A new cybercriminal group, Marco Polo, which has been operating since at least 2018, has been uncovered by security researchers. The oddity of this group is its sheer size, organization, and infrastructure. In fact, the size of the operation has led experts to estimate they they are stealing millions of dollars.
The Marco Polo group targets influential members of the gaming, crypto, and related Web3 communities. With members identified in Eastern Europe, Russia, and Ukraine, this group was most likely unleashed by a transnational criminal organization.
Marco Polo: A symbol of transnational cybercriminal infrastructure
Speaking at the the opening of the Interpol Americas meeting, Jürgen Stock, Secretary General of Interpol, warned the world that transnational criminal syndicates linked to drug and human trafficking are leveraging artificial intelligence to maximize profits, expanding their operations to never-seen-before levels.
“Police officers today are witnessing what is an unprecedented increase in transnational threats, or crises, on a global scale,” Stock said. “A convergence driven by a never-ending thirst of criminal networks to expand their transcontinental grip and maximize their illicit proceeds.”
Transnational criminals that respond to no nation-state have become a state of their own. These groups take to the internet to generate an estimated trillions of dollars in cybercrimes.
Insikt Group reveals Marco Polo’s “hydra heads”
Thanks to Insikt Group’s new technical investigation, cybersecurity researchers are now getting a glimpse of just how powerful these groups can be and the how big their infrastructure and resources are.
More concerning still, exposing these scams is like cutting off one head of the mythical hydra. For every 1 that is cut off, 2 grow back to take its place.
Marco Polo has infected thousands of devices, is running multiple scams simultaneously (30 identified in total ), and operates 50 pieces of malware (including macOS stealers). It has also created dozens of fake malicious domains, generated fake brands, and mastered social media spear-phishing.
It would take several months to fully analyze the Insikt Group report on Marco Polo and uncover the many types of malware, the techniques, and the tools that this group leverages. However, some key highlights jump out right away.
The first evidence of Marco Polo dates back to 2018, with one domain created that year. It was not until 2024 that the group’s infrastructure exploded in size, which could signal the use of automation and AI to scale.
Armed with state-of-the-art malware, Marco Polo targets geeks
In a recent campaign, Marco Polo used social engineering phishing tactics to redirect victims’ traffic to malicious sites and downloads. Their approach indicates that they are highly successful at tricking victims. And these are not just any victims — the prime targets in their sights are tech-savvy gamers and influential crypto users.
Marco Polo threat actors also investigate their targets before contacting them. This allows them to create more convincing interactions to trick their victims, despite the fact that members of this community typically have higher levels of cybersecurity awareness.
Insikt Group revealed that Marco Polo also uses the Atomic macOS stealer, which rents out on the dark web for more than $1,000 a month. This high-priced malware, combined with a wide range of other malware it uses — including HijackLoader, Stealc, and Rhadamanthys — shows that the group is highly invested and committed to its large-scale digital financial heist.
Marco Polo has also breached Zoom meeting software builds, infiltrated software cracks, and poisoned torrent downloads.
How many devices has Marco Polo infected, and what are they after?
Insikt Group estimates that tens of thousands of devices are likely to have been compromised worldwide by Marco Polo, resulting in millions of dollars in illicit revenue.
The group appears to go after any operating system and does not draw the line between users and enterprises. From identity theft to data breaches, reputation damage, and financial damage, Marco Polo’s massive operation shines a light on the difficult reality and the dangers that transnational criminal syndicates pose to the cyber world.
Moonlock checked IPs and domains linked to this group and found that some had been taken down completely, indicating a coordinated action to swiftly cover their digital tracks.
Usually, when criminal groups have this type of infrastructure in place, they will have parallel campaigns already created and on standby, ready to go. Once their scams, fake sites, and software are exposed by security researchers, they just shut down the exposed sites and release a new wave of yet undetected malicious sites and downloads to avoid downtime and keep their criminal operations running smoothly.
Stay one step ahead by knowing how Marco Polo strikes
While Marco Polo is capable of evolving and adapting — and uses advanced malware known to be effective against Macs — users and organizations can still protect themselves by understanding how the group strikes.
All of their attacks require users to engage with a message sent via social media or other means. This requires clicking on a link and, furthermore, downloading software that appears legitimate. Therefore, the first and most important tool for preventing Marco Polo attacks is cybersecurity awareness. Users should never underestimate how effective spear-phishing can be.
Keeping your guard up is easier if you analyze the attack chain of Marco Polo. The group creates fake sites and fake software impersonating web3 decentralized games, crypto projects, Zoom impersonators, video meeting apps, and other meeting software.
While their fake sites are now mostly gone, the group is likely to either continue targeting this population or move to a closely related one that includes, for example, finance and fintech.
If you want to check the full list of websites, software, and brands that this group has created, you can find them in the original Insikt report.
Remember, Marco Polo’s operation is undoubtedly impressive, vast, and global, and its abilities and capabilities are undeniable. However, they still require action on your side to breach your device.
Always download apps and software through official app stores and channels. Stay on top of cybersecurity news and share updates with colleagues, friends, and family. Finally, do not respond to suspicious messages, no matter how professional they might seem.
Final thoughts
The cybercriminal group Marco Polo poses a significant and evolving threat to individuals and organizations alike. Their ability to adapt their tactics and rebrand scams makes them difficult to detect and avoid.
Marco Polo’s massive infrastructure is comparable in size to disinformation attackers that leverage multiple domains and social media under a centralized, coordinated, and goal-oriented objective.
However, the Marco Polo group, unlike disinformation attackers, has no interest in social or political agendas. They are out for money, pure and simple, no matter who it belongs to.
Because cybercriminals respond to no one, Marco Polo will only continue to release fake sites and fake software until they are brought down.
In the future, cybersecurity researchers may find that Marco Polo has changed its name, is using new malware, and has created new sites. Until the entire organization is dismantled, cutting off the individual heads will not keep this monster at bay.