A suspected senior member of the hacker group OPERA1ER has been arrested in Operation Nervone, conducted jointly by multiple international law enforcement agencies, Interpol said in a press note.\n\n\u201cFollowing extensive cooperation, Interpol, Afripol, Group-IB, and C\u00f4te d\u2019Ivoire\u2019s Direction de l'Information et des Traces Technologiques (DITT) are announcing the arrest of a suspected senior member of the group, dealing a significant blow to their criminal activities,\u201d Interpol said. \n\nOPERA1ER \u2014 also known as NX$M$, DESKTOP Group, and Common Raven \u2014 has been operational for over four years. It is a highly organized criminal organization that has targeted financial institutions and mobile banking services with malware, phishing campaigns, and large-scale business email compromise (BEC) scams.\n\n\u201cThe group is believed to have stolen an estimated $11 million \u2014 potentially as much as $30 million \u2014 in more than 30 attacks across 15 countries in Africa, Asia, and Latin America,\u201d Interpol said. \n\nOperation Nervone\n\nOperation Nervone was backed by two key Interpol initiatives \u2014 the African Joint Operation against Cybercrime, and the Interpol Support Programme for the African Union, which works with the AU's Afripol intergovernment police coordination agency. The initiatives are funded by the UK's Foreign, Commonwealth & Development Office and Germany\u2019s Federal Foreign Office, respectively.\u00a0\n\n\u201cIn early June, authorities in C\u00f4te d\u2019Ivoire were able to arrest a key suspect linked to attacks against financial institutions across Africa,\u201d Interpol said in its release. \n\nResearchers at Group-IB first identified the group\u2019s illicit email campaigns in 2018, when they recognized spear phishing operations responsible for spreading malware such as remote access tools. \n\nAdditional information that helped with the investigation was shared by the Criminal Investigative Division of the US Secret Service and researchers from DarkLabs, a Booz Allen Hamilton cybersecurity team.\n\nThe hacker group OPERA1ER\n\nOPERA1ER is a French-speaking, financially motivated hacker group, according to Group-IB. The cybersecurity firm was able to identify at least 30 attacks carried out by OPERA1ER between 2019 and 2021. The group successfully compromised payment and Internet banking systems in all these attacks. \n\nIn at least two banks, OPERA1ER was able to access the SWIFT messaging interface, which is used to communicate the details of financial transactions. \n\nThe group used spear phishing emails as their initial attack vector. The emails contained links to Google Drive, Discord servers, compromised legitimate websites, and malicious servers, which belong to the threat actor. Most of the emails were written in French, however, researchers also reported emails written in English. \u201cFurthermore, this email targeted only 18 users in the same country all linked to financial services associated with the topic and some VIPs,\u201d Group-IB said in the report.\u00a0\n\nThe group used multiple payloads including NanoCore, H-Worm (Houdini Worm), WSH Rat, Remcos, Adwind, or QNodeJS between 2019 and 2020. \n\n\u201cOnce an initial RAT is deployed, operators analyze compromised machines. When a machine of interest is infected, Metasploit Meterpreter or Cobalt Strike Beacon is downloaded and launched,\u201d Group-IB said in the research, adding that the group typically waited for a year after the initial intrusion and the final payload execution.\u00a0\n\nThe group would finally withdraw the stolen money as cash through an extensive network of ATMs over holidays or weekends to avoid detection. There were also links found between OPERA1ER and a cybercriminal group, Bluebottle, that used a signed Windows driver in attacks against at least three banks in French-speaking African countries, according to Symantec.