Nigerian BEC Syndicate: SilverTerrier (G0083) Threat Profile
- Suspected Origin
- Nigeria
- Motivation
- Financial Gain
- Aliases
- None documented
- Target Sectors
- High Technology, Higher Education, Manufacturing, Financial Services, Media, Professional & Legal Services, Healthcare, Government, Utilities, Wholesale & Retail
- Associated Malware
- Agent Tesla, LokiBot, NanoCore, NetWire, DarkComet, Remcos, AzoRult, Pony, PredatorPain, Formbook, ImminentMonitor, Adwind, Hworm, Revenge, WSHRat
Overview
SilverTerrier (G0083) is a prominent Nigerian cybercrime syndicate that has been a persistent threat since its emergence around 2014. Initially identified by Palo Alto Networks’ Unit 42, this group represents an evolution from traditional advance-fee fraud (known as 419 scams) to more sophisticated, malware-assisted Business Email Compromise (BEC) operations. The group is not a singular entity but rather a loose affiliation of hundreds of actors, estimated to be over 400 distinct individuals or clusters at its peak, many of whom possess technical education and operate from Nigerian cities like Lagos, Owerri, and Port Harcourt.
Their primary motivation is unequivocally financial gain, achieved by targeting organizations rather than individuals, which promises a significantly higher return on investment. SilverTerrier actors have demonstrated a notable adaptability, evolving from opportunistic scammers to a mature, organized cybercriminal network. This evolution has involved refining their operational security and delivery methods in response to increasing law enforcement pressure and global events, such as the COVID-19 pandemic. Some members have even been observed relocating to regions like Turkey and the UAE, possibly to evade Nigerian authorities.
SilverTerrier’s targeting is broad and indiscriminate, impacting organizations across 177 countries and all 50 U.S. states. However, they consistently prioritize sectors rich in financial transactions and sensitive data, including high technology, higher education, and manufacturing. Other frequently targeted sectors include media, financial services, professional and legal services, healthcare agencies, government entities, regional utilities, medical publishing firms, and insurance companies. This wide net is cast globally, with specific campaigns documented to hit targets in the United States, Australia, Canada, Italy, and the United Kingdom.
Tactics & Techniques
SilverTerrier predominantly relies on social engineering, particularly through extensive phishing and spear-phishing campaigns. These campaigns are often conducted in multiple languages and employ malicious attachments or links designed to deliver commodity malware. Email spoofing is a key tactic, allowing them to impersonate legitimate entities or corporate executives to trick victims.
Upon gaining initial access, their objectives include credential theft, monitoring email threads, and eventually inserting fraudulent instructions to facilitate wire or invoice fraud. They are known to exploit vulnerabilities, such as CVE-2017-11882 in Microsoft Office, to execute code remotely and establish a foothold. For command and control (C2) communications, SilverTerrier actors leverage standard application layer protocols like HTTP, FTP, and SMTP.
The group has also been observed using public social media platforms. These platforms are used to bolster their malware infrastructure, facilitate networking, share resources, and coordinate operations, often helping them disguise their activities and enhance social engineering efforts.
Notable Campaigns
Over the years, SilverTerrier has been linked to staggering financial losses worldwide. From 2016 to 2019, BEC losses globally exceeded $26 billion, with 2020 alone seeing $1.8 billion in losses, averaging $96,372 per victim.
A significant shift in their operations was observed in 2020 with the onset of the COVID-19 pandemic. SilverTerrier actors quickly adapted their lures to include COVID-19 themes, such as fake orders for personal protective equipment (PPE), shipping delay notices for pandemic-related items, and fraudulent vaccine-related news. These campaigns were strategically aimed at exploiting global distractions and anxieties. Targets during this period included critical organizations like government healthcare agencies, large universities with medical programs, regional utilities, and insurance companies across multiple Western countries.
Law enforcement efforts have repeatedly targeted SilverTerrier. In January 2022, Interpol coordinated Operation Falcon II with the Nigerian Police Force, leading to the arrest of 11 suspects in Lagos, who were linked to SilverTerrier operations. These arrests disrupted a syndicate believed to have defrauded thousands of companies globally. Later, in May 2022, Interpol announced another significant arrest: a 37-year-old Nigerian man, identified as a key leader of the cybercrime syndicate, during an international operation codenamed Delilah. More recently, Interpol’s Africa Cyber Surge II in 2023 identified networks linked to over $40 million in losses and resulted in 14 arrests, further disrupting similar fraud schemes.
Associated Malware & Tools
SilverTerrier actors predominantly rely on commercially available, commodity malware, which they often acquire from underground forums due to its low cost and minimal infrastructure requirements. This approach has allowed even less technically proficient actors to engage in complex BEC schemes.
Their toolkit is diverse and constantly evolving based on popularity and effectiveness. Key information stealers frequently deployed include LokiBot, Pony, Agent Tesla, AzoRult, PredatorPain, and Formbook.
For persistent access and deeper system control, they utilize a variety of Remote Access Trojans (RATs). Notable RATs in their repertoire include NanoCore, NetWire, DarkComet, Agent Tesla (which functions as both an info stealer and RAT), Remcos, ImminentMonitor, Adwind, Hworm, Revenge, and WSHRat. While some RATs like LuminosityLink, NJRat, Quasar, and WarZone RATs have seen decreased usage, others like NetWire and DarkComet have remained consistently popular over time among segments of the group. Beyond these, the group has also been observed using PowerShell scripts to download additional malicious payloads.
Current Status
Despite significant international law enforcement operations and arrests in late 2021 and 2022, SilverTerrier remains an active and adaptable threat. Following the arrests made during Operation Falcon II, Palo Alto Networks’ Unit 42 noted a temporary reduction in observed activity levels, including fewer phishing campaigns and malware distributions.
However, comprehensive reports indicate that the group has consistently adapted. Recent intelligence from 2025 still highlights SilverTerrier’s ongoing activity, mentioning an average of 17,600 attacks per month in the past year, marking a 45% increase from 2016 levels. This suggests that while law enforcement efforts can disrupt segments of the syndicate, the overall network continues to operate and evolve. The persistent threat posed by SilverTerrier is also reflected in the broader cybersecurity landscape, with BEC and related fund transfer fraud accounting for nearly 30% of cyber insurance payouts in 2024, driving up premiums globally. SilverTerrier, therefore, continues to be a major player in the global BEC landscape, demonstrating resilience and a continued capacity for financially motivated cybercrime.
Related content
Gorgon Group (G0078): Hybrid Threat Actor Profile
Adversary ProfileAPT33: Iran's Evolving Cyber Espionage and Destructive Capabilities
Adversary ProfileLazyScripter Threat Profile: Targeting Airlines and Global Workforce
Adversary ProfileMolerats (G0021): Persistent Cyber Espionage in the Middle East
Worried this actor targets your sector?
Let's map your exposure before they find it themselves.
Book an advisory call