Interpol’s Operation Haechi V has led to the arrest of over 5500 individuals and seizure of $400m obtained via online fraud
# Incident Report: Global Cyber-Enabled Fraud Crackdown (Operation Haechi V)
## Executive Summary
Operation Haechi V, a five-month international policing initiative coordinated by Interpol, led to the arrest of over 5500 individuals involved in widespread cyber-enabled fraud schemes. The operation recovered over $400 million in virtual and fiat assets globally, targeting scams such as voice phishing, Business Email Compromise (BEC), and romance scams. The success relied heavily on international collaboration and Interpol's I-GRIP initiative for rapid fund recovery.
## Incident Details
- Discovery Date: N/A (Operation spanned from July to November 2024)
- Incident Date: July to November 2024
- Affected Organization: Global (Multiple victims across 40+ countries/territories)
- Sector: Financial Services, individuals, and businesses across various sectors.
- Geography: International, involving law enforcement from over 40 countries/territories, with specific mention of East Asia (South Korea, China), Singapore, and the UK’s Channel Islands (Guernsey).
## Timeline of Events
### Initial Access
- Date/Time: Throughout July to November 2024
- Vector: Diverse cyber-enabled social engineering and fraud techniques: Voice phishing (vishing), romance scams, online sextortion, investment fraud, illegal online gambling, Business Email Compromise (BEC), and e-commerce fraud.
- Details: Specific success involved a voice phishing network in East Asia where scammers impersonated police officers to defraud victims.
### Lateral Movement
- N/A (This report focuses on large-scale fraud operations targeting external victims rather than internal network breaches.)
### Data Exfiltration/Impact
- **Financial Impact:** Over $400 million in virtual assets and government-backed currencies seized globally. A specific voice phishing network in East Asia was linked to $1.1 billion in losses.
- **Specific Seizures:** Singapore Police Force intercepted $39.3m of a $42.3m BEC scam headed to Timor Leste. Guernsey FIU facilitated interception of £2m ($2.5m) stolen via BEC.
### Detection & Response
- **Detection:** Coordinated international law enforcement efforts under Interpol's direction (Operation Haechi V).
- **Response Actions:** Execution of Interpol’s Global Rapid Intervention of Payments (I-GRIP) initiative to intercept funds en route to cybercriminals. Arrests and case resolutions across participating nations.
## Attack Methodology
- Initial Access: Voice phishing (impersonation of police officers), BEC, and social engineering tactics for romance scams/sextortion.
- Persistence: N/A (Focus is on transactional fraud rather than sustained network access.)
- Privilege Escalation: N/A
- Defense Evasion: Specific technical means unknown; the schemes relied on social engineering and rapid movement of funds across international borders to evade immediate financial tracing systems.
- Credential Access: Likely phishing or social engineering used to gain access for BEC schemes.
- Discovery: N/A (Discovery primarily occurred after funds were moved, often via victim reporting or financial institution flagging, leading to I-GRIP actions.)
- Lateral Movement: N/A (Focus on movement of illicit funds, not movement within compromised networks.)
- Collection: Gathering of financial information or pretext setup for social engineering scams.
- Exfiltration: Rapid transfer of illicit funds across Virtual Asset Service Provider (VASP) accounts and international bank accounts (digital asset movement).
- Impact: Significant financial loss for thousands of individuals and businesses ($400m seized, $1.1bn linked to one network).
## Impact Assessment
- Financial: Over $400 million in assets seized globally; $1.1 billion linked to one vishing network.
- Data Breach: Not primarily a data breach incident, but involved fraud based on stolen PII/context used in scams (e.g., impersonation tactics).
- Operational: Minimal direct operational impact detailed for targeted organizations, but significant impact on victims globally.
- Reputational: Undermining of trust in digital and financial systems generally, as noted by Interpol Secretary General.
## Indicators of Compromise
- **Network indicators (Defanged):** Movement of funds to bank accounts in Timor Leste, and various Virtual Asset Service Providers (VASPs).
- **File indicators:** N/A
- **Behavioral indicators:** Impersonation of law enforcement officials via voice calls; rapid, cross-border fund transfers following suspicious transaction initiation.
## Response Actions
- Containment measures: Financial institutions and international police utilized I-GRIP to freeze or intercept funds *en route* to criminal accounts.
- Eradication steps: Arrest of 5500+ suspects across 40+ jurisdictions.
- Recovery actions: Seizure/recovery of over $400 million in assets. Blocking of 1023 VASP accounts.
- **Quantitative Increase:** The operation achieved almost double the number of cases solved (8309) and triple the VASP accounts blocked (1023) compared to the 2023 iteration.
## Lessons Learned
- International police cooperation is highly effective in dismantling borderless cybercrime operations.
- Interpol's I-GRIP is a critical tool for inhibiting the final stage of financial cybercrime (exfiltration).
- Cyber-enabled fraud remains a massive global threat, requiring specialized, coordinated law enforcement responses.
## Recommendations
- Enhance investment in international task forces modeled after Operation Haechi V, focusing on cross-border financial intelligence sharing.
- Promote proactive use of rapid fund interception mechanisms (like I-GRIP) by financial institutions globally.
- Run public awareness campaigns specifically targeting the high-prevalence scams identified (vishing, romance scams, BEC).