
How a cyber-gang with a posh name stole millions from private equity firms

A cybercrime gang with a moniker reminiscent of a Bond villain has pulled off a sophisticated cyber heist, taking NZ$2.7 million from three different British private equity firms, according to new data from Check Point Research.

The gang, dubbed ‘The Florentine Banker’ by researchers, succeeded in its campaign by manipulating email correspondences, registering lookalike domains, and cashing out in phases. 

Four separate bank transactions attempted to transfer $2.3 million to unrecognised bank accounts.

Emergency intervention by Check Point enabled the recovery of only $1.2 million, leaving the rest as permanently lost funds. 

Researchers concluded that there are potentially more targets in the Florentine Banker’s sights, after recovering several purchased domains unrelated to the other three targets.

The Florentine Banker’s strategy

After selecting a target, the Florentine Banker initiates its attack by setting up a targeted phishing campaign against key people inside the victim’s company, CFOs or other executives who oversee funds.

The first phishing emails targeted only two personnel, of which one provided their credentials. 

The phishing attacks then continue, persisting for weeks in alternating methods, occasionally adding new individuals to the list of targets until the attackers gain a panoramic view of the entire financial picture of the company.

After gleaning high-level credentials from the victims, the Banker’s plan is then separated into five distinct categories:

Once the attackers gain control over the victim’s email account, they start reading their emails. 

The Florentine Banker can spend days, weeks or even months doing reconnaissance before actively intervening in the communication, patiently mapping the business scheme and procedures.

Control and isolation 

The attackers start to isolate the victim from third parties and internal colleagues by creating malicious mailbox rules. 

These email rules divert any emails with filtered content or subjects into a folder monitored by the threat group, essentially creating a ‘man-in-the-middle’ attack.
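The mailbox rules described above are something a defender can audit for. The following is an added example, not code from the article or from Check Point: it takes mailbox rules in a constructed, generic dictionary shape (not any real mail server's API) and flags rules that filter on finance keywords and then hide or redirect the matching mail. `INTERNAL_DOMAINS` and the sample rules are assumptions.

```python
import re

# Terms that rules created to isolate a finance contact tend to filter on.
FINANCE_TERMS = re.compile(r"\b(invoice|wire|transfer|payment|bank|beneficiary|iban|swift)\b", re.I)
# The organisation's own mail domains (constructed value).
INTERNAL_DOMAINS = {"examplecapital.com"}


def audit_rule(rule: dict) -> list[str]:
    """Return human-readable reasons a mailbox rule looks like attacker isolation."""
    reasons = []
    text = " ".join(rule.get("subject_contains", []) + rule.get("body_contains", []))
    if FINANCE_TERMS.search(text):
        reasons.append("filters on finance keywords")
    external = [a for a in rule.get("forward_to", [])
                if a.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS]
    if external:
        reasons.append("forwards to external " + ", ".join(external))
    folder = rule.get("move_to_folder")
    if folder and folder.lower() != "inbox":
        reasons.append(f"moves mail to '{folder}'")
    if rule.get("mark_as_read"):
        reasons.append("marks mail as read")
    if rule.get("delete"):
        reasons.append("deletes mail")
    return reasons


def is_suspicious(rule: dict) -> bool:
    """Suspicious = a concealing action combined with a finance filter or external forward."""
    reasons = audit_rule(rule)
    concealing = any(not r.startswith("filters") for r in reasons)
    keyworded = any(r.startswith("filters") for r in reasons)
    forwarded = any(r.startswith("forwards") for r in reasons)
    return concealing and (keyworded or forwarded)


def suspicious_rules(rules: list[dict]) -> list[str]:
    """Names of the rules in a mailbox that merit an analyst's attention."""
    return [r["name"] for r in rules if is_suspicious(r)]


# Constructed sample rules; the second mimics the "hide finance mail" pattern.
SAMPLE_RULES = [
    {"name": "Newsletter cleanup", "subject_contains": ["newsletter"], "move_to_folder": "Reading"},
    {"name": ".", "subject_contains": ["invoice", "wire transfer"], "move_to_folder": "RSS Feeds",
     "mark_as_read": True},
    {"name": "Backup", "forward_to": ["backup-mail@outlook.example"]},
]

if __name__ == "__main__":
    for name in suspicious_rules(SAMPLE_RULES):
        print(name, audit_rule(next(r for r in SAMPLE_RULES if r["name"] == name)))
```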

Lookalike setup

The attackers register lookalike domains - domains that look visually similar to the legitimate domains of the entities involved in the email correspondences they want to intercept. 

The attacker then sends emails from the lookalike domains. They either create a new conversation or continue an existing one - thus deceiving the target into presuming the source of the email is legitimate.
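A simple check for the lookalike-domain step is to compare each sender's domain against the domains of the known parties in the correspondence. The following is an added example, not code from the article or from Check Point; the trusted domains and sender addresses are constructed values. It folds common character substitutions before comparing and also catches domains within a couple of edits of a trusted one.

```python
import unicodedata

# Legitimate domains of the parties in the correspondence (constructed values).
TRUSTED_DOMAINS = {"examplecapital.com", "partner-fund.co.uk"}

# Substitutions commonly used in lookalike registrations, folded before comparison.
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}


def normalise(domain: str) -> str:
    """Lower-case, strip accents, and fold lookalike substitutions."""
    d = unicodedata.normalize("NFKD", domain.lower())
    d = "".join(c for c in d if not unicodedata.combining(c))
    for fake, real in HOMOGLYPHS.items():
        d = d.replace(fake, real)
    return d


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one- or two-character alterations."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address: str, max_distance: int = 2):
    """Return (verdict, closest trusted domain or None) for a sender address."""
    domain = address.rsplit("@", 1)[-1].lower()
    if domain in TRUSTED_DOMAINS:
        return "trusted", domain
    folded = normalise(domain)
    for trusted in TRUSTED_DOMAINS:
        if folded == normalise(trusted):
            return "lookalike-homoglyph", trusted
    for trusted in TRUSTED_DOMAINS:
        if levenshtein(folded, normalise(trusted)) <= max_distance:
            return "lookalike-typo", trusted
    return "unknown", None


if __name__ == "__main__":
    for sender in ("cfo@exarnplecapital.com", "ops@partner-funds.co.uk", "a@gmail.com"):
        print(sender, classify_sender(sender))
```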

Intercept funds

The attackers begin injecting fraudulent bank account information by both intercepting legitimate wire transfers and generating new wire transfer requests.

Money transfer

The Florentine Banker manipulates the conversation until the third party approves the new banking details and confirms the transaction. If the bank rejects the transaction due to a mismatch in the account currency, beneficiary name or any other reason, the attackers are there to fix the rejects until the money is in their own hands.

“These are times in which wire transfers are very common – from day-to-day actions to government stimulus packages for both citizens and businesses,” says Check Point manager of threat intelligence Lotem Finkelsteen.

“I urge everyone to pay extra attention to what goes in and out of their inboxes, for you may be corresponding with the Florentine Banker.”
