Interpool arrests 3 Nigerian BEC cybercriminals (June 2, 2022).

Paragraph[German]Three Nigerians suspected as masterminds of global online fraud have now been arrested by Nigerian police in INTERPOL's Operation Killer Bee. The operation is an INTERPOL effort to combat malware cyber fraud across Southeast Asia. The BEC fraudsters used the remote access Trojan (RAT) Agent Tesla, among other malware. The air for cybercriminals is getting considerably thinner in African countries like Nigeria.


I became aware of INTERPOL's announcement via the following tweet, as well as this article from Trend Micro. INTERPOL together with the Nigerian police succeeded in arresting leading heads of a BEC gang (Business Email Compromise).

Online scamming fraud: three Nigerians arrested in INTERPOL Operation Killer Bee

The Economic and Financial Crimes Commission (EFCC) arrested the suspects in a sting operation conducted simultaneously in the Lagos suburb of Ajegunle and in Benin City, 300 km east of the commercial capital.

The Nigerian sting operation is part of a global operation code-named "Killer Bee" involving the INTERPOL General Secretariat, National Central Bureaus (NCBs) and law enforcement agencies in 11 countries in Southeast Asia. 

Agent Tesla RAT used

The arrests followed the release of an INTERPOL cyber report linking a suspected syndicate of Nigerian fraudsters operating from the west coast of Africa to the use of a malicious remote access Trojan (RAT) called Agent Tesla.


The men allegedly used the RAT to redirect financial transactions and steal confidential online connection data from companies, including oil and gas companies in Southeast Asia, the Middle East and North Africa. To this end, Trend Micro writes in this article, in early 2020 companies in the oil and gas industry were attacked by malicious actors using the Agent Tesla malware. This happened just before an agreement by the Organization of the Petroleum Exporting Countries (OPEC) to cut oil production in Russia and Saudi Arabia due to the Covid 19 pandemic.

By analyzing a sample used in this attack (detected as TrojanSpy.MSIL.NEGASTEAL.THCAFBB with SHA-256 hash 0f67d58cb68cf3c5f95308f2542df6ff2e9444dc3efe9dd99dc24ab0f48a4756), Trend Micro security specialists were able to reveal the malicious actors behind the malware and its modus operandi, which was to masquerade as a major oil company in Egypt.

The analyzed malware can steal information and credentials in applications and protocols such as browsers, email clients, File Transfer Protocol (FTP) and Wi-Fi, to name a few. It can also log keystrokes and take screenshots. The actors who deployed Agent Tesla used the Yandex email service as a drop location.

Agent Tesla victims in countries
Agent Tesla victims in countries, Source: Trend Micro

Based on the telemetry data, the security researchers were able to determine that this RAT mainly attacked victims in countries in the Middle East and Southeast Asia. This makes perfect sense, as most oil-producing organizations, factories and companies are from these regions. The figure above shows the distribution of Remote Access Trojan (RAT) email detections across individual countries. Recipients received the crafted email ostensibly from a major oil company (source: Ministry of Petroleum in Egypt), but the senders were those behind the criminal gang.

After months of investigation, Trend Micro security researchers were able to identify the malicious actors behind the campaigns and submit them to Interpol and the Nigerian Economic and Financial Crimes Commission (EFCC). In addition, the specialists were able to elucidate the impact of the malware in terms of infections and financial losses. Finally, the modus operandi of the malicious actors could also be elucidated. Originating from Nigeria, these malicious actors are known for using malware such as LokiBot and Agent Tesla.

First (mild) verdict

One of the fraudsters, Hendrix Omorume, was charged and convicted of three counts of aggravated financial fraud and now faces a 12-month prison sentence. The other two men are still awaiting trial, according to the INTERPOL report. INTERPOL and other law enforcement agencies have recently been stepping up their crackdown on cybercriminals operating in Africa (see links at end of article).

"Through its global police network and constant monitoring of cyberspace, INTERPOL had the necessary global intelligence to warn Nigeria of a serious security threat where millions could have been lost without swift police action," said INTERPOL Director of Cybercrime Craig Jones.

"Further arrests and prosecutions are planned around the world as information continues to come in and investigations progress," Mr. Jones added.

INTERPOL helped investigate the laptops and cell phones seized by the EFCC during the arrests and helped confirm the systematic use of the "Agent Tesla" malware to access business computers and divert money transactions to their own accounts.

Similar article:
Interpol arrests Nigerian head of BEC fraud gang
Operation Falcon II: Interpol and Nigerian police arrest 11 cybercriminals

Cookies helps to fund this blog: Cookie settings

This entry was posted in Security and tagged . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *