Researchers tie email fraud campaign aimed at Fortune 500 firms to Russian scammers

Researchers say it's the first-ever Russian crime ring of this kind. Nigerian roots are more common.
email, bec, business email compromise, scam, fraud, dmarc, @ symbol
(Getty Images)

An emerging group of scammers masquerading as legitimate business executives is behind more than 200 email-based attacks that aim to swindle hundreds of thousands of dollars from companies, according to new findings.

Dubbed “Cosmic Lynx” in research published Tuesday by the email security firm Agari, the group has targeted individuals in 46 countries since July 2019, often victimizing senior leaders in Fortune 500 or Global 2000 firms. It’s the latest in a long line of business email compromise (BEC) gangs, which impersonate trusted associates to request wire transfers or other payments.

Unlike alleged operators often identified in U.S. indictments, the Cosmic Lynx group is likely made up of attackers based in Russia, researchers said, in what Agari described as the first-ever Russian crime ring of this kind. More often, prosecutions of accused BEC scammers are against suspects with roots in Nigeria.

American victims reported $1.7 billion in BEC-related losses to the FBI last year, making email fraud in which thieves pose as one person to deceive another the most expensive form of cybercrime for people and companies in the U.S.


Typically, the Cosmic Lynx campaign involves attackers impersonating the chief executive of a fictitious Asian company that the target firm supposedly intends to acquire. While masquerading as a CEO, hackers contact someone from the victim company (usually a vice president, general manager or managing director) and introduce that individual to the would-be legal counsel of the Asian-based firm. The “legal counsel” then introduces the victim to another persona, usually posing as a legitimate lawyer at British law firm that specializes in mergers and acquisitions.

In one message sent on May 7, the group instructed one victim to send more than $1.5 million as part of a transaction. The messages often used clear English, with corporate jargon like “synergistic” added in the correct context.

Then, the group usually directs money into accounts in Hong Kong, Hungary, Portugal and Romania, where it is withdrawn by so-called money mules, or humans or physically take cash out of the bank before the victim organization cancels the transaction. Agari did not disclose how much money the Cosmic Lynx group had reaped since the middle of last year.

Often, the messages would include a salutations mentioning the COVID-19 pandemic, encouraging the recipient to “look beyond the crisis” as businesses prepare for an economic recovery.

“Within every crises, the seeds of opportunity are sowed,” one message said. “I am please to share that we are seizing the moment and are pressing ahead to acquire the assets of a distressed company. Our legal team is currently working on closing the transaction and I need you to work closely with them on certain time-sensitive issues.”


Researchers tied the scheme to Russian scammers in part based on the group’s use of TrickBot and Emotet, two widely-used hacking tools designed to steal from banks, with roots in the cybercriminal economy. The group also has launched many of its attacks during peak hours in Russian time zones, and traced computer IP addresses used in this scheme to other websites that hosted fake documents used in other attacks.

“These sites, which seem to be catering to individuals in Russia and Ukraine, sell a variety of fake Russian-language documents, such as diplomas, birth certificates and death certificates,” the Agari report noted.

In one case, attackers sent undercover researchers a document containing wire transfer instructions for payment, and a fake non-disclosure agreement. A review of the metadata from that document showed that it had been saved by a user calling himself “Serge Devant,” the same name as a disc jockey from St. Petersburg, Russia.

“While the name of this user can be easily changed to reflect any name, using the name of a Russian DJ, regardless of whether it is legitimate or not, is notable,” the researchers said. “It should be noted that we have no evidence that the real Sarge Devant is associated with Cosmic Lynx activity.”

Focus on the Cosmic Lynx gang comes amid an ongoing reckoning with business email compromise attacks. The scam technique has yielded profits for a generation of internet fraudsters, even as the U.S. Department of Justice and other law enforcement agencies have sought to curb abuse. The DOJ last week announced it had extradited a Nigerian man accused of laundering millions of dollars on behalf of BEC scammers, providing a glimpse into the complex web of global financial dealings that make such attacks possible.

Latest Podcasts