Menu
Browse

Cyber Threat Actor: Ikpa Stephen Orji

Actor Type Location Known Incidents
 Icon
Crime Syndicate
Nigeria
1 incident
Profile

Ikpa Stephen Orji, also known by the alias Ikpa Stephen Orji, is a threat actor whose known operational base is located in Nigeria. The actor has been observed targeting financial institutions, specifically a cooperative urban bank in Andhra Pradesh, India, indicating a focus on the banking sector within the Indian region. The primary strategic objective demonstrated in the attributed activity is financial gain, as evidenced by the fraudulent inflation of account balances, unauthorized fund transfers, and subsequent cash withdrawals from automated teller machines. The actor’s activities have shown an international dimension, with collaborators identified in both Nigeria and the United Kingdom, suggesting a transnational criminal network rather than a state‑sponsored effort. No publicly available information links the actor to any specific ideological, espionage, or disruptive motives beyond the pursuit of illicit monetary proceeds.

In the reported incident, the actor employed phishing emails as the initial access vector, delivering a remote access trojan (RAT) to bank employees. The successful deployment of the RAT exploited multiple missing security controls, including the absence of a valid firewall license, lack of intrusion detection or prevention systems, insufficient phishing protections, missing virtual LAN segmentation, and inadequate employee cybersecurity training. Once inside the network, the RAT provided unauthorized access to interconnected systems, notably the core banking servers, where the actor altered balances in several accounts and transferred funds to numerous external accounts. The stolen proceeds were subsequently withdrawn from a large number of ATMs across India, while authorities managed to freeze a portion of the funds; investigations indicated that the illicit money was likely moved overseas through hawala networks or cryptocurrency conversions. Arrests related to the operation included Nigerian nationals and local accomplices who handled account operations and fund distribution, underscoring the actor’s reliance on a distributed criminal structure to execute and monetize the attack. This 2022 bank compromise serves as a representative example of the actor’s typical methodology and operational scope.

Incidents
Attributed incidents available to members
1 incident
Sources
Sources available to members
0 sources