Over the past year, a new group of fraudsters believed to be from the Russian cybercriminal space has elevated Business Email Compromise (BEC) scams to a new level.
Most BEC attacks are from Nigerian actors, who target companies of any size. Cosmic Lynx is a different breed that focuses on multinational corporations and tries to score big, asking for large sums (hundreds of thousands or even millions of USD) to be transferred to mule accounts in Hong Kong.
Researchers at email security company Agari, who have been tracking Cosmic Lynx, say that the group is responsible for more than 200 BEC attacks since July 2019 and shows an operational complexity not seen before in other BEC actors.
Moreover, Cosmic Lynx relies on infrastructure linked with malware campaigns from Emotet and TrickBot, which are tied to the Russian criminal underground.
Laying the groundwork
Almost all companies hit by this threat actor have a global presence and many of them are on the Fortune 500 list or in the global top 2,000.
The group typically impersonates the CEO of the target company, sending a senior-level executive (in 75% of the cases the title is Vice President, General Manager, or Managing Director) an email request to close an acquisition with an Asian company.
The target employee is informed that external legal counsel will help coordinate the payments for closing the deal and that utmost discretion is necessary until the acquisition concludes.
Cosmic Lynx then hijacks the identity of a real lawyer and sends an introductory email to the victim giving an overview of the procedure.
They make sure to let the recipient know that the communication between them is confidential, so that details of the transaction do not leak. The secrecy is justified by an alleged non-disclosure agreement signed by the parties.
Apart from creating a detailed signature with the picture and name of a real attorney, the actor also registers domain names resembling those of the legitimate law firm.
In the final stage of the attack, Cosmic Lynx convinces the target employee to send payments to mule accounts in Hong Kong.
"The average amount requested in most executive impersonation BEC attacks is $55,000. Cosmic Lynx, on the other hand, asks for hundreds of thousands, sometimes millions of dollars" - Agari
Agari says that Cosmic Lynx avoids getting payments in certain countries, the U.S. being one of them, suggesting that they have money mules only in some countries. Secondary accounts were located in Romania, Hungary, and Portugal.
Technical skills
Unlike most groups involved in BEC fraud, Cosmic Lynx operates at a technical level that puts them in control of the email infrastructure used in the attacks and makes it more difficult to investigate.
The actor relies on anonymous domain registrars and bulletproof hosting to hide their identity and to be alerted when law enforcement requests information about them.
Agari says that Cosmic Lynx points their domains to Cloudflare to make them look more legitimate and creates a subdomain for email communication.
"By modifying the IP address that the subdomain is pointing to, Cosmic Lynx is able to point part of the domain at seemingly legitimate infrastructure, while running scams under the subdomain" - Agari
The actor also probes their victims to learn whether they have a DMARC policy in place. This tells them whether they can spoof the organization's email address, which would make their emails look authentic.
Also, depending on the DMARC setting (p=quarantine, p=none, p=reject), they can choose to change the display name on the email instead, so that it looks like it comes from the CEO.
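The two checks a defender would want here are the mirror image of the actor's reconnaissance: confirm what your own DMARC record actually enforces, and catch the display-name fallback when the policy does block exact-domain spoofing. The following is an added example, not code from the article or from Agari. The DMARC tag syntax (v=, p=, pct=) is the published record format; the domain, record values, executive names and From: headers are constructed for illustration.

```python
"""Assess a domain's DMARC policy and flag display-name impersonation of executives.

Added example, not code from the article or from Agari. DMARC tags follow
the published record format (v=, p=, sp=, pct=); the domain, executive
names and From: headers below are constructed for illustration.
"""
from __future__ import annotations

from email.utils import parseaddr


def parse_dmarc(record: str) -> dict[str, str]:
    """Split 'v=DMARC1; p=reject; rua=mailto:...' into a tag -> value mapping."""
    tags: dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_enforcement(record: str | None) -> str:
    """Classify how much protection the published policy gives against exact-domain spoofing.

    Returns one of: 'absent' (no record), 'malformed', 'monitor' (p=none),
    'partial' (quarantine, or reject applied to fewer than 100% of messages),
    'enforcing' (p=reject at 100%).
    """
    if not record:
        return "absent"
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return "malformed"
    policy = tags["p"].lower()
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100  # non-numeric pct: treat as the default so the policy is not under-reported
    if policy == "reject" and pct >= 100:
        return "enforcing"
    if policy in ("reject", "quarantine"):
        return "partial"
    return "monitor"


def display_name_impersonation(from_header: str, executives: list[str],
                               own_domains: list[str]) -> bool:
    """True when the From: display name matches a known executive but the mailbox is external.

    This is the case the article describes: the display name reads like the CEO
    while the actual address lives on a domain the organisation does not own.
    """
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    # Normalise 'Doe, Jane' / 'jane  doe' to a comparable token set.
    tokens = sorted(name.lower().replace(",", " ").split())
    for exec_name in executives:
        if tokens == sorted(exec_name.lower().split()) and domain not in own_domains:
            return True
    return False


if __name__ == "__main__":
    SAMPLE_RECORDS = {  # constructed TXT values for _dmarc.example.com
        "monitor-only": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
        "half-reject": "v=DMARC1; p=reject; pct=50",
        "strict": "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s",
    }
    for label, rec in SAMPLE_RECORDS.items():
        print(f"{label:13s} -> {dmarc_enforcement(rec)}")

    EXECUTIVES = ["Jane Doe"]    # constructed
    OWN_DOMAINS = ["example.com"]
    for hdr in ["Jane Doe <ceo@example.com>",
                '"Doe, Jane" <jane.doe@ceo-mail.example>']:
        print(display_name_impersonation(hdr, EXECUTIVES, OWN_DOMAINS), hdr)
```

A record that parses as "monitor" is the situation the article says the actor is looking for: the organisation publishes DMARC but nothing is rejected, so exact-domain spoofing goes through. Once the record is "enforcing", the display-name check is what catches the remaining variant.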
The Russian connection
This level of proficiency echoes professional cybercriminals versed in protecting their operations and bypassing security controls. Agari discovered that IP addresses and domains in Cosmic Lynx's infrastructure were used for other malicious activities, such as click fraud against Android devices or command and control in TrickBot campaigns.
Emotet is also on the list of infamous threats using the same infrastructure as Cosmic Lynx: between March and April 2020, a Cosmic Lynx mail server was hosted at an IP address that had been used to store malicious documents linked to Emotet and TrickBot.
Even if these groups operate separately, this shows a connection with actors of the Russian criminal underground involved in sophisticated malicious operations.
Supporting the theory that Cosmic Lynx is based in Russia is metadata from the email headers delivered to victims, which contained timestamps set to Moscow Standard Time, even though no part of the Cosmic Lynx infrastructure was located in Russia. This piece of evidence can be tampered with by the sender, though.
Agari also noticed that some IP addresses used by Cosmic Lynx overlapped with infrastructure that hosted websites providing Russian fake documents.
All these clues point to a Russian threat actor, which makes Cosmic Lynx the first BEC group attributed to this region.