collaborated with Interpol for Operation Delilah, along with cybersecurity company Trend Micro, providing threat intelligence, telemetry data, and other insights about BEC actors.
Interpol’s Operation Delilah started in May 2021 and resulted in the arrest at the Murtala Mohammed International Airport in Lagos of a 37-year-old Nigerian suspect, whom Group-IB believes to be the leader of the SilverTerrier/TMT syndicate.
This follows two other Interpol operations, Falcon I in 2020 and Falcon II in 2021, which together resulted in the arrest of 14 SilverTerrier members.
According to a report that Palo Alto Networks shared with BleepingComputer, the individual arrested in March escaped arrest during the Falcon II operation by fleeing Nigeria in June 2021 and was caught when trying to get back home.
Before leaving Nigeria, the arrested SilverTerrier suspect tried to sell his Autobiography Special Edition Range Rover for 5.8 million Naira (around $14,000) on social media.
Palo Alto Networks notes that the suspect shares connections with other BEC scammers (Onuegbu Ifeanyi Ephraim, Darlington Ndukwu, and Onukwubiri Ifeanyi Kingsley) who were arrested during Interpol’s Operation Falcon II.
For its BEC activity, the SilverTerrier group used various aliases to register more than 240 domain names, 50 of them serving as command and control servers for malware such as ISRStealer, Pony, and LokiBot.
Group-IB has been tracking TMT/SilverTerrier since 2019 and believes that by 2020 the gang targeted more than 500,000 companies in over 150 countries.
BEC fraud is the most profitable cybercriminal activity today, even more lucrative than ransomware, and has been so for the past several years, with victim-reported losses close to $2.4 billion in 2021.