THREAT ACTOR DOSSIER
AGARI | EXAGGERATED LION
Business email compromise (BEC) has grown into a billion-dollar industry as cybercriminals
use look-alike domains and display name deception to trick employees into revealing sensitive
information or depositing money into criminally-owned bank accounts. When they can
compromise a legitimate email account and use it to send malicious messages, the success rate
becomes even greater. And cybercriminals are taking advantage, to the tune of more than $700
million every month.
The Agari Cyber Intelligence Division (ACID) has identified an African cybercriminal
organization, which we call Exaggerated Lion, that has been active since at least 2013.
Comprised of actors in Nigeria, Ghana, and Kenya, Exaggerated Lion was a prolific check fraud
ring before evolving to BEC attacks starting in mid-2017. Since April 2019, we have conducted
more than 200 active defense engagements against Exaggerated Lion actors. Our visibility into
Exaggerated Lion’s operations as a result of these engagements has given us an in-depth look
at how their BEC attacks unfold and have evolved over time.
One of the most intriguing aspects of Exaggerated Lion’s BEC attacks is their clear preference
to use physical checks as a cashout method rather than wire payments, which makes them
unique in the BEC threat landscape. The group’s history of check fraud and romance scams
has resulted in a vast network of check mules across the United States. Over the course of our
research into Exaggerated Lion, we have uncovered the identities and locations of 28 check
mules, including seven “Tier I” mules who are long-standing romance scam victims that are
trusted with large sums of money and interact more extensively with the main Exaggerated
Lion actors.
During our research, we identified more than 3,000 individuals employed by nearly 2,100
companies that had been targeted by Exaggerated Lion BEC campaigns between April 2019
and August 2019. All of these targets were located in the United States, in 49 of 50 states and
the District of Columbia, an indication of Exaggerated Lion’s square focus on American targets.
Over the course of our engagements with Exaggerated Lion, the group evolved their tactics
and started using fake invoices and W-9s to inject a sense of authenticity into their attacks.
The invoices were created using an easily accessible free invoice generator and the W-9 forms
were obtained from the Internal Revenue Service’s public website. Since these documents are
commonly used in legitimate business transactions, including them gives Exaggerated Lion’s
attacks a better chance of succeeding without any questions being asked.
Another unique characteristic of Exaggerated Lion’s BEC attacks is the use of very long domain
names hosted on G Suite containing words that give the appearance that an email was sent
from secure infrastructure. Our research has uncovered more than 1,400 domains that
Exaggerated Lion has used to launch BEC campaigns since July 2017. Domains
registered by Exaggerated Lion actors comprise more than 10% of all .MANAGEMENT domains
that have ever been created and nearly 75% of .MANAGEMENT domains registered with
Google.
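As an added defender-side illustration of the sender patterns the summary describes (display-name deception, look-alike domains, very long domain names, security-themed words in the domain, and the .MANAGEMENT TLD), the following Python triage heuristic scores inbound From: headers against those traits. It is example code written for this dossier, not Agari's tooling; the keyword list, weights, thresholds, the `acme-corp.example` trusted domain and the sample headers are assumptions constructed for the example.

```python
"""Heuristic triage of inbound From: headers for the lure patterns the dossier
describes: display-name deception, look-alike domains, very long sender
domains, and domains that carry words suggesting "secure" infrastructure.

Added example for this dossier; it is not Agari's tooling. The keyword list,
thresholds, weights and sample headers below are assumptions/constructed."""
from dataclasses import dataclass, field
from email.utils import parseaddr

# Assumption: words a lure domain might carry to look like secure infrastructure.
SECURE_WORDS = ("secure", "encrypted", "protected", "verified", "ssl")
LONG_DOMAIN_CHARS = 30           # assumed threshold for a "very long" domain
SUSPECT_TLDS = (".management",)  # the TLD the dossier calls out
ALERT_THRESHOLD = 3              # assumed score at which a message is held for review


@dataclass
class Finding:
    sender: str
    score: int = 0
    reasons: list = field(default_factory=list)


def analyze_from_header(from_header: str, trusted_domains: set) -> Finding:
    """Score one From: header against the patterns above."""
    display, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    f = Finding(sender=addr)

    for td in trusted_domains:
        # 1. Display-name deception: the visible name embeds a trusted domain
        #    (often a full address) while the real address lives elsewhere.
        if td in display.lower() and domain != td:
            f.score += 3
            f.reasons.append(f"display name claims {td}, address is at {domain}")
        # 2. Look-alike domain: the trusted organisation's name appears inside
        #    a different registered domain.
        org = td.split(".")[0]
        if domain != td and org in domain:
            f.score += 2
            f.reasons.append(f"domain {domain} embeds trusted name {org}")

    # 3. Very long sender domain.
    if len(domain) >= LONG_DOMAIN_CHARS:
        f.score += 2
        f.reasons.append(f"domain length {len(domain)} >= {LONG_DOMAIN_CHARS}")

    # 4. Words that make the domain look like secure infrastructure.
    hits = [w for w in SECURE_WORDS if w in domain]
    if hits:
        f.score += len(hits)
        f.reasons.append("security-themed words in domain: " + ", ".join(hits))

    # 5. TLD associated with the campaign.
    if domain.endswith(SUSPECT_TLDS):
        f.score += 2
        f.reasons.append("suspect TLD: " + domain.rsplit(".", 1)[-1])

    return f


def triage(headers, trusted_domains):
    """Return the findings that meet the alert threshold, highest score first."""
    findings = [analyze_from_header(h, trusted_domains) for h in headers]
    return sorted((f for f in findings if f.score >= ALERT_THRESHOLD),
                  key=lambda f: f.score, reverse=True)


# Constructed sample headers (not real campaign data).
TRUSTED = {"acme-corp.example"}
SAMPLE_HEADERS = [
    "Jane Doe <jane.doe@acme-corp.example>",
    '"jane.doe@acme-corp.example" <ceo.office@webmail.example>',
    "Accounts Payable <ap@acme-corp-secure-document-management.management>",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_HEADERS, TRUSTED):
        print(f.score, f.sender, "; ".join(f.reasons))
```

The weights are deliberately additive so that a single trait (a long domain alone, for instance) does not by itself hold a message, while a sender combining several of the traits described above rises to the top of the review queue; in a real deployment the trusted-domain set would come from the organisation's own mail configuration and the thresholds would be tuned against observed false-positive rates.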
Executive Summary