REPORT
AGARI | SCARLET WIDOW: BEC BITCOIN LAUNDRY—SCAM, RINSE, REPEAT
Executive Summary
Much of the investigative work done by Agari and others to date
has focused on the activities of business email compromise (BEC)
gangs going for big scores against big targets: jackpots of tens to
hundreds of thousands of dollars, scammed out of medium-sized
and large corporations.
Now, Agari has uncovered and documented the practices of a Nigeria-based scammer
group, dubbed Scarlet Widow, that has evolved a different strategy. Rather than focusing
on corporate targets, which are devoting increased resources to cyber-defenses, the group
focuses on more vulnerable sectors such as school districts, universities, and nonprofits, which
the group likely believes are softer targets.
From Rental Fraud to Romance Scams to Tax Refund Diversion
Agari has been gathering information on Scarlet Widow since 2017 and we have documented
its evolving operations going back to 2015. In 2015, its focus was on romance scams and
property rental fraud. In 2016, Scarlet Widow moved into tax fraud, successfully submitting
dozens of fraudulent returns and scoring thousands of dollars in tax refunds with minimal
effort. By 2017, like so many West African cybercrime groups, the group moved into the
lucrative world of BEC, where it continues to focus its efforts to this day.
Scarlet Widow’s preferred targets for BEC scams include academic institutions, including
K-12 school districts in the American Midwest and universities in five countries, and nonprofit
organizations around the world, ranging from the Boy Scouts of America to the YMCA.
While the bulk of its recent BEC attacks has focused on schools and nonprofits, Scarlet
Widow also seems to be preparing for phishing campaigns targeting tax preparation firms.
In September 2018, the group began collecting targeting information on thousands of United
States-based tax preparers, likely to target these individuals with W-2 BEC attacks prior to
tax season.
Like London Blue, the subject of an Agari report in December, this Nigeria-based cybercriminal
group operates like a modern sales and marketing organization, building out an entire solution
stack to run its scams—including resources for lead generation, email distribution, aliases,
falsified documentation used in romance scams, and more.
Since November 2017, Scarlet Widow has gathered targeting information for more than 30,000
individuals associated with more than 13,000 organizations in 12 countries. Most of the leads
collected by Scarlet Widow were for employees located in two countries—with 73% in the
United States and 20% in the United Kingdom.