Law enforcement agencies have announced the dismantling of an international criminal network that used a phishing platform to unlock stolen or lost cellphones.
A phishing-as-a-service (PhaaS) platform called iServer is estimated to have affected more than 483,000 victims worldwide, primarily from Chile (77,000), Colombia (70,000), Ecuador (42,000), Peru (41,500), Spain (30,000) and Argentina (29,000).
“The victims are mostly Spanish-speaking citizens from Europe, North and South America,” Europol said in a statement to the press.
Law enforcement and judicial authorities from Spain, Argentina, Chile, Colombia, Ecuador and Peru took part in the action, which was named Operation Kaerb.
During the joint exercises, which took place from September 10 to 17, an Argentine citizen responsible for the development and operation of the PhaaS service since 2018 was arrested.
In total, the operation led to 17 arrests, 28 searches and the confiscation of 921 items, including mobile phones, electronic devices, vehicles and weapons. It is estimated that around 1.2 million mobile phones have been unlocked to date.
“While iServer was essentially an automated phishing platform, its special focus on collecting credentials to unlock stolen phones sets it apart from typical phishing-as-a-service offerings,” Group-IB said.
According to the Singaporean company, iServer offered a web interface that allowed low-level criminals known as “unlockers” to extract device passwords and user credentials from cloud-based mobile platforms, essentially allowing them to bypass Lost Mode and unlock devices.
The administrator of the crime syndicate advertised access to these unlockers, who in turn used iServer not only to perform phishing unlocks, but also to sell their offerings to third parties, such as phone thieves.
Unlockers are also responsible for sending fake messages to victims of phone theft that aim to collect data that allows access to those devices. This is achieved by sending SMS messages that encourage recipients to find their lost phone by clicking on a link.
This starts a redirect chain that eventually leads the victim to a landing page where they are prompted to enter their credentials, device passcode, and two-factor authentication (2FA) codes, which are then used to gain unauthorized access to the device, turn off Lost Mode, and unlock the device from the owner’s account.
“iServer automates the creation and delivery of phishing pages that mimic popular cloud-based mobile platforms with several unique implementations that increase its effectiveness as a cybercrime-fighting tool,” Group-IB said.
Ghost Platform Shut Down in Global Action
The development comes after Europol and the Australian Federal Police (AFP) disclosed the dismantling of an encrypted communications network called Ghost (“www.ghostchat(.)net”), which has contributed to serious and organized crime around the world.
The platform, which was bundled into a custom Android smartphone for about $1,590 for a six-month subscription, was used to carry out a wide range of illegal activities, such as human trafficking, money laundering and even acts of extreme violence. It is simply the latest addition to a list of similar services such as Phantom Secure, EncroChat, Sky ECC and Exclu, which were shut down for similar reasons.
“The solution used three encryption standards and offered the ability to send a message followed by a specific code that would cause all messages on the target phone to self-destruct,” Europol said. “This has enabled criminal networks to communicate securely, evade detection, resist forensic measures and coordinate their illicit operations across borders.”
Several thousand people are believed to have used the platform, with around 1,000 messages being exchanged through the service each day before it was taken down.
The investigation, which began in March 2022, resulted in the arrest of 51 suspects: 38 in Australia, 11 in Ireland, one in Canada and one in Italy, who belongs to the Italian mafia group Sacra Corona Unita.
The list is headed by a 32-year-old man from Sydney, New South Wales, who was accused of creating and running Ghost as part of Operation Kraken, along with several others who were accused of using the platform to trade cocaine and cannabis, distribute drugs and prepare a fake terrorist plot.
It is believed that the administrator, Jae Jae Yoon Jung, launched the criminal enterprise nine years ago, bringing him millions of dollars in illegal profits. He was detained at his home in Narva. The operation also led to the dismantling of a drug laboratory in Australia, as well as the seizure of weapons, drugs and €1 million in cash.
The AFP said it infiltrated the platform’s infrastructure to mount a software supply chain attack, altering the software update process to access content stored on 376 active phones located in Australia.
“The landscape of encrypted communications is becoming increasingly fragmented as a result of recent law enforcement actions targeting platforms used by criminal networks,” Europol noted.
“Criminal actors are responding by now turning to a variety of lesser-known or purpose-built communication tools that offer varying degrees of security and anonymity. In doing so, they look for new technical solutions and also use popular communication programs to diversify their methods.”
The law enforcement agency, further stressing the need to access communications between suspects to combat serious crimes, called upon private companies to ensure their platforms do not become safe havens for criminals and provide ways to legally access data “under judicial supervision and with full respect for fundamental rights”.
Germany Takes Down 47 Cryptocurrency Exchanges
The move also coincides with Germany’s seizure of 47 cryptocurrency exchange services located in the country that enabled illegal money laundering for cybercriminals, including ransomware groups, darknet dealers, and botnet operators. The operation was codenamed Final Exchange.
The services have been accused of failing to comply with Know Your Customer (KYC) or anti-money laundering programs and of deliberately concealing the source of proceeds of crime, helping cybercrime to flourish. No arrests were publicly announced.
“Exchange services allowed for barter transactions without going through the registration process and without checking identity documents,” the Federal Criminal Police Office (aka Bundeskriminalamt) said in a statement. “The proposal aimed to quickly, easily and anonymously exchange cryptocurrencies for other cryptocurrencies or digital currencies to hide their origin.”
US Department of Justice Charges Two in $230 Million Cryptocurrency Fraud
Rounding off the law enforcement efforts to combat cybercrime, the US Department of Justice said two suspects were arrested and charged with conspiring to steal and launder more than $230 million in cryptocurrency from an unnamed victim in Washington, DC.
Malone Lam, 20, and Jandiel Serrano, 21, and other co-conspirators are believed to have committed the cryptocurrency thefts since at least August 2024 by accessing victims’ accounts; the stolen funds were then laundered through various exchanges and mixing services.
The ill-gotten gains were then used to finance an extravagant lifestyle, such as international travel, nightclubs, luxury cars, watches, jewelry, designer handbags and rentals in Los Angeles and Miami.
“They laundered the proceeds, including by moving funds through various mixers and exchanges, using ‘clearing chains’, end-to-end wallets and virtual private networks (VPNs) to disguise their true identities,” the Justice Department said.