Three Nigerians suspected of being part of a cybercrime group that has made tens of thousands of victims around the world have been arrested today in Lagos, Nigeria, Interpol reported.
In a report disclosing its involvement in the investigation, security firm Group-IB said the three suspects are members of a cybercrime group they have been tracking since 2019 and which they have been tracking under the codename of TMT.
Group-IB said the group primarily operated by sending out mass email spam campaigns containing files laced with malware.
To send their email spam, the group used the Gammadyne Mailer and Turbo-Mailer email automation tools and then relied on MailChimp to track if a recipient victim opened their messages.
The file attachments were laced with various strains of malware that granted hackers access to infected computers from where they focused on stealing credentials from browsers, email, and FTP clients.
Group-IB said the group relied "exclusively on a variety of publicly available" malware strains such as AgentTesla, Loky, AzoRult, Pony, NetWire, and others, all available for download for free or for sale at cheap prices on underground forums.
Once the hackers had access to credentials, the TMT group would engage in Business Email Compromise (BEC), a type of online fraud where they'd attempt to trick companies into making payments into the wrong accounts — controlled by the group's members.
More than 50,000 victims
The TMT group sent email spam campaigns in multiple languages and managed to infect companies in the US, the UK, Singapore, Japan, Nigeria, and others.
While an investigation is still ongoing, Interpol and Group-IB said they were able to track more than 50,000 organizations that have been infected with the group's malware.
All in all, more than 500,000 government and private sector companies in more than 150 countries received emails from the group, according to Interpol.
Group-IB said the group was organized in multiple smaller sub-groups that worked together and that many of the TMT's members are still at large.
A Group-IB spokesperson said this group is not the same TMT group referenced in an AdvIntel 2019 report (as being one of the main distributors of the REvil ransomware).