Nigeria-Based “Scarlet Widow” Gang Uses Cryptocurrency Exchange to
Launder Stolen Funds
FOSTER CITY, Calif.–(BUSINESS WIRE)–A Nigeria-based scammer gang dubbed “Scarlet Widow” is unleashing
ruthless email fraud attacks against K-12 schools, universities and
nonprofits around the world, according to a report
published today by Agari, the next-generation Secure Email Cloud that
restores trust to the inbox.
Scarlet Widow’s targets include dozens of small-town schools and school
districts in Indiana and Wisconsin; U.S. and U.K. nonprofits including
Boy Scouts of America and the Salvation Army; and universities in
Florida, the United Kingdom, New Zealand and Australia, Agari found.
To launder its proceeds, Scarlet Widow is using Paxful, a U.S.-based
peer-to-peer cryptocurrency exchange that allows it to move scammed
funds beyond the reach of authorities within minutes. Scarlet Widow and
other West African scammers use this exchange to convert fraudulently
obtained gift cards into cryptocurrency for 40 to 80 cents on the dollar.
This is the second report Agari has released on Scarlet Widow, focusing
on the group’s Business Email Compromise (BEC) activities. Agari
described Scarlet Widow’s romance scams targeting lonely men and women
Widow Part 1,” released earlier in February.
During Agari’s investigation into Scarlet Widow, researchers identified
a consolidated database containing targeting information for more than
30,000 individuals at more than 13,000 organizations in 12 countries.
This targeting list includes more than 3,400 individuals at more than
5,500 nonprofits, and more than 1,800 individuals at 660 educational
institutions. Scarlet Widow uses a web scraper to traverse the online
directories of nonprofit organizations and collect email addresses, a
process it refers to as “bombing” the directory.
While the Boy Scouts of America was the nonprofit with the highest
number of individual targets, other major U.S.-based nonprofit
organizations appeared frequently in Scarlet Widow’s target database,
including a West Coast chapter of the United Way, a nationwide
anti-hunger charity, a Texas ballet foundation, a large hospital and
physician group in North Carolina, a Midwest Archdiocese of the Catholic
Church, a well-known annual arts festival, and numerous chapters of the
In the United Kingdom, Scarlet Widow secured targeting information for
individuals at more than 1,300 large and small nonprofits, including the
country’s leading children’s charity, a large advocacy and support group
for the disabled, the national Salvation Army organization, and a family
services hub for a borough of London.
Scarlet Widow has recently targeted universities in Florida,
Massachusetts, and Oregon, including Harvard University, Massachusetts
Institute of Technology (MIT), Oregon State University, University of
Florida, University of Miami, University of Oregon, and others.
In the U.K., some of Scarlet Widow’s academic targets included
University of Oxford, University of Cambridge, Imperial College London,
and University of Glasgow. It went after Australia’s Curtin University
and University of Newcastle; and New Zealand’s University of Canterbury
and Victoria University Wellington. More than one-third of the email
addresses in Scarlet Widow’s educational database were for universities
and K-12 schools in New Zealand.
It is important to note that while these schools and nonprofits were
targeted, the attacks weren’t necessarily successful. Any individual
scam email has a low probability of success—previous Agari research
found a success rate of 0.37%. However, the scam groups generate strong
returns through a huge volume of attacks. BEC attacks are growing
fast, with reported BEC losses in the United States rising 88% between
2016 and 2017, according to the FBI’s Internet Crime Complaint Center.
While the bulk of its recent BEC attacks have focused on schools and
nonprofits, Scarlet Widow also seems to be preparing for phishing
campaigns targeting tax preparation firms. In September 2018, the group
began collecting targeting information on thousands of United
States-based tax preparers, likely to target these individuals with W-2
BEC attacks before and during the current tax season.
In investigating Scarlet Widow, Agari observed a shift in the group’s
cash-out methods that parallels trends observed across the entire BEC
threat landscape. While the group relied on wire transfers in its early
BEC scams, it has now transitioned to seeking payment through Apple
iTunes and Google Play gift cards. This method delivers cash quickly,
can’t be reversed through quick action by bank officials, and eliminates
the need to manage a network of money mules inside the target country.
This behavior mirrors findings from a 2018 report
from the U.S. Federal Trade Commission. From January through September
2018, gift cards and reload cards were the payment method in 26% of
fraud reports, up from just 7% in 2015, the FTC said. Among those who
paid a scammer with a gift or reload card, 42% used iTunes or Google
Play cards, according to the report.
The Agari Cyber Intelligence Division (ACID) is the only
counterintelligence research team dedicated to worldwide Business Email
Compromise (BEC) and spearphishing investigation. ACID uncovers identity
deception tactics, criminal group dynamics, and trends in advanced email
attacks, and helps mitigate cybercrime activity by working with law
enforcement and other trusted partners.
Download Scarlet Widow, Part 2: BEC
Bitcoin Laundry: Scam, Rinse, Repeat
Agari is transforming the legacy Secure Email Gateway with its
next-generation Secure Email Cloud™ powered by predictive AI. Leveraging
data science and real-time intelligence from trillions of emails, the
Agari Identity Graph™ detects, defends, and deters costly advanced email
attacks including business email compromise, spear phishing and account
takeover. Winner of the 2018 Best Email Security Solution by SC
Magazine, Agari restores trust to the inbox for government agencies,
businesses, and consumers worldwide. Learn more at www.agari.com.