{
	"id": "76782aaa-cd6f-4614-83dd-1e6afe50f5b2",
	"created_at": "2026-04-06T00:21:56.846686Z",
	"updated_at": "2026-04-10T13:12:57.65394Z",
	"deleted_at": null,
	"sha1_hash": "f2943671b057e037557f576ccd5c1162e1782d50",
	"title": "Hacker gang OPERA1ER stole $11M from African companies | Group-IB",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 115279,
	"plain_text": "Group-IB report: hacker gang OPERA1ER stole $11 million from African companies\nMedia Center → Press Releases November 3, 2022 · 6 min to read\nOPERA1ER Report Rustam Mirkasymov Threat Intelligence\nhttps://www.group-ib.com/media-center/press-releases/opera1er/\nPage 1 of 10\n\nGroup-IB, one of the global leaders in cybersecurity headquartered in Singapore, has today issued a new report, “OPERA1ER. Playing God without permission,” in collaboration with researchers from the Orange CERT Coordination Center. The report takes a deep dive into the financially motivated attacks of the prolific French-speaking threat actor codenamed OPERA1ER. Despite relying solely on known “off-the-shelf” tools, the gang managed to carry out more than 30 successful attacks against banks, financial services, and telecommunication companies, mainly located in Africa, between 2018 and 2022. OPERA1ER is confirmed to have stolen at least $11 million, according to Group-IB’s estimates. One of OPERA1ER’s attacks involved a vast network of 400 mule accounts for fraudulent money withdrawals. Researchers from the Group-IB European Threat Intelligence Unit identified and reached out to 16 affected organizations so they could mitigate the threat and prevent further attacks by OPERA1ER.\n\nThis report was completed in 2021 while the threat actor remained active. OPERA1ER noticed Group-IB’s increasing interest in its activity and reacted by deleting their accounts and changing some TTPs to cover their tracks. Group-IB decided to suspend publishing the report and wait until the threat actor resurfaced, which happened in 2022. Therefore, the report contains the Indicators of Compromise (IOCs) relevant for the period 2019-2021. The latest IOCs and OPERA1ER’s targets can be found in Group-IB’s blog post. The changes are small and don’t impact the overall findings. Through threat intelligence and resource sharing, Orange-CERT-CC and Group-IB were able to better understand the threat actor’s modus operandi. All findings have been compiled into the report so that the cybersecurity community can better track OPERA1ER’s activity and prevent their attacks in the future.\n\nSmooth OPERA1ER\n\nDigital forensics artifacts analyzed by Group-IB and Orange following more than 30 successful intrusions by OPERA1ER between 2018 and 2022 helped track down affected organizations in Ivory Coast, Mali, Burkina Faso, Benin, Cameroon, Bangladesh, Gabon, Niger, Nigeria, Paraguay, Senegal, Sierra Leone, Uganda, Togo, and Argentina. Many of the victims identified were successfully attacked twice, and their infrastructure was then used to attack other organizations. According to Group-IB’s evaluation, between 2018 and 2022 OPERA1ER managed to steal at least $11 million, and the actual amount of damage could be as high as $30 million.\n\nOPERA1ER, also known under the names DESKTOP-group and Common Raven (SWIFT ISAC Security Bulletin, 23 June 2021), traces its roots back to 2016, when the gang registered its oldest known domain. In the new report, Group-IB was able to identify previously unrecognized elements of the gang’s infrastructure, including their newly deployed Command and Control (C\u0026C) servers, domains and IP addresses. Based on one of the accounts the gang now frequently uses to register domains, Group-IB codenamed the threat actor OPERA1ER.\n\n“Detailed analysis of the gang’s recent attacks revealed an interesting pattern in their modus operandi: OPERA1ER conducts attacks mainly during the weekends or public holidays,” says Rustam Mirkasymov, head of cyber threat research at Group-IB Europe. “It correlates with the fact that they spend from 3 to 12 months from the initial access to money theft. It was established that the French-speaking hacker group could operate from Africa. The exact number of the gang members is unknown.”