
BEC Groups Wage Multilingual Executive Impersonation Attacks Targeting Companies Worldwide

Discover how two BEC threat groups are using automated translation tools to execute payment fraud and payroll diversion attacks in several languages simultaneously.
February 16, 2023

Business email compromise (BEC) attacks are one of the fastest-growing and most financially destructive cyber threats in history. BEC attacks accounted for more than one-third of all cybercrime losses in 2021, totaling nearly $2.4 billion in damage for the year, and the FBI estimates there have been more than $43 billion in exposed losses since 2016.

While these attacks aren’t as common as phishing or identity theft, they represent the most expensive threat currently facing organizations internationally. Since 2016, BEC attacks have consistently ranked at the top of the FBI’s list of costliest cybercrimes in the United States.

But it turns out that BEC is prevalent beyond English-speaking countries.

Recently, we’ve identified two groups using executive impersonation to execute BEC attacks on companies worldwide. These groups are Midnight Hedgehog, which engages in payment fraud, and Mandarin Capybara, a group that executes payroll diversion attacks. Combined, they have launched BEC campaigns in at least 13 languages: Danish, Dutch, English, Estonian, French, German, Hungarian, Italian, Norwegian, Polish, Portuguese, Spanish, and Swedish.

This post will look at the tactics and techniques associated with each of these groups and provide some context about how organizations can defend themselves against multilingual email-based attacks.

(Want to learn more about how we name our threat groups? Check out the recent blog post on our BEC group naming convention.)

How Threat Actors Pull Off Targeted Multilingual Attacks

Attacking targets across various regions and in multiple languages is nothing new. In the past, however, these attacks were perpetrated mainly by sophisticated organizations with large budgets and more advanced resources. For example, to produce email text convincing enough for social engineering, a group would hire native speakers to write or translate it.

But, as technology becomes more accessible and affordable, it lowers the barrier to entry. We’ve consistently observed BEC actors leveraging the same commercial online services that sales and marketing teams rely on to identify prospects and personalize communications. Using these resources, BEC actors tend to collect target contact information—referred to as “leads”—within a certain geographic area, usually a single country or state.

And thanks to the proliferation of automated translation tools like Google Translate, scammers can instantly translate emails into whatever language they need. For instance, a group might run a campaign in the Netherlands with text in Dutch while simultaneously running the same campaign in Spain with text in Spanish.

Using widely available marketing technology and highly accurate translation apps, attackers can rapidly scale their efforts, maximizing their reach and wreaking havoc across the globe. And because many translation tools now use machine learning to capture context, translating the meaning of a sentence rather than each word individually, their output reads naturally enough to pass for text written by a native speaker.

Why does this matter? We’ve taught our users to look for spelling mistakes and grammatical errors to better identify when they may have received an attack. When these are not present, there are fewer alarm bells to alert native speakers that something isn’t right.

Midnight Hedgehog: Engaging in Payment Fraud Around the World

The first group we’ll look at uses executive impersonation to deceive recipients into making payments for bogus services, usually by posing as a company’s CEO. As with other impersonation attacks, Midnight Hedgehog actors appear to thoroughly research their target’s responsibilities and relationship to the CEO, then create lookalike email accounts that mimic the executive’s real one. Like many payment fraud attacks, the group targets finance managers or other executives responsible for initiating the company’s financial transactions.

We’ve seen attacks from Midnight Hedgehog dating back to at least January 2021. Their attacks have been sent both from accounts hosted on a variety of webmail providers, including Gmail, Yandex, EarthLink, and Web.de, and from domains the group registered through Namecheap or GoDaddy. Based on the intelligence we collected during our active defense engagements with the group, individuals associated with the group are likely located in multiple countries, including England, Canada, the United States, and Nigeria.

To date, we’ve observed two versions of Midnight Hedgehog’s initial emails written in 11 languages: Danish, Dutch, Estonian, French, German, Hungarian, Italian, Norwegian, Polish, Spanish, and Swedish.

In one version, the Midnight Hedgehog actor impersonates a CEO to make an urgent request for the target to complete a payment to a company in England. In a second version, the impersonator asks the target to share the company’s current bank account balance and requests that they promptly complete a payment for a specified amount.


Examples of Midnight Hedgehog emails in different languages

(Row 1: Danish, Dutch; Row 2: Estonian, French; Row 3: German, Hungarian; Row 4: Italian, Norwegian; Row 5: Polish, Spanish; Row 6: Swedish)

Through the active defense engagements we’ve conducted with Midnight Hedgehog actors, we’ve been able to see what a successful attack looks like once the target responds.

From that point, the attack plays out like most other payment fraud BEC attacks. After a recipient replies to the group’s initial email, the attacker provides the details of a bank account where the requested payment should be sent. The amounts requested have ranged from €16,000 to €42,000 (approximately $17,000 to $45,000).

Nearly all of the mule accounts we’ve collected that are linked to Midnight Hedgehog have been located in the United Kingdom, which is consistent with the other evidence that the group has a physical presence there. We’ve also seen the group use mule accounts at banks in Portugal, Germany, France, and Italy.


Examples of mule accounts provided by Midnight Hedgehog

Mandarin Capybara: Payroll Diversion in Multiple Languages

Another group that uses a variety of languages in their attacks is Mandarin Capybara, which also impersonates company executives. However, instead of engaging in payment fraud, Mandarin Capybara targets human resources employees in payroll diversion attacks, asking them to change the executive’s direct deposit details to an account under the group’s control.

The earliest Mandarin Capybara attack we’ve observed dates back to February 2021. The group has consistently used Gmail accounts to send their attacks, setting the display name in each email to the name of the executive being impersonated while the underlying address remains an ordinary Gmail account.

Unlike Midnight Hedgehog, which we’ve only seen target companies in Europe with non-English messages, Mandarin Capybara has attacked companies around the world. We’ve observed the group target American and Australian companies in English, Canadian organizations in French, and European companies in eight languages: Dutch, French, German, Italian, Polish, Portuguese, Spanish, and Swedish.

Mandarin Capybara’s initial emails are similar to many other payroll diversion templates we see every day: the attacker, posing as the executive, asks whether their payroll account can be updated so that the change takes effect before the next payday. We’ve observed multiple instances where the group launched a BEC campaign in one language, then initiated a second campaign from the same email account in a different language, targeting a different organization.
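The two observable traits described above, a free-webmail sender whose display name matches an executive and one sender address reused across messages in different languages, can both be checked from message headers and body text. The following is an added example, not code from the original post or from Abnormal; the executive roster, domain lists, stopword tables and sample messages are all constructed for the example, and the stopword-overlap language guess is a deliberately small stand-in for a real language identifier.

```python
"""Added example (not Abnormal's code): flag display-name impersonation of an
executive from a free webmail account, and record the language seen per sender
so that one address used for campaigns in several languages stands out."""
import re
import unicodedata
from collections import defaultdict
from email.utils import parseaddr

# Constructed organisation data for the example.
ORG_DOMAINS = {"example.com"}
EXECUTIVES = {"Jane Doe": "jane.doe@example.com",
              "Erik Larsen": "erik.larsen@example.com"}
# Providers named in the post for these groups, plus a few common equivalents.
FREE_WEBMAIL = {"gmail.com", "yandex.com", "earthlink.net", "web.de",
                "runbox.com", "proton.me", "protonmail.com", "rambler.ru"}

# Tiny stopword sets: enough to separate the sample languages, not a real
# language identifier. Swap in a proper library for production use.
STOPWORDS = {
    "en": {"the", "and", "can", "you", "my", "before", "have", "please"},
    "nl": {"ik", "wil", "graag", "mijn", "voor", "de", "kunt", "een", "het"},
    "de": {"ich", "und", "bitte", "mein", "meine", "für", "die", "das", "kann"},
    "fr": {"je", "et", "vous", "mon", "pour", "le", "la", "avant"},
    "es": {"yo", "mi", "para", "por", "favor", "antes", "puede", "cuenta"},
    "it": {"io", "il", "mio", "per", "prima", "può", "favore", "conto"},
}


def normalize_name(name):
    """Lower-case, strip accents and punctuation so 'Erík  Larsen' == 'erik larsen'."""
    decomposed = unicodedata.normalize("NFKD", name)
    ascii_only = "".join(c for c in decomposed if not unicodedata.combining(c))
    return " ".join(re.sub(r"[^a-z ]", " ", ascii_only.lower()).split())


def guess_language(text):
    """Return the language whose stopwords overlap the text most, else 'unknown'."""
    tokens = set(re.findall(r"[a-zà-ÿ]+", text.lower()))
    best, best_hits = "unknown", 0
    for lang, words in STOPWORDS.items():
        hits = len(tokens & words)
        if hits > best_hits:
            best, best_hits = lang, hits
    return best


def analyze(messages):
    """messages: dicts with 'from', 'to', 'body'. Returns (findings, languages_by_sender)."""
    findings = []
    languages_by_sender = defaultdict(set)
    for msg in messages:
        display, addr = parseaddr(msg["from"])
        addr = addr.lower()
        domain = addr.rsplit("@", 1)[-1]
        lang = guess_language(msg["body"])
        languages_by_sender[addr].add(lang)
        if domain in ORG_DOMAINS:
            # Internal sender: a forged From in our own domain is a job for
            # SPF/DKIM/DMARC, not for the display-name check.
            continue
        for exec_name, exec_addr in EXECUTIVES.items():
            if normalize_name(display) == normalize_name(exec_name) and addr != exec_addr:
                findings.append({"from": addr, "impersonates": exec_name,
                                 "free_webmail": domain in FREE_WEBMAIL,
                                 "language": lang, "to": msg["to"]})
    return findings, {s: sorted(l) for s, l in languages_by_sender.items()}


# Constructed sample traffic: one Gmail account, same executive name, Dutch
# then English, mixed with a legitimate internal mail and a vendor mail.
SAMPLE_MESSAGES = [
    {"from": '"Jane Doe" <ceo.office4412@gmail.com>', "to": "hr@example.com",
     "body": "Hallo, ik wil graag mijn bankrekening voor de salarisbetaling "
             "wijzigen voor de volgende betaaldag. Kunt u dit voor mij regelen?"},
    {"from": '"Jane Doe" <jane.doe@example.com>', "to": "hr@example.com",
     "body": "Hi, please send me the Q3 figures before Friday."},
    {"from": '"Jane  Doe" <ceo.office4412@gmail.com>', "to": "payroll@example.com",
     "body": "Hi, can you update my direct deposit details before the next "
             "payroll run? I have a new account."},
    {"from": '"Bob Vendor" <bob@vendor.example>', "to": "ap@example.com",
     "body": "Invoice attached."},
]

if __name__ == "__main__":
    hits, langs = analyze(SAMPLE_MESSAGES)
    for h in hits:
        print(h)
    print(langs)
```

Within a single organisation the per-sender language table only shows reuse against that organisation's own recipients; the cross-company reuse the post describes needs visibility across tenants, which is why it surfaced in vendor telemetry rather than in any one customer's mail logs.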


Examples in which Mandarin Capybara used the same email address for a campaign in one language, followed by another campaign with the same message in a different language.

The intelligence we’ve gathered in our active defense engagements with Mandarin Capybara shows that, while the group commonly uses mule accounts in countries other than the United States, the types of accounts are similar to the mule accounts used in payroll diversion attacks targeting US companies.

Unlike other types of payment fraud BEC attacks, a vast majority of payroll diversion attacks use non-traditional fintech accounts to receive fraudulent funds.

In the United States, the most common banks used by payroll diversion actors are Green Dot, GoBank, Sutton Bank, and MetaBank, all of which are linked to either prepaid cards or mobile payment services like Cash App. Similarly, Mandarin Capybara has set up mule accounts at European fintech institutions like Revolut, Saurus, Monese, Bunq, and SisalPay to receive funds from their payroll diversion attacks.


Examples of mule accounts collected from Mandarin Capybara

How to Protect Your Company Against Multilingual BEC Attacks

As email marketing and translation tools become more accurate, effective, and accessible, we will continue to see attackers exploiting them to scam companies with increasing success. And because these emails read as legitimate and rely on behavioral manipulation rather than malicious attachments or links, Midnight Hedgehog, Mandarin Capybara, and similar BEC groups can easily bypass legacy security systems and spam filters that look for malware and known-bad indicators.

So what can be done? It’s important to put procedures in place to verify outgoing payments and payroll updates, for example by confirming any new bank account or direct deposit change by phone using a number already on file, never one supplied in the email, and to keep your workforce vigilant with security awareness training. But the best way to prevent your employees from falling for these attacks is to ensure that they never receive them in the first place.

To do so, it is essential to implement behavior-based security that uses machine learning and AI to understand identity and behavior. Solutions that baseline normal behavior can provide the context needed to determine when anomalous behavior is occurring, no matter which language the attack is written in.
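Alongside behavioral detection, the addresses in Appendices A and B can be matched directly against inbound mail. The following is an added example, not code from the original post or from Abnormal: it refangs a small excerpt of the appendix entries (the `[at]` form the post uses), canonicalises addresses before comparison, and checks the headers where a BEC sender's address commonly appears. The sample headers are constructed. One caveat a naive exact match misses: Gmail ignores dots in the local part and anything after a `+`, so `c.c.pr112+hr@gmail.com` delivers to the same mailbox as the listed `cc.pr112@gmail.com` and must be matched as such.

```python
"""Added example (not Abnormal's code): match inbound mail headers against the
defanged sender addresses published in the post's appendices."""
from email.utils import parseaddr

# Excerpt of Appendix A and B entries, copied in the defanged form used above.
APPENDIX_IOCS = """
ceo[at]ceo-gmbh.me
noreply[at]lnfoguard.ch
cc.pr112[at]gmail.com
mngdirectr6[at]protonmail.com
directeur.mail47[at]gmail.com
"""

# Providers that treat the local part as dot-insensitive and strip '+tags'.
DOT_INSENSITIVE = {"gmail.com", "googlemail.com"}
# Headers in which the attacker's real address tends to surface.
HEADERS_TO_CHECK = ("From", "Reply-To", "Return-Path", "Sender")


def refang(entry):
    """Turn 'user[at]domain[.]tld' back into a normal address."""
    return entry.strip().lower().replace("[at]", "@").replace("[.]", ".")


def canonical(addr):
    """Lower-case, and for dot-insensitive providers drop dots and '+tag'
    from the local part so cosmetic variants of one mailbox compare equal."""
    addr = addr.strip().lower()
    if "@" not in addr:
        return addr
    local, domain = addr.rsplit("@", 1)
    if domain in DOT_INSENSITIVE:
        local = local.split("+", 1)[0].replace(".", "")
        domain = "gmail.com"  # googlemail.com is an alias of gmail.com
    return f"{local}@{domain}"


def load_iocs(text):
    """Parse a defanged list (one entry per line) into a canonical set."""
    return {canonical(refang(line)) for line in text.splitlines() if line.strip()}


def match_headers(headers, iocs):
    """headers: dict of header name -> raw value.
    Returns [(header, address)] for every address that canonicalises to an IOC."""
    hits = []
    for name in HEADERS_TO_CHECK:
        value = headers.get(name)
        if not value:
            continue
        _, addr = parseaddr(value)
        if addr and canonical(addr) in iocs:
            hits.append((name, addr))
    return hits


# Constructed sample headers: a re-dotted Gmail variant of a listed address,
# a clean-looking From with a listed Reply-To, and a legitimate message.
SAMPLE_HEADERS = [
    {"From": '"Directeur" <c.c.pr112+hr@gmail.com>'},
    {"From": '"CEO" <ceo@legit-company.example>',
     "Reply-To": "noreply@lnfoguard.ch"},
    {"From": '"Jane Doe" <jane.doe@example.com>'},
]

if __name__ == "__main__":
    iocs = load_iocs(APPENDIX_IOCS)
    for sample in SAMPLE_HEADERS:
        print(match_headers(sample, iocs))
```

Indicator lists like these age quickly; the groups rotate free-mail accounts, so treat a hit as high-confidence but a miss as no evidence either way.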


Discover how Abnormal helps protect organizations from BEC attacks and other emerging threats. Schedule a demo today.

Appendix A: Email Addresses Associated with Previous Midnight Hedgehog BEC Campaigns

082-email[at]myvoda-za.com

admin.direktor7[at]okonomichef.com

algdir[at]web.de

algdirecteur[at]yandex.com

algdsrct[at]earthlink.net

algemeenmgr1[at]gmail.com

algmeeng1[at]gmail.com

algmeeni[at]gmail.com

algmeenn[at]gmail.com

algmndt[at]gmail.com

algn1directeur[at]gmail.com

algndirecteur[at]yandex.com

am.delegato[at]runbox.com

bureau[at]ceo-gmbh.me

ce.pres1010[at]gmail.com

ceo[at]ceo-gmbh.me

ceo[at]the-directors.eu

ceo[at]verwaltung.agency

ceon[at]chf-pdg.com

dannysuzana87[at]gmail.com

davidmoore001.davi[at]yandex.com

diirecteurr[at]gmail.com

directeeur.emaillene[at]gmail.com

directeur.mail47[at]gmail.com

directeur.mail74[at]gmail.com

directeur.mail8[at]gmail.com

directeur[at]esbcde.de

directeurceoi13[at]gmail.com

directeuremaiil[at]gmail.com

directeuremaillene[at]gmail.com

directeurr.emaill[at]gmail.com

director[at]spiinero.com

directteurremaillen[at]gmail.com

direktor[at]dirctor.com

direktor[at]hughes.net

direktor[at]officerroy.com

direktor[at]oficeereply.com

dirrector[at]spiinero.com

e[at]europaays.info

e[at]officereply.net

e3cof[at]yandex.com

eu[at]bluxmail.net

infos[at]axb.quest

lancebradley03[at]gmail.com

mail.officegmbh[at]gmail.com

mail[at]ceo-gmbh.me

mail[at]voda-nl.com

mailprivateinbox[at]yandex.com

mnagdts5[at]proton.me

mngdirectr6[at]protonmail.com

noreply[at]lnfoguard.ch

office[at]ikubfj.com

officedirector[at]directorr.net

pertunia[at]mdwfza.com

petethomp46[at]gmail.com

regisseeurr[at]gmail.com

sudanny820[at]gmail.com

tht3[at]rambler.ru

Appendix B: Email Addresses Associated with Previous Mandarin Capybara BEC Campaigns

adkljal.de[at]gmail.com

anu.t531[at]gmail.com

cc.be.1251[at]gmail.com

cc.bejjj[at]gmail.com

cc.pr112[at]gmail.com

ce.ne3446[at]gmail.com

ck.be9901[at]gmail.com

co.bc.12511[at]gmail.com

co.ge01645[at]gmail.com

co.ge0914[at]gmail.com

co.ge2638[at]gmail.com

co.ge7839[at]gmail.com

co.ge8393[at]gmail.com

contact26778[at]gmail.com

contact27819[at]gmail.com

contact7028[at]gmail.com

esource14[at]gmail.com

file32866[at]gmail.com

fo.de2433[at]gmail.com

fo.it043234[at]gmail.com

fo.it2908[at]gmail.com

fo.it778899[at]gmail.com

fw.it629[at]gmail.com

gll.de9p2[at]gmail.com

gn9875544[at]gmail.com

graceandglory698[at]gmail.com

ha.we1251[at]gmail.com

heyn7721[at]gmail.com

ho.it892005[at]gmail.com

imko1232[at]gmail.com

info000509[at]gmail.com

info006645[at]gmail.com

info10909[at]gmail.com

info12809[at]gmail.com

info20615.001[at]gmail.com

info43825[at]gmail.com

info60894[at]gmail.com

info60999[at]gmail.com

info66798[at]gmail.com

info67984[at]gmail.com

info68096[at]gmail.com

info868.71pf[at]gmail.com

info904578[at]gmail.com

iyanuatiayo[at]gmail.com

japsosa[at]gmail.com

jd630835[at]gmail.com

kl.be8708[at]gmail.com

kl38492.it[at]gmail.com

llc0001107[at]gmail.com

ma.ee.12511[at]gmail.com

mk.de41[at]gmail.com

mkdde08[at]gmail.com

mkde156[at]gmail.com

mkde630[at]gmail.com

mkjll.de21[at]gmail.com

mkkbe90[at]gmail.com

mwjjjon[at]gmail.com

na.es23477[at]gmail.com

ne.be12511[at]gmail.com

newh5803[at]gmail.com

nknkl2469[at]gmail.com

nn.be442[at]gmail.com

oc.ge4918[at]gmail.com

od.wa12511[at]gmail.com

oduk231[at]gmail.com

office560.de[at]gmail.com

officedoc.ch[at]gmail.com

ofowk2[at]gmail.com

ogb.de36[at]gmail.com

oh.it196287[at]gmail.com

omnk2342[at]gmail.com

onkl677[at]gmail.com

onmj34[at]gmail.com

ow.uk23[at]gmail.com

pavel.lukas2[at]gmail.com

qnoi289[at]gmail.com

sapjjj.nl[at]gmail.com

timmo0120[at]gmail.com

we.de9484[at]gmail.com

whome8424[at]gmail.com

workh5997[at]gmail.com

xa.de2358[at]gmail.com
