Cosmic Lynx: The Nigerian BEC Gang That Went Upmarket
A sophisticated Nigerian threat actor called Cosmic Lynx pivoted from low-value email scams to high-precision BEC attacks against Fortune 500 executives, stealing $1.3 billion over two years by impersonating attorneys in fake M&A deals.
Background
Business Email Compromise evolved significantly between 2018 and 2020. Rather than targeting finance staff with crude CEO impersonation, Cosmic Lynx developed a two-actor method that combined CEO impersonation with a fake external legal counsel persona, adding a layer of social proof.
The Attack
Cosmic Lynx first identified CEO email addresses from LinkedIn and public filings, then sent emails, impersonating the CEO, that told a senior finance executive about a confidential acquisition. A second actor posed as an external attorney handling the deal and provided wire transfer instructions. Both actors used professional language and demonstrated knowledge of real M&A processes. The fake attorney persona used lookalike domains of real law firms. The gang targeted over 200 Fortune 500 companies across 46 countries, with average transfer requests of $1.27 million per target.
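A defensive check for the lookalike law-firm domains described above, added here as an example and not taken from the Agari analysis or any tool this page names: it flags sender domains that nearly match outside counsel the company already retains. The firm domains, the affix list and the distance threshold of 2 are assumptions.

```python
from email.utils import parseaddr

# Constructed allowlist: domains of outside counsel the company really retains.
KNOWN_COUNSEL = {"harlowreed.example", "mintonpike.example"}
# Tokens commonly appended to a firm name to make a plausible lookalike.
AFFIXES = ("law", "llp", "legal", "group")

def osa_distance(a, b):
    """Edit distance counting insert, delete, substitute and adjacent swap."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def skeleton(label):
    """Drop hyphens and one trailing affix: 'mintonpike-llp' -> 'mintonpike'."""
    s = label.replace("-", "")
    for affix in AFFIXES:
        if s.endswith(affix) and len(s) > len(affix):
            return s[: -len(affix)]
    return s

def firm_label(domain):
    # Simplification: label left of the final dot; no public-suffix list is used.
    return domain.rsplit(".", 2)[-2] if "." in domain else domain

def classify_sender(from_header):
    """Return (verdict, matched known domain or None) for a From: header."""
    domain = parseaddr(from_header)[1].rpartition("@")[2].lower()
    if domain in KNOWN_COUNSEL:
        return "known", domain
    label = firm_label(domain)
    for known in sorted(KNOWN_COUNSEL):
        k = firm_label(known)
        if skeleton(label) == skeleton(k) or osa_distance(label, k) <= 2:
            return "lookalike", known
    return "unrelated", None

if __name__ == "__main__":
    for hdr in ("Dana Pike <dpike@mintonpike.example>",       # constructed samples
                "Dana Pike <dpike@mintonpike-llp.example>",
                "Jo Reed <jreed@harlovvreed.example>",
                "Billing <ap@cloudvendor.example>"):
        print(hdr, "->", classify_sender(hdr))
```

A "lookalike" verdict on a message that carries payment instructions is a reason to hold the request until it has been confirmed by phone with the real firm.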
Response
Agari threat researchers discovered and published detailed analysis of Cosmic Lynx in 2020, including 46 BEC campaigns. Law enforcement in multiple countries investigated. The FBI included the operation in its annual IC3 BEC report. Several members were later arrested in international operations.
Outcome
Cosmic Lynx stole an estimated $1.3 billion before disruption. The operation demonstrated that BEC had evolved far beyond crude Nigerian prince scams into highly sophisticated, well-researched financial fraud conducted by organised crime groups.
Key Takeaways
- Two-actor BEC (CEO plus attorney) is highly convincing — verify any wire transfer regardless of how many people seem to approve
- Research on LinkedIn and company filings gives attackers enough information to craft extremely convincing scenarios
- Cross-border BEC operations involve organised crime groups with professional capabilities
- Wire transfer requests should always be verified via a phone call to a number from your internal directory — not from the email