How to breach a bank

Also featuring: "Is Burkina Faso becoming the Sahel's Russia figure?"

CybAfriqué is a space for news and analysis on cyber, data, and information security on the African continent.

HIGHLIGHTS

How to breach a bank

An OPERA1ER guide to stealing 11 million dollars.

You must first think of how it ends. One Sunday morning, a student, let’s call her Ange, in Abidjan, will go to a quiet ATM on the street corner and start withdrawing cash. Ange will withdraw the CFA equivalent of up to $1,000, depending on the bank. She will keep a ten percent cut of that money and hand the rest over to a mule handler. After all, she is a money mule.

From 2018 to 2022, OPERA1ER (also known as the DESKTOP-GROUP), a French-speaking, financially motivated threat actor group, successfully carried out over 30 attacks, primarily on banks and financial institutions across Africa, by using readily available, "off-the-shelf" malware and stole over $11 million (the actual sum is estimated to be up to $30 million).

If you were OPERA1ER, you would start this operation with a well-crafted “spear-phishing email,” written in fluent French and impersonating entities like government tax offices or the Central Bank of West African States (BCEAO). This will help you bypass spam filters and target specific, important employees in IT, HR, and accounting departments. You will use standard, commodity Remote Access Trojans (RAT) to steal credentials, establish persistence, and execute commands.

Once inside, OPERA1ER largely used open-source "red teaming" frameworks for command and control. They then spent months monitoring their victim’s financial processes and carrying out their own audits. They hunted for internal documentation, recorded screenshots, and studied the exact steps required to initiate a high-value transfer, or how the bank reconciles its books.

In one documented case, they deployed their tools by leveraging the bank's own antivirus update server as a relay. 

If you were OPERA1ER, you would wait for the perfect weekend. One Friday evening, immediately after the bank closes, you start by moving money from high-value accounts to hundreds of mule accounts. Some belong to actual people, some will be new accounts with limited capacity. One of those accounts will be Ange’s. All the mules will be instructed to cash out the transfer before noon on Sunday, take their cut, and hand the rest back to you.

OPERA1ER cashed in on the digital boom. Many of the group’s mule accounts were opened with minimal KYC checks (as was common until very recently). Though these accounts could only move a limited amount of funds, that was often enough. In at least two bank incidents, OPERA1ER successfully gained access to computers running the SWIFT Alliance Access messaging software. Crucially, they didn't hack SWIFT itself (that is much harder). They hacked the endpoint—the bank's computer that interfaces with SWIFT (that's easier). With that access, they could potentially issue fraudulent payment instructions.
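The Friday-evening fan-out from a few high-value accounts to hundreds of mule accounts, many of them newly opened, is also a pattern the bank's own monitoring can catch before Sunday noon. The following is an added example written for this article, not code from OPERA1ER's victims, Group-IB or any bank: it assumes the bank can join each transfer to the destination account's opening date from its KYC records, assumes a 17:00 closing hour, and runs over constructed transaction records (a benign Thursday payroll run and a malicious Friday-evening burst) so it can be run offline.

```python
"""Detect the weekend fan-out pattern described in the article: one
compromised source account sending to many recipient accounts, most of
them recently opened, right after the bank closes on Friday.
Example code added to this newsletter; all records below are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

BANK_CLOSE_HOUR = 17  # assumption: the branch stops booking at 17:00


@dataclass(frozen=True)
class Transfer:
    ts: datetime          # when the transfer was booked
    src: str              # source account id
    dst: str              # destination account id
    amount_xof: int       # amount in CFA francs
    dst_opened: datetime  # destination account opening date (from KYC data)


def outside_business_hours(ts: datetime) -> bool:
    """True from Friday close through Sunday (weekday(): Mon=0 ... Sun=6)."""
    wd = ts.weekday()
    return wd in (5, 6) or (wd == 4 and ts.hour >= BANK_CLOSE_HOUR)


def detect_weekend_fan_out(transfers, *, min_recipients=20,
                           window=timedelta(hours=6), new_account_days=30):
    """Return one alert per source account that, outside business hours,
    paid at least `min_recipients` distinct accounts within `window`.
    The alert also counts how many recipients were opened recently, which is
    the mule-account signal the article describes."""
    by_src = defaultdict(list)
    for t in transfers:
        by_src[t.src].append(t)

    alerts = []
    for src, rows in by_src.items():
        rows.sort(key=lambda t: t.ts)
        for start in range(len(rows)):
            # Extend the window forward from this transfer as far as it reaches.
            end = start
            while end + 1 < len(rows) and rows[end + 1].ts - rows[start].ts <= window:
                end += 1
            win = rows[start:end + 1]
            recipients = {t.dst for t in win}
            if len(recipients) < min_recipients:
                continue
            # A payroll run also fans out, so require the out-of-hours timing too.
            if not all(outside_business_hours(t.ts) for t in win):
                continue
            new_accounts = {t.dst for t in win
                            if t.ts - t.dst_opened <= timedelta(days=new_account_days)}
            alerts.append({
                "src": src,
                "first": win[0].ts,
                "last": win[-1].ts,
                "recipients": len(recipients),
                "new_accounts": len(new_accounts),
                "total_xof": sum(t.amount_xof for t in win),
            })
            break  # one alert per source is enough for the analyst queue
    return alerts


def make_sample_transfers():
    """Constructed data: a Thursday-morning payroll to 50 staff accounts
    (benign) and a Friday-evening burst from a treasury account to 40
    accounts, 30 of which were opened two weeks earlier."""
    rows = []
    thursday = datetime(2021, 3, 4, 10, 0)  # 2021-03-04 is a Thursday
    for i in range(50):
        rows.append(Transfer(thursday + timedelta(minutes=i), "CORP-PAYROLL-007",
                             f"STAFF-{i:03d}", 350_000, datetime(2015, 1, 1)))
    friday_evening = datetime(2021, 3, 5, 19, 5)  # Friday, after close
    for i in range(40):
        opened = datetime(2021, 2, 20) if i < 30 else datetime(2016, 6, 1)
        rows.append(Transfer(friday_evening + timedelta(minutes=3 * i),
                             "CORP-TREASURY-001", f"MULE-{i:03d}", 550_000, opened))
    return rows


if __name__ == "__main__":
    for alert in detect_weekend_fan_out(make_sample_transfers()):
        print(alert)
```

On the constructed data the payroll run is ignored because it happens on Thursday morning, while the treasury burst produces a single alert covering all 40 recipients, 30 of them flagged as recently opened. In practice the thresholds belong in configuration and the alert should feed the same queue that can freeze outbound transfers until a human confirms them on Monday; an hours-long wait before review is exactly the window the attackers counted on.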

Even though stricter KYC requirements now make it much harder to move that money through mules, digital payment structures and networks, especially in Africa, remain susceptible to attacks like this.

In 2023, Interpol reported that a leader of the OPERA1ER group was arrested in Côte d’Ivoire during a joint operation named Operation Nervone. Join us next week for more on how to breach a bank.

Is Burkina Faso becoming the Sahel’s Russia figure?

Cameroon held its elections a week ago, and Côte d’Ivoire is set to hold its own a week from now. Both elections are happening in francophone neighbours of the coalition of Sahel States, made up of junta-led Mali, Niger, and Burkina Faso. Both are complicated democracies. Paul Biya, the winner of Cameroon’s election, has been president since 1982, and Alassane Ouattara, who is expected to secure re-election a week from now, has been president of Côte d’Ivoire since 2010. The disinformation pegs write themselves.

In May/June, a popular post claiming a coup in Côte d’Ivoire was shared widely across social media. The campaign used fake screen captures purporting to be from French broadcaster France 24 and a falsified graphic attributed to pan-African weekly magazine Jeune Afrique.

According to ANSSI, the accounts responsible are linked to Burkina Faso’s junta supporters. In Cameroon, actors have left a long trail of AI-powered disinformation.

Groups like the Rapid Intervention Communication Battalion (BIR-C), run by US-based Ibrahima Maiga and the Burkina Faso Junta brothers, have been found running coordinated disinformation to disrupt elections in the region. Most of the narratives push for military rule and a pan-African sentiment, which is not dissimilar from Russia’s narrative of one Soviet in its information campaigns across Eastern Europe. These actors have also been linked with Russian information assets.

FEATURE

  • Chinese state-sponsored threat actor known as Flax Typhoon has been found to have compromised an organization's systems for over a year by weaponizing ArcGIS, a widely trusted mapping and geospatial analytics software. Instead of deploying traditional malware, the hackers used "living off the land" techniques by modifying a legitimate ArcGIS component—a Server Object Extension (SOE)—and turning it into a persistent web shell.

See you next week.
