Law enforcement agencies in the United Kingdom have disrupted a large-scale cybercrime group that ran a phishing-as-a-service operation known as LabHost, arresting nearly 40 people and taking down the LabHost infrastructure.
LabHost began operations in 2021 and authorities say that the group’s customers hit nearly 70,000 victims in the U.K. alone, and many more globally. As part of the disruption carried out this week, authorities sent messages to 800 LabHost users telling them that they are part of the investigation.
“We’ve shown them we know how much they’ve paid to LabHost, how many different sites they’ve accessed and how many lines of data they’ve received. Many of these individuals will remain the focus of investigation over the coming weeks and months,” the Metropolitan Police said in a release.
The LabHost platform was one of many such operations that offered users a number of services, including the ability to replicate the login pages for popular brands, allowing them to capture credentials from victims. Users could choose from a selection of pre-made templates or request customized ones. LabHost also offered users the ability to employ its custom LabRat malware tool, which can proxy connections between the victim and the organization being impersonated, allowing users to steal victims’ 2FA codes. At the time of this week’s disruption, law enforcement officials estimated that LabHost had about 2,000 active users.
The takedown operation was a joint effort between the Metropolitan Police, Europol, the National Crime Agency, and the City of London Police, along with other agencies. A number of technology companies also worked on the operation, including Microsoft, Trend Micro, Intel 471, Chainalysis, and the Shadowserver Foundation.
“This operation again demonstrates that UK law enforcement has the capability and intent to identify, disrupt and completely compromise criminal services that are targeting the UK on an industrial scale,” said Adrian Searle, Director of the National Economic Crime Center in the National Crime Agency.
Authorities said they arrested 37 people in this week’s operation, and are continuing to investigate other suspects. The LabHost takedown is the latest in a series of such operations by European law enforcement authorities targeting fraud, phishing, and ransomware groups in recent months. The largest of those operations was the takedown of the LockBit ransomware group and its infrastructure in February. That operation targeted LockBit’s operators as well as its infrastructure and also seized about 200 cryptocurrency accounts associated with its operators. Two suspected LockBit operators were arrested at the time, as well.
The LockBit and LabHost takedowns are prime examples of the cooperative efforts between law enforcement and security companies that are required to disrupt modern cybercrime operations. Many of these groups are transnational and they target victims around the world, requiring cooperation among agencies in many different countries, as well as work by threat intelligence and research teams at tech companies behind the scenes.
“Fraud is an international crime demanding a global approach. This operation is a fantastic demonstration of law enforcement agencies around the world coming together to crack down on criminals trying to take advantage of people in the UK,” said Security Minister Tom Tugendhat.