\n\nNo rush to cash in\n\nA distinct feature of the group is the use of off-the-shelf open-source programs, malware freely available on the dark web, and popular red teaming frameworks such as Metasploit and Cobalt Strike. In at least two incidents in different banks, the attackers deployed Metasploit servers inside the compromised infrastructure. Because the gang relies solely on public tools, they have to think outside the box: in one incident analyzed by Group-IB and Orange, OPERA1ER used an antivirus update server deployed in the infrastructure as a pivoting point.\n\nOPERA1ER start their attacks with high-quality spear phishing emails targeting a specific team within an organization. Most of their messages are written in French, ranging from fake notifications from government tax offices to hiring offers from BCEAO (the Central Bank of West African States). Under the guise of a legitimate attachment, OPERA1ER distributes Remote Access Trojans such as NetWire, BitRAT, VenomRAT, AgentTesla, Remcos, Neutrino and BlackNET, as well as password sniffers and dumpers. After gaining access, OPERA1ER exfiltrate emails and internal documents to use them in further phishing attacks. They take time to study internal documentation carefully to better prepare for the cashing-out stage, as most of OPERA1ER’s victims used a complex digital money platform.\n\nThe platform has a three-tiered architecture of distinct accounts to allow different types of operations. To compromise these systems, OPERA1ER would require specific knowledge about the key people involved in the process, the protection mechanisms in place, and the links between back-end platform operations and cash withdrawals. The gang could have obtained this knowledge directly from insiders or by themselves, by slowly and carefully inching their way into the targeted systems. Digital forensic findings indicate that OPERA1ER harvested credentials for three accounts with different access levels to perform fraudulent operations.\n\nThe threat actors targeted operator accounts that contained large amounts of money. Using the stolen credentials, they then transferred money into Channel User accounts and, after that, moved the stolen funds into subscriber accounts under their control. Finally, the funds were withdrawn from the system in cash via a network of ATMs. In one case studied by the researchers, a network of more than 400 subscriber accounts controlled by money mules hired by OPERA1ER was used to enable the cashing out of the stolen funds, mostly done overnight via ATMs. By analyzing the activity on the subscriber accounts used in the illicit withdrawals, Group-IB and Orange researchers discovered that the money mules had been recruited three months in advance.\n\nOther findings indicate that in at least two banks, OPERA1ER managed to gain access to the SWIFT messaging interface software (presumably Alliance Access) running on the banks’ computers. The software is used to communicate the details of financial transactions. It is important to note that SWIFT itself was not compromised; rather, the attackers were able to break into the systems inside the banks where this software was installed.\n\nIn one bank, the threat actor took control of an SMS server that could have been used to bypass anti-fraud controls or cash out money via payment or mobile banking systems. However, it is unknown whether the threat actor managed to steal money in any of those attacks.\n\nFor the first time, Group-IB describes OPERA1ER’s complete Tactics, Techniques and Procedures, tools, and kill chain, obtained from investigations of incidents involving the gang. The report will be helpful for corporate cybersecurity teams as it contains hunting tricks and Indicators of Compromise (IoCs), which can be used to check networks for traces of OPERA1ER, prevent their future attacks, and take proactive measures to defend the perimeter.\n\nAbout Group-IB\n\nFounded in 2003 and headquartered in Singapore, Group-IB is a leading creator of cybersecurity technologies to investigate, prevent, and fight digital crime. Combating cybercrime is in the company’s DNA, shaping its technological capabilities to defend businesses and citizens and to support law enforcement operations.\n\nGroup-IB’s Digital Crime Resistance Centers (DCRCs) are located in the Middle East, Europe, Central Asia, and Asia-Pacific to help critically analyze and promptly mitigate regional and country-specific threats. These mission-critical units help Group-IB strengthen its contribution to global cybercrime prevention and continually expand its threat-hunting capabilities.