Spanish authorities have announced the arrest of a 25-year-old Brazilian national accused of being the mastermind behind the ‘GXC Team’ crime-as-a-service (CaaS) operation distributing phishing kits and Android malware.
The individual, known as GoogleXcoder, allegedly provided complete phishing services to cybercriminals who sold phishing kits targeting various banks and government entities.
The kits, the authorities say, were designed to clone the websites of the targeted institutions to deceive their users into providing their credentials to the attackers.
Miscreants, the Spanish police say, contacted GoogleXCoder via Telegram to hire his services for hundreds of dollars a day, to aid them in attacks that hit dozens of institutions and thousands of users, and caused millions of dollars in losses.
GoogleXCoder, the authorities say, lived the life of a “digital nomad”, periodically relocating between multiple homes in different Spanish provinces, and using phone lines and payment cards issued in the name of impersonated victims.
The police carried out searches at six locations in Valladolid, Zaragoza, Barcelona, Palma de Mallorca, San Fernando, and La Línea de la Concepción. They arrested GoogleXCoder in San Vicente de la Barquera Cantabria, and identified six other individuals allegedly associated with the CaaS operation.
The investigators seized electronic devices containing source code and financial records. They have deactivated GoogleXCoder’s Telegram channels and are examining digital evidence to identify other suspects.
According to cybersecurity firm Group-IB, which helped with the investigation, Android malware was also being sold through the GXC Team CaaS.
In addition to banks, the cybercriminals targeted ecommerce and transportation organizations in Brazil, Slovakia, Spain, the US, and the UK.
“Over the past year, investigators have tracked a wave of phishing campaigns that have resulted in millions of euros in financial losses. The arrest of GoogleXcoder neutralizes a key enabler of this criminal ecosystem and significantly disrupts the supply of tools used in widespread banking fraud schemes,” Group-IB says.
The CaaS operation, the cybersecurity firm notes, emerged in 2023, offering advanced phishing kits, an SMS-stealing Android trojan, and tools for AI-supported voice scams, as well as support services for cybercriminals using GXC tools.
“One of the group’s Telegram channels was brazenly named ‘Steal everything from grandmas’, reflecting the group’s ruthlessness,” Group-IB explains, noting that the authorities have recovered stolen funds from various digital platforms.
Related: Dutch Teens Arrested for Allegedly Helping Russian Hackers
Related: Interpol Says 260 Suspects in Online Romance Scams Have Been Arrested in Africa
Related: Scattered Spider Suspect Arrested in US
Related: Two Scattered Spider Suspects Arrested in UK; One Charged in US
