
The Spanish Guardia Civil has dismantled the “GXC Team” cybercrime operation and arrested its alleged leader, a 25-year-old Brazilian known as “GoogleXcoder”.
The GXC team operated a crime-as-a-service (CaaS) platform offering AI-powered phishing kits, Android malware, and voice-scam tools through Telegram and a Russian-speaking hacker forum.
“The Civil Guard has dismantled one of the most active criminal organizations in the field of phishing in Spain, with the arrest of a 25-year-old Brazilian youth, considered the main provider of tools for large-scale credential theft in the Spanish-speaking environment,” the Guardia Civil announced.
Group-IB is monitoring the operation and says the GXC team was targeting banks, transportation and e-commerce entities in Spain, Slovakia, the UK, the US and Brazil.

The phishing kit mimicked the websites of dozens of Spanish and international institutions and operated at least 250 phishing sites.
The threat group has also developed at least nine Android malware strains that intercept SMS and one-time passwords (OTPs), which are useful for hijacking accounts and validating fraudulent transactions.
The GXC Team also provided full technical support and campaign customization services to its clients, operating as a professional-grade, high-yield crime platform.
A police operation carried out on 20 May included coordinated raids in Cantabria, Valladolid, Zaragoza, Barcelona, Palma de Mallorca, San Fernando and La Línea de la Concepción.
During these actions, authorities seized electronic devices containing phishing kit source code, communications with customers, and financial records.

Law enforcement agents recovered cryptocurrency stolen from victims and shut down Telegram channels used to promote the scams. The name of one of these channels was “Steal everything from grandma.”
Authorities said the nationwide raid was made possible by seized devices and by analysis of the cryptocurrency transactions of GoogleXcoder, who was arrested more than a year ago.
“Forensic analysis of the seized devices, as well as cryptocurrency transactions, which lasted more than a year due to their complexity, made it possible to reconstruct the entire criminal network, identifying six people directly related to the use of these services,” the Guardia Civil reported.
The investigation into the GXC Team is still ongoing, and Spanish authorities have mentioned the possibility of further action to arrest more members of the cybercrime gang.