\n\nGroup-IB’s decentralized and autonomous operational structure helps it offer tailored, comprehensive support services with a high level of expertise. We map and mitigate adversaries’ tactics in each region, delivering customized cybersecurity solutions tailored to the risk profiles and requirements of various industries, including retail, healthcare, gambling, financial services, manufacturing, crypto, and more.\n\nThe company’s global security leaders work in synergy with some of the industry’s most advanced technologies to offer detection and response capabilities that eliminate cyber disruptions agilely. Group-IB’s Unified Risk Platform (URP) underpins its conviction to build a secure and trusted cyber environment by utilizing intelligence-driven technology and agile expertise that completely detects and defends against all nuances of digital crime. The platform proactively protects organizations’ critical infrastructure from sophisticated attacks while continuously analyzing potentially dangerous behavior all over their network.\n\nThe comprehensive suite includes the world’s most trusted Threat Intelligence, the most complete Fraud Protection, AI-powered Digital Risk Protection, multi-layered protection with Managed Extended Detection and Response (XDR), all-infrastructure Business Email Protection, and External Attack Surface Management.\n\nFurthermore, Group-IB’s full-cycle incident response and investigation capabilities have consistently elevated industry standards. This includes the 77,000+ hours of cybersecurity incident response completed by our sector-leading DFIR Laboratory, more than 1,400 successful investigations completed by the High-Tech Crime Investigations Department, and round-the-clock efforts of CERT-GIB.\n\nTime and again, its solutions and services have been revered by leading advisory and analyst agencies such as Aite Novarica, Gartner®, Forrester, Frost \u0026 Sullivan, KuppingerCole Analysts AG, and more.\n\nBeing an active partner in global investigations, Group-IB collaborates with international law enforcement organizations such as INTERPOL, EUROPOL and AFRIPOL to create a safer cyberspace. Group-IB is also a member of the Europol European Cybercrime Centre’s (EC3) Advisory Group on Internet Security, which was created to foster closer cooperation between Europol and its leading non-law enforcement partners.",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.group-ib.com/media-center/press-releases/opera1er/"
	],
	"report_names": [
		"opera1er"
	],
	"threat_actors": [
		{
			"id": "11c69e3d-a740-4a70-abd3-158ac0375452",
			"created_at": "2023-01-06T13:46:39.29608Z",
			"updated_at": "2026-04-10T02:00:03.27813Z",
			"deleted_at": null,
			"main_name": "Common Raven",
			"aliases": [
				"NXSMS",
				"DESKTOP-GROUP",
				"OPERA1ER"
			],
			"source_name": "MISPGALAXY:Common Raven",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a1071a25-d7c1-41be-a97f-2ec1b167ceb0",
			"created_at": "2023-02-18T02:04:24.365926Z",
			"updated_at": "2026-04-10T02:00:04.792271Z",
			"deleted_at": null,
			"main_name": "OPERA1ER",
			"aliases": [
				"Common Raven",
				"DESKTOP-GROUP",
				"NXSMS",
				"Operation Nervone"
			],
			"source_name": "ETDA:OPERA1ER",
			"tools": [
				"AgenTesla",
				"Agent Tesla",
				"AgentTesla",
				"Agentemis",
				"BitRAT",
				"BlackNET RAT",
				"Cobalt Strike",
				"CobaltStrike",
				"Kasidet",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Metasploit",
				"Negasteal",
				"NetWeird",
				"NetWire",
				"NetWire RAT",
				"NetWire RC",
				"NetWired RC",
				"Neutrino Bot",
				"Neutrino Exploit Kit",
				"Ngrok",
				"Origin Logger",
				"PsExec",
				"RDPWrap",
				"Recam",
				"Remcos",
				"RemcosRAT",
				"Remvio",
				"Revealer Keylogger",
				"Socmer",
				"VenomRAT",
				"ZPAQ",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434916,
	"ts_updated_at": 1775826777,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f2943671b057e037557f576ccd5c1162e1782d50.pdf",
		"text": "https://archive.orkl.eu/f2943671b057e037557f576ccd5c1162e1782d50.txt",
		"img": "https://archive.orkl.eu/f2943671b057e037557f576ccd5c1162e1782d50.jpg"
	}
}