The Rise of the First-Ever Russian BEC Group Cosmic Lynx

A new class of money cons

• Cosmic Lynx forged fake merger-and-acquisition scenarios that require a two-fold impersonation scheme involving the target organization’s CEO and external legal counsel.
• The group asks target employees - a senior executive (such as Vice President, General Manager, or Managing Director) to work with “external legal counsel” to coordinate the payments needed to close the purported acquisition.
• The group then impersonates the identity of a real lawyer and sends an introductory email to the victim giving an overview of the procedure.
• Finally, Cosmic Lynx convinces the target employee to send payments to mule accounts in Hong Kong with secondary accounts located in Hungary, Portugal, and Romania.

Innovation for profit

• In March, Cosmic Lynx began exploiting COVID-19 themes in their BEC scam attacks.
• Since July 2019, Cosmic Lynx has targeted professionals in 46 countries across six continents and launched more than 200 BEC attacks, asking for large sums (hundreds of thousands or even millions of USD).

The Russian link

• Cosmic Lynx relies on the same infrastructure linked with malware campaigns from Russian-linked Emotet and TrickBot malware and fake Russian documents websites.
• The metadata of documents delivered to victims used Russian cultural references and contained time and date stamps set to Moscow Standard Time.