Russian Group Called “Cosmic Lynx” Exposed for Massive BEC Operation

By Bill Toulas / July 8, 2020

Agari researchers have discovered a new BEC (business email compromise) group of Russian cybercriminals, and they’re calling them “Cosmic Lynx.” The operation’s size is dizzying, counting over two hundred individual campaigns since July 2019, which targeted companies and individuals in 46 countries. As shown in the map below, Cosmic Lynx made no exceptions other than Russia, hitting most developed countries worldwide. They mainly went after big companies and multinational organizations in the “Fortune 500” and “Global 2000” lists.


Source: Agari

BEC works best when you manage to grab the credentials of those that stand the highest in an organization’s hierarchy, as sending emails from these accounts has massively better chances of achieving the goal. Thus, Cosmic Lynx targeted mainly the Managing Directors, Vice Presidents, and General Managers of the companies.


Source: Agari

As for how to first contact is made, there are obviously many custom tricks used by the group, all deploying some form of social engineering traps. In one case, for example, they impersonate a UK-based law firm, urging the recipient to discuss payment details with an “external legal counsel.” That person is sending bank account details that point to a money mule in Hong Kong, diverting a $1.55 million payment to the actors in just a single case. In general, Cosmic Lynx had an average attack request of $1.27 million, whereas the average of BEC scammers, in general, is “only” $55k.

bec message

Source: Agari

To succeed when targeting the “big fish,” one must take care of all details, even the smallest ones. For this reason, Cosmic Lynx is leaving nothing to chance. They register domains that can be used to spawn email accounts that mimic the entities they need to impersonate and exploit DMARC controls to spoof CEOs’ email addresses. They also register the domains through NiceVPS, which is an anonymous provider.

Beside the BEC campaigns, the same actors have been confidently linked with operations involving the Emotet and Trickbot banking trojans’ deployment and the spreading of click-fraud malware on the Android platform. Moreover, they have also been linked with the operation of a popular Russian carding marketplace on the dark web and various fake document websites that help other actions launch malicious campaigns. Thus, Cosmic Lynx is an actor that spreads across numerous fields, having a substantial direct or indirect impact in a series of cyber-crime operations.


For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: