A French-speaking cybercrime group may have stolen more than $30 million from banks and other types of organizations in the past years, according to a new report published by cybersecurity firm Group-IB.
The threat actor is tracked by Group-IB as Opera1er. Some of its activities were previously investigated by others, who have named it Common Raven, Desktop-Group, and NXSMS.
The cybersecurity company is aware of 30 successful attacks conducted between 2019 and 2021 — in many cases the same victim was attacked multiple times. Most of the attacks targeted African banks, but the list of victims also includes financial services, mobile banking services, and telecoms firms. Victims were spotted across 15 countries in Africa, Latin America and Asia.
Group-IB has confirmed the theft of $11 million from victims since 2019, but believes the cybercriminals could have made more than $30 million.
Opera1er attacks typically start with a spear-phishing email sent to a limited number of people within the targeted organization. The goal is to obtain access to domain controllers and banking back-office systems.
Once they gained access to an organization’s systems, the hackers waited for 3-12 months before actually stealing money. In the final phase of the operation, the cybercriminals used the banking infrastructure to transfer money from the bank’s customers to mule accounts, from where they would be withdrawn at ATMs by money mules, typically over weekends and public holidays.
“In at least two banks, Opera1er got access to the SWIFT messaging interface,” Group-IB explained. “In one incident, the hackers obtained access to an SMS server which could be used to bypass anti-fraud or to cash out money via payment systems or mobile banking systems. In another incident, Opera1er used an antivirus update server which was deployed in the infrastructure as a pivoting point.”
Opera1er does not appear to rely on any zero-day vulnerabilities or custom malware. They have been leveraging old software flaws and widely available malware and tools.
Group-IB’s analysis found that most of the attackers’ emails were written in French — the company’s researchers determined that their English and Russian is “quite poor”.
Based on the oldest domain registered by the group, Opera1er has been active since at least 2016.
Related: Millions Stolen From Russian, Indian Banks in SWIFT Attacks
Related: U.S Banks Required to Report Cyberattacks to Regulators Within 36 Hours
Related: France Breaks Up International ATM ‘Jackpotting’ Network

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- Intel Boasts Attack Surface Reduction With New 13th Gen Core vPro Platform
- Dole Says Employee Information Compromised in Ransomware Attack
- High-Severity Vulnerabilities Found in WellinTech Industrial Data Historian
- CISA Expands Cybersecurity Committee, Updates Baseline Security Goals
- Exploitation of 55 Zero-Day Vulnerabilities Came to Light in 2022: Mandiant
- Organizations Notified of Remotely Exploitable Vulnerabilities in Aveva HMI, SCADA Products
- Waterfall Security, TXOne Networks Launch New OT Security Appliances
- Hitachi Energy Blames Data Breach on Zero-Day as Ransomware Gang Threatens Firm
Latest News
- Intel Co-founder, Philanthropist Gordon Moore Dies at 94
- Google Leads $16 Million Investment in Dope.security
- US Charges 20-Year-Old Head of Hacker Site BreachForums
- Tesla Hacked Twice at Pwn2Own Exploit Contest
- CISA Ships ‘Untitled Goose Tool’ to Hunt for Microsoft Azure Cloud Infections
- Critical WooCommerce Payments Vulnerability Leads to Site Takeover
- PoC Exploit Published for Just-Patched Veeam Data Backup Solution Flaw
- CISA Gets Proactive With New Pre-Ransomware Alerts
