‘London Blue’ cybercriminals turn to large-scale email scam

Criminals have used data brokers to compile a 50,000-person target list for their business email compromise scam.

Email users the world over are familiar with the “Nigerian prince” scam in which someone posing as a foreign dignitary requests a money transfer. While this ruse may not fool many, it has grown more clever and industrialized in recent years – to the point of threatening big businesses.

A prime example is London Blue, a network of cybercriminals exposed by new research from email-security firm Agari. The group has laid the groundwork for large-scale business email compromise (BEC) attacks by compiling a list of more than 50,000 corporate officials, including dozens of executives from the world’s biggest banks, according to Agari.  Over half of the 50,000 targets were in in the United States.

“The pure scale of the group’s target repository is evidence that BEC attacks are a threat to all businesses, regardless of size or location,” Agari researchers wrote.

BEC attacks use personalized emails, sent using spoofed email-name identities, to request fund transfers. In this case, London Blue has used commercial data brokers to collect potential target information at scale, cutting down on the “time-consuming research” that often goes into spearphishing, Agari said. Using commercial data-brokers gives the attack the “volume of a mass spam campaign, but with the target-specific customization of spear-phishing attacks,” the research states.


The data harvesting is just one way in which London Blue operates like an efficient global corporation. Various members are in charge of sales, email marketing, and business intelligence, Agari said. London Blue’s primary members hail from Nigeria, and at least two of its operatives are based in the United Kingdom. Seventeen collaborators, who mostly help move money, are based in Western Europe and the United States, researchers found.

An attack on Agari itself offered researchers’ insight into London Blue’s operations. The attackers spoofed an email from Agari’s CEO to its CFO, requesting a money transfer. An Agari employee traded emails with London Blue to make a transfer seem imminent. Through the email exchange, the researchers learned more about the “mule accounts” that London Blue used to move money.

On the backs of those mules, London Blue has stolen hundreds of thousands of dollars to date, Agari estimated.

Despite law-enforcement crackdowns on email scammers, BEC schemes remain a threatening fixture of the cybercriminal landscape. Over the last five years, BEC schemes have caused more than $12 billion in losses around the world, the FBI estimates.

Sean Lyngaas

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.

Latest Podcasts