Cyber Threat Actor: Thieves
| Actor Type | Location | Known Incidents |
Crime Syndicate
|
Mexico
|
1 incident |
|---|
Profile
The threat actor known by the alias “Thieves” operates from Mexico and has been observed targeting the country’s financial sector. Public reporting links the group to a 2018 cyberattack that affected multiple Mexican banks, including Banorte, where fraudulent transfer orders were generated to move hundreds of millions of pesos into accounts controlled by the attackers. The activity was directed at institutional accounts rather than customer deposits, indicating a focus on siphoning funds from the banks themselves. Authorities noted that the scale of cash withdrawals facilitated by accomplices suggested possible insider collaboration, though no definitive proof of internal involvement was disclosed. The central bank described the incident as unprecedented and responded by implementing corrective measures while continuing its analysis.
The actor’s tactics, as evidenced by the 2018 operation, involve compromising third‑party software interfaces used for interbank connectivity to initiate unauthorized transfers. Once the fraudulent orders are in place, the group relies on a network of accomplices who rapidly withdraw the illicit funds from bank branches before the transactions can be fully reversed. Some of the fraudulent transfers were blocked by the banks’ internal controls, prompting the institutions to adopt slower, alternative technologies for payment system communication to mitigate future risk. No public attribution to a state sponsor or a larger criminal consortium has been made available, and the actor’s affiliations remain unspecified in the open sources. The 2018 attack on Mexican financial institutions stands as the most detailed and representative campaign associated with the Thieves alias, illustrating a financially motivated approach that combines technical exploitation of banking software with coordinated cash‑out operations.
