The 11 Most Notorious BEC Cybercrime Groups Exposed—How Finance Leaders Can Stay Safe

Catherine Chipeta

Business Email Compromise (BEC) is one of the most financially devastating cyber threats, costing companies billions worldwide. These highly sophisticated scams exploit human trust, bypassing traditional security measures through deception rather than technical exploits. From fraud syndicates to hacking collectives, organized cybercriminal groups are behind some of the most infamous BEC operations, targeting finance teams, executives, and employees with authority over funds.

Let’s explore 11 of the most notorious BEC cybercrime groups, their usual tactics, past exploits, and ongoing threats.

1.  London Blue

London Blue is a Nigerian-led BEC group with global collaborators, active since at least 2011. Originally involved in Craigslist scams and credential phishing, the group evolved into a highly organized cybercrime operation resembling a corporate structure. London Blue uses sophisticated tactics, including domain spoofing, social engineering, and commercial sales prospecting tools to build massive target databases. It has targeted over 50,000 financial executives worldwide, with a recent shift towards Asia.

2.  SilverTerrier

Active since at least 2016, SilverTerrier has been linked to over 2.26 million phishing attacks and 170,700 malware samples, using tactics such as email spoofing, social engineering, and credential theft. The group’s operations have resulted in billions of dollars in global losses. While Nigerian authorities have made high-profile arrests, SilverTerrier remains a major player in BEC schemes.

3.  Scattered Canary

Scattered Canary is a Nigerian cybercrime syndicate that evolved from a lone scammer into a full-scale BEC enterprise with dozens of members. Initially engaged in Craigslist and romance scams, the group expanded into BEC fraud, tax fraud, social security fraud, and employment scams. Using a scalable model, Scattered Canary runs multiple scams simultaneously, leveraging money mules and sophisticated tools to evade detection.

4.  Silent Starling

Silent Starling is a cybercriminal group specializing in vendor email compromise (VEC) attacks. Unlike traditional BEC scams, Silent Starling infiltrates vendors’ email accounts through phishing, then sets up forwarding rules to secretly monitor communications for months. Once they understand the vendor’s business operations, they send fraudulent invoices with altered banking details, tricking customers into wiring funds to attacker-controlled accounts. This patient, intelligence-driven approach makes Silent Starling particularly dangerous.
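The forwarding-rule step described above is something mail administrators can audit for. The following is an added example, not part of the original article: it checks exported mailbox rules for forwarding or redirection to domains outside the organisation, and notes when the forwarded mail is also hidden from the mailbox owner. The rule schema, field names, and domains are assumptions constructed for the illustration.

```python
from email.utils import parseaddr

# Assumed: domains the organisation owns (constructed for this example).
INTERNAL_DOMAINS = {"vendor.example"}
# Assumed field names of a normalized mailbox-rule export (hypothetical schema).
FORWARD_FIELDS = ("forward_to", "redirect_to")
HIDE_ACTIONS = {"delete", "mark_read", "move_to_folder"}

def domain_of(address):
    """Return the lower-cased domain of an address, or None if unparsable."""
    _, addr = parseaddr(address)
    if addr.count("@") != 1:
        return None
    return addr.rsplit("@", 1)[1].lower().rstrip(".") or None

def is_internal(domain):
    """True for an owned domain or a subdomain of one (suffix match on a dot)."""
    return any(domain == d or domain.endswith("." + d) for d in INTERNAL_DOMAINS)

def audit_rule(rule):
    """Return the findings for one mailbox rule (empty list means clean)."""
    findings = []
    for field in FORWARD_FIELDS:
        for target in rule.get(field, []):
            dom = domain_of(target)
            if dom is None:
                findings.append(f"unparsable {field} target: {target!r}")
            elif not is_internal(dom):
                findings.append(f"external {field}: {dom}")
    external = any(f.startswith("external") for f in findings)
    # Forwarding externally while hiding the message is the stronger signal.
    if external and HIDE_ACTIONS & set(rule.get("actions", [])):
        findings.append("forwarded mail is also hidden from the mailbox owner")
    return findings

# Constructed sample rules, not taken from any real mailbox.
SAMPLE_RULES = [
    {"mailbox": "ap@vendor.example", "name": "archive",
     "forward_to": ["Archive <archive@mail.vendor.example>"], "actions": []},
    {"mailbox": "billing@vendor.example", "name": ".",
     "forward_to": ["copy@mailbox.invalid"], "actions": ["mark_read"]},
    {"mailbox": "cfo@vendor.example", "name": "sync",
     "redirect_to": ["ops@vendor.example.lookalike.invalid"], "actions": []},
]

def audit(rules):
    """Return (mailbox, rule name, findings) for every rule with a finding."""
    return [(r["mailbox"], r["name"], f) for r in rules if (f := audit_rule(r))]

if __name__ == "__main__":
    for mailbox, name, findings in audit(SAMPLE_RULES):
        print(mailbox, repr(name), findings)
```

The third sample rule shows why the domain check matches on a dot-delimited suffix: a target that merely starts with the organisation's domain is still external.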

5.  FIN7 (Carbanak Group)

FIN7, also known as the Carbanak Group, is a financially motivated cybercriminal organization active since at least 2012. Originating in Russia with ties to Ukraine and neighboring countries, FIN7 initially specialized in point-of-sale (PoS) malware to steal payment card data. In 2020, the group expanded into ransomware operations. FIN7 uses phishing, drive-by compromises, and supply chain attacks to gain initial access, and they have also created fake cybersecurity firms to mask their activities.

6.  Cosmic Lynx

Cosmic Lynx is a Russian cybercriminal group known for launching over 200 BEC campaigns since 2019, targeting multinational companies in 40+ countries. The group specializes in a dual impersonation scheme and uses spoofed domains and bulletproof hosting for anonymity. Beyond BEC, the group is linked to Emotet, Trickbot, and click-fraud malware. Their sophisticated tactics make them one of the most dangerous BEC actors worldwide.

7.  Cobalt

Cobalt Strike is a legitimate cybersecurity tool designed for penetration testing, but cybercriminals and nation-state actors have widely abused cracked versions for malicious purposes. The tool’s Beacon payload enables stealthy communication, making it a favorite for ransomware gangs and espionage operations. A global law enforcement operation, MORPHEUS, led by the U.K. National Crime Agency and Europol, disrupted nearly 600 illicit Cobalt Strike servers in 27 countries. Criminals have used it to gain persistent access to compromised networks, facilitating ransomware and data breaches. While originally intended for ethical hacking, its misuse has significantly lowered the technical barrier for cybercrime worldwide.

8.  Evil Corp

Evil Corp is a notorious Russian cybercrime syndicate responsible for stealing over $100 million through sophisticated banking malware like JabberZeus and Dridex. Led by Maksim V. Yakubets, aka “Aqua,” the group targeted businesses across the U.S. and Europe, using phishing campaigns to steal banking credentials. A key component of their operations involved recruiting “money mules” through fake remote job offers to launder stolen funds. The U.S. Justice Department has placed a $5 million bounty on Yakubets, making it one of the largest rewards for a cybercriminal.

9.  Lazarus Group

Lazarus Group is a North Korean state-sponsored cybercriminal organization known for executing high-profile financial cyberattacks worldwide. Active since at least 2009, the group has been linked to major cryptocurrency heists, bank intrusions, and espionage campaigns. Lazarus employs sophisticated tactics, including supply chain attacks, social engineering, and malware deployment, to steal funds and launder them through complex blockchain transactions. The group is responsible for some of the largest crypto thefts, leveraging its cyber operations to bypass economic sanctions and fund North Korea’s regime.

10. BlackCat (ALPHV)

ALPHV, also known as BlackCat, is a highly sophisticated ransomware group known for its aggressive extortion tactics and innovative data leak strategies. The group pioneered ALPHV Collections, a searchable database that makes stolen data easily accessible to victims and cybercriminals alike, increasing pressure on organizations to pay ransoms. Unlike traditional leak sites on the dark web, BlackCat’s platform is available on the open internet, making sensitive data more widely exploitable. The group’s advanced ransomware operations include double extortion, data indexing, and collaboration with other cybercriminals to maximize financial gain from their attacks.

11. LockBit

LockBit is a ransomware-as-a-service (RaaS) operation and one of the most prolific cybercriminal groups in the world. Known for its double extortion tactics—encrypting victims’ data and threatening to leak it—LockBit was responsible for 44% of global ransomware incidents in early 2023. Since emerging on Russian-language cybercrime forums in 2020, the group has facilitated over 1,700 attacks in the U.S. alone, extorting at least $91 million in ransom payments.

Business Email Compromise (BEC) remains one of the most insidious and financially damaging cyber threats, with organized crime groups constantly refining their tactics to exploit human trust and organizational vulnerabilities. And as these groups evolve, so must our defenses. To stay ahead of these evolving threats, finance leaders must prioritize proactive cybersecurity measures, such as advanced threat intelligence, strong email protocols, and employee training.
