Europol Shuts Down Major Phishing Scheme Targeting Mobile Phone Credentials

by Esmeralda McKenzie
Phishing Scheme


Law enforcement authorities have announced the takedown of an international criminal network that leveraged a phishing platform to unlock stolen or lost mobile phones.

The phishing-as-a-service (PhaaS) platform, called iServer, is estimated to have claimed more than 483,000 victims globally, led by Chile (77,000), Colombia (70,000), Ecuador (42,000), Peru (41,500), Spain (30,000), and Argentina (29,000).

“The victims are mainly Spanish-speaking nationals from European, North American and South American countries,” Europol said in a press statement.

The action, dubbed Operation Kaerb, involved the participation of law enforcement and judicial agencies from Spain, Argentina, Chile, Colombia, Ecuador, and Peru.

Pursuant to the joint exercise that took place between September 10 and 17, an Argentinian national responsible for developing and running the PhaaS service since 2018 has been arrested.

In total, the operation led to 17 arrests, 28 searches, and the seizure of 921 items, including mobile phones, electronic devices, vehicles, and weapons. As many as 1.2 million mobile phones are believed to have been unlocked to date.

“While iServer was essentially an automated phishing platform, its specific focus on harvesting credentials to unlock stolen phones set it apart from typical phishing-as-a-service offerings,” Group-IB said.

iServer, per the Singapore-based company, offered a web interface that enabled low-skilled criminals, known as “unlockers,” to siphon device passwords, user credentials from cloud-based mobile platforms, essentially permitting them to bypass Lost Mode and unlock the devices.

Cybersecurity

The criminal syndicate’s administrator advertised the access to these unlockers, who, in turn, used iServer to not only perform phishing unlocks, but also to sell their offerings to other third-parties, such as phone thieves.

The unlockers are also responsible for sending bogus messages to phone theft victims that aim to gather data allowing access to those devices. This is accomplished by sending SMS texts that urge the recipients to locate their lost phone by clicking on a link.

gib

This triggers a redirection chain that ultimately takes the victim to a landing page prompting them to enter their credentials, device passcode, and two-factor authentication (2FA) codes, which are then abused to gain illicit access to the device, turn off Lost Mode, and unlink the device from the owner’s account.

“iServer automates the creation and delivery of phishing pages that imitate popular cloud-based mobile platforms, featuring several unique implementations that enhance its effectiveness as a cybercrime tool,” Group-IB said.

euro

Ghost Platform Goes Down in Global Action

The development comes as Europol and the Australian Federal Police (AFP) revealed the dismantling of an encrypted communications network called Ghost (“www.ghostchat[.]net”) that facilitated serious and organized crime across the world.

The platform, which came included in a custom Android smartphone for about $1,590 for a six-month subscription, was used to conduct a wide range of illegal activities, such as trafficking, money laundering, and even acts of extreme violence. It’s just the latest addition to a list of similar services like Phantom Secure, EncroChat, Sky ECC, and Exclu that have been shut down on similar grounds.

“The solution used three encryption standards and offered the option to send a message followed by a specific code which would result in the self-destruction of all messages on the target phone,” Europol said. “This allowed criminal networks to communicate securely, evade detection, counter forensic measures, and coordinate their illegal operations across borders.”

Several thousand people are thought to have used the platform, with around 1,000 messages exchanged over the service every day prior to its disruption.

afp

Over the course of the investigation that commenced in March 2022, 51 suspects have been arrested: 38 in Australia, 11 in Ireland, one in Canada, and one in Italy belonging to the Italian Sacra Corona Unita mafia group.

Topping the list is a 32-year-old man from Sydney, New South Wales, who has been charged with creating and administering Ghost as part of Operation Kraken, along with several others who have been accused of using the platform for trafficking cocaine and cannabis, conducting drug distribution, and manufacturing a false terrorism plot.

It’s believed that the administrator, Jay Je Yoon Jung, launched the criminal enterprise nine years ago, netting him millions of dollars in illegitimate profits. He was apprehended at his home in Narwee. The operation has also resulted in the takedown of a drug lab in Australia, as well as the confiscation of weapons, drugs, and €1 million in cash.

The AFP said it infiltrated the platform’s infrastructure to stage a software supply chain attack by modifying the software update process to gain access to the content stored on 376 active handsets located in Australia.

“The encrypted communication landscape has become increasingly fragmented as a result of recent law enforcement actions targeting platforms used by criminal networks,” Europol noted.

Cybersecurity

“Criminal actors, in response, are now turning to a variety of less-established or custom-built communication tools that offer varying degrees of security and anonymity. By doing so, they seek new technical solutions and also utilize popular communication applications to diversify their methods.”

The law enforcement agency, besides stressing the need for access to communications among suspects to tackle serious crimes, called on private companies to ensure that their platforms don’t become safe havens for bad actors and provide ways for lawful data access “under judicial oversight and in full respect of fundamental rights.”

Germany Takes Down 47 Cryptocurrency Exchanges

The actions also coincide with Germany’s seizure of 47 cryptocurrency exchange services hosted in the country that enabled illegal money laundering activities for cybercriminals, including ransomware groups, darknet dealers, and botnet operators. The operation has been codenamed Final Exchange.

The services have been accused of failing to implement Know Your Customer (KYC) or anti-money laundering programs and intentionally obscuring the source of criminally obtained funds, thereby allowing cybercrime to flourish. No arrests were publicly announced.

“The Exchange services enabled barter transactions without going through a registration process and without checking proof of identity,” the Federal Criminal Police Office (aka Bundeskriminalamt) said. “The offer was aimed at quickly, easily and anonymously exchanging cryptocurrencies into other crypto or digital currencies in order to conceal their origin.”

U.S. DoJ Charges Two for $230 Million Cryptocurrency Scam

Capping off the law enforcement efforts to combat cybercrime, the U.S. Department of Justice (DoJ) said two suspects have been arrested and charged with conspiracy to steal and launder over $230 million in cryptocurrency from an unnamed victim in Washington D.C.

Malone Lam, 20, and Jeandiel Serrano, 21, and other co-conspirators are alleged to have carried out cryptocurrency thefts at least since August 2024 by gaining access to victims’ accounts, which were then laundered through various exchanges and mixing services.

The ill-gotten proceeds were then used to fund an extravagant lifestyle, such as international travel, nightclubs, luxury automobiles, watches, jewelry, designer handbags, and rental homes in Los Angeles and Miami.

“They laundered the proceeds, including by moving the funds through various mixers and exchanges using ‘peel chains,’ pass-through wallets, and virtual private networks (VPNs) to mask their true identities,” the DoJ said.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.



Related Posts