An evasive cybercrime syndicate behind major phishing and BEC attacks—described as a US$2bn cyber pandemic—has been busted.

Photo of the arrested suspect in Operation Delilah. Source: INTERPOL

The suspected leader of a transnational phishing/business-email-compromise syndicate has been arrested by the Nigeria Police Force at the Murtala Muhammed International Airport in Lagos—marking the culmination of a year-long international operation coordinated and facilitated by the INTERPOL cybercrime directorate.

Following two earlier sting operations in 2020 and 2021 where 11 suspected members of the syndicated were arrested, this third blitz of INTERPOL’s Operation Delilah had resulted in the arrest on 25 May of a 37-year-old Nigerian man believed to be the mastermind behind the cybercrime ring known as “SilverTerrier” or “TMT”.

Believed to have surfaced in 2014, the threat group had been to attributed to business email compromise (BEC) and phishing attacks on more than 500,000 firms in over 150 countries by 2020.

Sending a strong signal to cybercrime rings

According to Garba Baba Umar, Assistant Inspector General, Nigeria Police Force; Head of Nigeria’s INTERPOL National Central Bureau; and Vice President for Africa on INTERPOL’s Executive Committee: “The arrest of this alleged prominent cybercriminal in Nigeria is testament to the perseverance of our international coalition of law enforcement and INTERPOL’s private sector partners in combatting cybercrime. I hope the results of Operation Delilah will stand as a reminder to cybercriminals across the world that law enforcement will continue to pursue them, and that this arrest will bring comfort to victims of the suspect’s alleged campaigns.”

INTERPOL’s Assistant Director, Cybercrime Operations, Bernardo Pillot noted: “This case underlines both the global nature of cybercrime and the commitment required to deliver a successful arrest through a global to regional operational approach in combatting cybercrime. The persistence of national law enforcement agencies, private sector partners and the INTERPOL teams all contributed to this result, analyzing vast quantities of data, and providing technical and live operational support. Cybercrime is a threat that none of our 195 member countries faces alone.”

Support from three cybersecurity firms

Operation Delilah, was initiated by an intelligence referral from Group-IB, Palo Alto Networks’ Unit 42, and Trend Micro. The intelligence was then enriched by analysts within INTERPOL’s Cyber Fusion Centre. INTERPOL’s African Joint Operation against Cybercrime (AFJOC) then referred the intelligence to Nigeria and followed up with multiple case coordination meetings supported by law enforcement in Australia, Canada and the United States. 

Subsequently, investigators began to map out and track the alleged malicious online activities of the suspect with ad hoc support from a private sector firm CyberTOOLBELT.

According to Dmitry Volkov, CEO, Group-IB, one of the cybersecurity firms providing crucial threat intel, Delilah clearly demonstrates how effective cybersecurity can be when all parties are involved and motivated to protect people and companies: “Prompt threat intelligence sharing, private-public partnership, and effective multi-party coordination by INTERPOL’s Cybercrime Directorate were crucial to the success of the operation.”

According to a blog post by Unit 42, “this recent blitz was novel in its approach in that it did not target the easily identifiable money mules or flashy Instagram influencers typically seen benefiting from the BEC schemes. Instead, it focused predominantly on the technical backbone of BEC operations by targeting the actors who possess the skills and knowledge to build and deploy the malware and domain infrastructure used in these schemes.” Of the 11 individuals arrested earlier, six had successfully avoided prosecution for the past half-decade due to the complexities of mapping global victims beyond the flow of stolen funds back to the source of malicious network activity, the blog authors noted.