Europol dismantles major phishing platform used to unlock stolen mobile phones


Law enforcement agencies have announced that they have busted an international criminal network that used a phishing platform to unlock stolen or lost mobile phones.

The phishing-as-a-service (PhaaS) platform, called iServer, is estimated to have affected more than 483,000 victims worldwide, with Chile (77,000), Colombia (70,000), Ecuador (42,000), Peru (41,500), Spain (30,000) and Argentina (29,000) leading the way.

“The victims are mainly Spanish-speaking nationals from European, North American and South American countries,” Europol said in a press release.

The operation, called Operation Kaerb, involved law enforcement and judicial authorities from Spain, Argentina, Chile, Colombia, Ecuador and Peru.

Following the joint action, which took place between September 10 and 17, an Argentine national responsible for developing and operating the PhaaS service since 2018 was arrested.

In total, the operation resulted in 17 arrests, 28 house searches and the seizure of 921 items, including mobile phones, electronic devices, vehicles and weapons. It is believed that 1.2 million mobile phones have been unlocked so far.

“While iServer was essentially an automated phishing platform, it differentiated itself from typical phishing-as-a-service offerings with its specific focus on collecting credentials to unlock stolen phones,” Group-IB said.

iServer offered a web interface that allowed low-skilled criminals, known as “unlockers,” to steal device passwords and user credentials from mobile cloud platforms, essentially bypassing Lost Mode and unlocking the devices, according to the Singapore-based company.

The administrator of the criminal network sold access to the platform to these unlockers, who in turn used iServer not only to perform phishing unlocks themselves but also to sell unlocking services to other third parties, such as phone thieves.

The unlockers are also the ones who send the lure messages to phone theft victims. These are text messages that urge the recipient to locate their lost phone by clicking on a link, with the aim of harvesting the data needed to gain access to the device.

The link starts a redirect chain that eventually lands the victim on a page imitating the vendor's cloud service, where they are asked to enter their account credentials, device passcode, and two-factor authentication (2FA) codes. With those in hand, the unlocker signs in as the owner, disables Lost Mode, and unlinks the device from the owner's account so it can be resold.
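The lure-to-landing-page chain above is the part a defender can actually triage. The following is an added example (not code from the article, Group-IB or Europol) that scores an SMS for the lost-phone lure vocabulary, pulls out its URL, walks a redirect chain, and flags a final hostname that borrows a vendor brand without belonging to the vendor's domain. The sample message, the redirect map standing in for HTTP 30x responses, the lure patterns and the brand token list are all constructed for the example; a real deployment would pull the redirects from an isolated fetcher and the patterns from observed lures.

```python
"""Triage of 'locate your lost phone' SMS lures (constructed example)."""
import re
from urllib.parse import urlsplit

# Lure vocabulary, constructed for the example; extend from real samples.
LURE_PATTERNS = [
    r"\b(lost|stolen|missing)\b.{0,40}\b(phone|iphone|device)\b",
    r"\b(located|found|detected)\b",
    r"\b(find my|lost mode|view location|locate)\b",
]
# Brand tokens the landing pages borrow, and the real suffixes they are allowed on.
BRAND_TOKENS = {"icloud", "apple", "findmy", "google", "android"}
LEGIT_SUFFIXES = (".apple.com", ".icloud.com", ".google.com", ".android.com")

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Constructed redirect map: stands in for following 30x responses with a fetcher.
REDIRECTS = {
    "https://lnk.example/abc123": "https://track.ads.example/r?id=9",
    "https://track.ads.example/r?id=9": "https://icloud-findmy-support.example/locate",
}
SAMPLE_SMS = "Your lost iPhone has been located. View location now: https://lnk.example/abc123"


def extract_urls(text):
    return URL_RE.findall(text)


def lure_score(text):
    """Number of lure patterns present (0..len(LURE_PATTERNS))."""
    t = text.lower()
    return sum(1 for p in LURE_PATTERNS if re.search(p, t))


def resolve_chain(url, redirect_map, max_hops=10):
    """Follow the constructed redirect map; returns every hop including the start."""
    hops = [url]
    while hops[-1] in redirect_map and len(hops) <= max_hops:
        hops.append(redirect_map[hops[-1]])
    return hops


def host_of(url):
    return (urlsplit(url).hostname or "").lower()


def impersonates_brand(host):
    """True if a brand token appears in a host that is not on the brand's own domain."""
    bare = {s.lstrip(".") for s in LEGIT_SUFFIXES}
    if host in bare or host.endswith(LEGIT_SUFFIXES):
        return False
    squashed = host.replace("-", "").replace(".", "")
    return any(tok in squashed for tok in BRAND_TOKENS)


def triage(sms, redirect_map):
    """One finding per URL in the message."""
    findings = []
    score = lure_score(sms)
    for url in extract_urls(sms):
        chain = resolve_chain(url, redirect_map)
        final_host = host_of(chain[-1])
        findings.append({
            "url": url,
            "hops": len(chain) - 1,
            "final_host": final_host,
            "brand_lookalike": impersonates_brand(final_host),
            "lure_score": score,
        })
    return findings


def verdict(finding):
    """Lure wording plus either a lookalike host or a multi-hop chain is the phish signature."""
    if finding["lure_score"] >= 2 and (finding["brand_lookalike"] or finding["hops"] >= 2):
        return "phish"
    if finding["lure_score"] or finding["brand_lookalike"]:
        return "suspicious"
    return "benign"


if __name__ == "__main__":
    for f in triage(SAMPLE_SMS, REDIRECTS):
        print(verdict(f), f)
```

The verdict deliberately requires two independent signals, because lost-phone wording alone also appears in genuine vendor notifications, and a single redirect is common in legitimate SMS marketing.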

“iServer automates the creation and delivery of phishing pages that imitate popular cloud-based mobile platforms, with several unique implementations that increase its effectiveness as a cybercrime tool,” Group-IB said.

Ghost Platform Goes Down in Global Action

The development comes after Europol and the Australian Federal Police (AFP) revealed the dismantling of an encrypted communications network called Ghost (‘www.ghostchat(.)net’) that facilitated serious and organised crime around the world.

The platform, which was sold pre-installed on modified Android smartphones for around $1,590 for a six-month subscription, was used to carry out a wide range of illegal activities, including human trafficking, money laundering, and even extreme violence. It is the latest addition to a list of similar services, including Phantom Secure, EncroChat, Sky ECC, and Exclu, that have been shut down for the same reasons.

“The solution used three encryption standards and offered the option to send a message followed by a specific code that would cause all messages on the target phone to self-destruct,” Europol said. “This allowed criminal networks to communicate securely, evade detection, defeat forensic measures and coordinate their illegal operations across borders.”

It is thought that thousands of people used the platform, with around 1,000 messages being exchanged via the service daily before the takedown.

During the investigation, which started in March 2022, 51 suspects were arrested: 38 in Australia, 11 in Ireland, one in Canada and one in Italy, the last of whom belonged to the Italian mafia group Sacra Corona Unita.

At the top of the list is a 32-year-old man from Sydney, New South Wales, who was arrested as part of Operation Kraken and is accused of setting up and running Ghost. Several others are accused of using the platform to traffic cocaine and cannabis, distribute drugs and devise a false terrorist plot.

It is believed that the administrator, Jay Je Yoon Jung, started the criminal enterprise nine years ago, which earned him millions of dollars in illegal profits. He was arrested at his home in Narwee. The operation also resulted in the dismantling of a drug lab in Australia, as well as the seizure of weapons, drugs and €1 million in cash.

According to the AFP, investigators infiltrated the platform's infrastructure and mounted what amounts to a supply-chain attack on Ghost itself: by modifying the software update process, they gained access to content stored on 376 active devices in Australia.

“The encrypted communications landscape has become increasingly fragmented as a result of recent law enforcement actions targeting platforms used by criminal networks,” Europol said.

“In response, criminal actors are now turning to a variety of less established or custom-built communications tools that offer varying levels of security and anonymity. In doing so, they are seeking new technical solutions and also using popular communications applications to diversify their methods.”

The law enforcement agency not only stressed the need for access to communications between suspects to tackle serious crimes, but also called on private companies to ensure that their platforms do not become safe havens for malicious actors and to provide ways for lawful access to data “under judicial supervision and in full respect of fundamental rights.”

Germany Takes Down 47 Cryptocurrency Exchanges

The actions also coincide with Germany's seizure of 47 cryptocurrency exchange services hosted in the country that facilitated money laundering for cybercriminals, including ransomware groups, darknet dealers and botnet operators. The operation is codenamed Final Exchange.

The services are accused of failing to implement Know Your Customer (KYC) or anti-money laundering programs and of deliberately disguising the source of criminally obtained funds, allowing cybercrime to flourish. No arrests have been made public.

“The exchange services enabled exchange transactions without going through a registration process and without checking proof of identity,” the Federal Criminal Police Office (also known as the Bundeskriminalamt) said. “The offer was aimed at quickly, easily and anonymously exchanging cryptocurrencies for other crypto or digital currencies in order to conceal their origin.”

US Justice Department charges two people in $230 million cryptocurrency fraud

Separately, the U.S. Department of Justice (DoJ) announced that two suspects have been arrested and charged with conspiring to steal and launder more than $230 million in cryptocurrency from an unnamed victim in Washington, D.C.

Malone Lam, 20, and Jeandiel Serrano, 21, together with other accomplices, are believed to have been stealing cryptocurrency since at least August 2024. They are said to have gained access to their victims' accounts, after which the stolen funds were laundered through various exchanges and mixing services.

The ill-gotten proceeds were then used to finance an extravagant lifestyle, including international travel, nightclubs, luxury cars, watches, jewelry, designer bags, and rental properties in Los Angeles and Miami.

“They laundered the proceeds by, among other things, moving the funds through various mixers and exchanges using peel chains, pass-through wallets, and virtual private networks (VPNs) to conceal their true identities,” the DoJ said.
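The "peel chain" the DoJ refers to is a recognisable on-chain shape: a large balance hops through a series of fresh addresses, and at each hop a small slice is peeled off to a different destination (often an exchange deposit address) while the bulk moves on. The following is an added example, not code from the DoJ, the article, or any tracing vendor, that walks a constructed ledger from a starting address and reports the hops, the peeled outputs, and which of them land on addresses in a constructed list of known exchange deposits. It ignores fees, multi-input transactions and CoinJoin-style mixing; a real tracer would read from a node or indexer and handle those cases.

```python
"""Peel-chain tracing over a constructed transaction list (example only)."""

# Constructed ledger: each tx spends one address and pays two outputs.
# tx1..tx4 form a peel chain from A0; tx5 breaks the pattern (three outputs).
TXS = [
    {"txid": "tx1", "inputs": ["A0"], "outputs": [("X1", 2.0), ("A1", 98.0)]},
    {"txid": "tx2", "inputs": ["A1"], "outputs": [("X2", 1.5), ("A2", 96.5)]},
    {"txid": "tx3", "inputs": ["A2"], "outputs": [("A3", 93.5), ("X3", 3.0)]},
    {"txid": "tx4", "inputs": ["A3"], "outputs": [("X4", 2.5), ("A4", 91.0)]},
    {"txid": "tx5", "inputs": ["A4"], "outputs": [("B1", 30.0), ("B2", 30.0), ("B3", 31.0)]},
]
# Constructed attribution: deposit addresses belonging to exchanges.
KNOWN_EXCHANGE_DEPOSITS = {"X1", "X2", "X3", "X4"}


def spending_tx(addr, txs):
    """First transaction that spends from addr, or None if unspent."""
    for tx in txs:
        if addr in tx["inputs"]:
            return tx
    return None


def follow_peel_chain(start_addr, txs, min_bulk_ratio=0.8):
    """Walk forward from start_addr while each hop looks like a peel.

    A hop qualifies when the spending tx has exactly two outputs, the larger
    output carries at least min_bulk_ratio of the total, and the larger output
    goes to an address not seen earlier in the chain (a fresh change address).
    """
    hops, peeled, seen_addrs = [], [], {start_addr}
    addr = start_addr
    while True:
        tx = spending_tx(addr, txs)
        if tx is None or len(tx["outputs"]) != 2:
            break
        (a1, v1), (a2, v2) = tx["outputs"]
        bulk, peel = ((a1, v1), (a2, v2)) if v1 >= v2 else ((a2, v2), (a1, v1))
        if bulk[1] / (v1 + v2) < min_bulk_ratio or bulk[0] in seen_addrs:
            break
        hops.append(tx["txid"])
        peeled.append(peel)
        seen_addrs.add(bulk[0])
        addr = bulk[0]
    return {
        "hops": hops,
        "peeled": peeled,
        "resting_addr": addr,
        "peeled_total": round(sum(v for _, v in peeled), 8),
    }


def cashout_points(result, known_deposits):
    """Peeled outputs that landed on attributed exchange deposit addresses."""
    return [(a, v) for a, v in result["peeled"] if a in known_deposits]


if __name__ == "__main__":
    r = follow_peel_chain("A0", TXS)
    print(r)
    print("cash-out points:", cashout_points(r, KNOWN_EXCHANGE_DEPOSITS))
```

The useful output for an investigator is the list of cash-out points: each is a small deposit at an exchange that can be served with a legal request, while the bulk of the funds sits at the resting address waiting for the next hop.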
