Agari Identifies First-ever Reported Russian BEC Cybercriminal Ring Targeting Executives in 46 Countries Across Six Continents

COVID-19 used as clever ruse; illicit funds flow through intricate network of Hong Kong shell company money mule accounts.

FOSTER CITY, Calif. (July 7, 2020) -- Agari, the market share leader in phishing defense solutions for the enterprise, revealed today details of the threat actor group dubbed Cosmic Lynx, the first-ever reported Russian cybercriminal ring to conduct business email compromise (BEC) phishing scams. This is a historic shift to the global email threat landscape and portends new and sophisticated socially-engineered phishing attacks that CISOs around the world must brace for now. Cosmic Lynx was uncovered by the Agari Cyber Intelligence Division (ACID).

“Cosmic Lynx represents the future of organized crime rings that are shifting focus to socially engineered email fraud,” said Armen L. Najarian, CMO and Chief Identity Officer, Agari. “The more favorable economics of socially engineered schemes targeting enterprise victims have driven groups like Cosmic Lynx to defocus on the more costly and less lucrative ransomware fraud.”

Email fraud originated in West Africa in the form of 419 fraud schemes more than 30 years ago, and today 90 percent of BEC scams still emanate from the region. Meanwhile Russian and Eastern European gangs have historically innovated and perfected technology-based malware heists.

Over the years, however, traditional email-based identity deception schemes have produced greater financial returns relative to highly technical malware attacks. Based on the 2019 FBI IC3 annual report, BEC attacks accounted for $1.7 billion in fraud losses, which made up 40 percent of all cybercrime losses last year. Comparatively, the report documents only $8.9 million in losses attributed to ransomware attacks.

Innovation for Profit
Cosmic Lynx puts a new spin on BEC phishing attacks by fabricating fake merger-and-acquisition scenarios that require a two-fold impersonation scheme involving the target organization’s CEO and external legal counsel. The cybercrime group asks target employees, who tend to hold a VP or higher title, to work with “external legal counsel” to coordinate the payments needed to close the purported acquisition. Cosmic Lynx then impersonates a legitimate attorney, typically at a UK-based law firm, whose job it is to facilitate the transaction. It then moves the stolen funds through money mule accounts in Hong Kong, with secondary accounts located in Hungary, Portugal, and Romania. The group has actively avoided using money mule accounts in the U.S.

These schemes can translate into high-dollar impersonation scams as reflected in a $2.7M request in a recent Cosmic Lynx scheme. By comparison, the average amount requested in traditional executive impersonation BEC attacks is $55,000.

Remarkably, only 15 percent of the Fortune 500 have a DMARC record set at an enforcement policy that would stop malicious actors in their tracks -- meaning 85 percent of companies have left their front doors wide open to fraudsters. Cosmic Lynx takes advantage of these lax DMARC controls to spoof the email addresses of impersonated CEOs, making its attacks appear much more authentic, in contrast to the vast majority of BEC attacks, which use free webmail accounts or registered domains to send malicious emails.

Exploiting COVID-19
Like many other organized fraud rings, Cosmic Lynx has capitalized on the COVID-19 pandemic. To break the ice with targets, its emails strike an empathetic tone about the global crisis and have adjusted as the crisis has evolved. For example, Cosmic Lynx began using COVID-19 themes as early as March 2020, wishing targets good health, and then transitioned to discussing the lifting of restrictions and business reopening.

Engagement Synopsis
Since July 2019, the Agari Cyber Intelligence Division has observed more than 200 BEC campaigns associated with Cosmic Lynx targeting professionals in 46 countries across six continents. Unlike most BEC groups that are relatively target agnostic, Cosmic Lynx has a well-defined victim profile of large, multinational organizations. Nearly all Cosmic Lynx target organizations have a significant global presence, with many being Fortune 500 or Global 2000 companies. The target employees of Cosmic Lynx schemes are typically senior-level executives, with 75 percent holding the titles of Vice President, General Manager, or Managing Director.

About Agari
Agari is the market share leader in phishing defense solutions for the enterprise. Through applied science, the Agari Identity Graph™ delivers valuable business context to every email risk decision. Agari ensures outbound email from the enterprise cannot be spoofed, increasing deliverability and preserving brand integrity. It also protects the workforce from devastating inbound BEC, VEC, spearphishing, and account takeover-based attacks, reducing business risk and restoring trust to the inbox. Learn more at

About Agari Cyber Intelligence Division
The Agari Cyber Intelligence Division (ACID) is the only counterintelligence research group dedicated to worldwide business email compromise (BEC) investigation. Led by a former FBI intelligence analyst who helped set up the Bureau’s Cyber Behavioral Analysis Center, ACID has conducted more than 8,000 active defense engagements with BEC threat actors since May 2019. ACID works closely with law enforcement and other trusted partners to make it more difficult than ever before for cybercriminals to be successful and abate cybercrime activity. 

Media Contact
Jean Creech Avent
Sr. Director, Global Corporate Communications
+1 843-986-8229
