In a significant win against cybercrime, Spain’s Guardia Civil dismantled the “GXC Team” and arrested its 25-year-old Brazilian leader, known online as “GoogleXcoder.” This group was a major player in the world of online fraud, specializing in creating and selling sophisticated tools designed for scams. They used platforms like Telegram and Russian forums to sell their products, which included AI-powered phishing kits, Android malware, and voice-scam tools. These tools were used to steal credentials and financial information from individuals and businesses worldwide, with a significant number of victims located in the U.K. and various EU countries. The group’s criminal activities earned them enough money to allow their leader to live as a “digital nomad,” constantly moving to evade law enforcement.
The “GXC Team” was identified by Resecurity’s Hunter Unit as a prolific creator of online fraud tools. They were known for a wide range of products, from compromised payment data checkers to advanced phishing and smishing kits. One of their most notable tools was “Business Invoice Swapper,” an AI-powered tool designed for wire fraud and business email compromise (BEC). The tool, which was offered on a rental basis or for a one-time fee, would automatically create fraudulent invoices after the operator input a list of compromised email accounts. This allowed criminals to conduct scams with devastating financial impact; an FBI report noted that the average loss from a BEC scam was over $120,000.
The “GXC Team” used highly sophisticated methods to carry out their crimes. To bypass two-factor authentication (2FA), they created malicious Android apps that mimicked official mobile banking apps. Victims were tricked into downloading these fake apps, which would then intercept their One-Time Passwords (OTPs) and send them to the attacker. In addition to these advanced techniques, the group also specialized in identity theft. They created fake government websites, such as those impersonating Australia’s “my.gov.au” and Spain’s “GOB.ES” portals, to trick citizens into providing sensitive personal and financial information. This demonstrated their commitment to using deception to exploit unsuspecting individuals.
The Civil Guard’s Central Operational Unit (UCO) launched a complex and long-term investigation to track down “GoogleXcoder.” The suspect was previously unknown to law enforcement and evaded detection by frequently relocating and using fake identities. Authorities spent over a year conducting forensic and cryptocurrency analysis, which ultimately linked six individuals to the criminal network. The investigation culminated in six raids across Spain, during which police seized electronic devices containing phishing kits and other evidence. The raids led to the arrest of the group’s leader in San Vicente de la Barquera.
With “GoogleXcoder” in custody, law enforcement seized devices and recovered stolen funds, but the investigation is far from over. Telegram channels used by the group have been deactivated, and authorities are continuing to analyze the seized digital evidence. This analysis may lead to further arrests and provide a deeper understanding of the group’s operations. The successful dismantling of the “GXC Team” serves as a powerful example of how international collaboration and advanced investigative techniques are essential in the ongoing fight against digital crime.