International investigation disrupts phishing-as-a-service platform LabHost – EUROPOL

This week, law enforcement from 19 countries severely disrupted one of the world’s largest phishing-as-a-service platform, known as LabHost. This year-long operation, coordinated at the international level by Europol, resulted in the compromise of LabHost’s infrastructure.

Between Sunday 14 April and Wednesday 17 April a total of 70 addresses were searched across the world, resulting in the arrest of 37 suspects. This includes the arrest of 4 individuals in the United Kingdom linked to the running of the site, including the original developer of the service.

The LabHost platform, previously available on the open web, has been shut down.

This international investigation was led by the UK’s London Metropolitan Police, with the support of Europol’s European Cybercrime Centre (EC3) and the Joint Cybercrime Action Taskforce (J-CAT) hosted at its headquarters.

Europol has supported this case since September 2023. An operational sprint was organised at its headquarters with all the countries involved so that the national investigators could identify and develop intelligence on the users and victims in their own countries. During the action phase, a Europol specialist supported the Dutch National Police with their enforcement actions.

Commoditising phishing attacks

Cybercrime-as-a-service has become a rapidly growing business model in the criminal landscape whereby threat actors rent or sell tools, expertise, or services to other cybercriminals to commit their attacks. While this model is well established with ransomware groups, it has also been adopted in other aspects of cybercrime, such as phishing attacks.

LabHost had become a significant tool for cybercriminals around the world. For a monthly subscription, the platform provided phishing kits, infrastructure for hosting pages, interactive functionality for directly engaging with victims, and campaign overview services.

The investigation uncovered at least 40 000 phishing domains linked to LabHost, which had some 10 000 users worldwide.

With a monthly fee averaging $249, LabHost would offer a range of illicit services which were customisable and could be deployed with a few clicks. Depending on the subscription, criminals were provided an escalating scope of targets from financial institutions, postal delivery services and telecommunication services providers, among others. Labhost offered a menu of over 170 fake websites providing convincing phishing pages for its users to choose from.

What made LabHost particularly destructive was its integrated campaign management tool named LabRat. This feature allowed cybercriminals deploying the attacks to monitor and control those attacks in real time. LabRat was designed to capture two-factor authentication codes and credentials, allowing the criminals to bypass enhanced security measures.

Easily accessible, yet still a crime

Platforms such as LabHost make cybercrime more easily accessible for unskilled hackers, significantly expanding the pool of threat actors.

Yet, however user-friendly the service portrays itself to be, its malicious use constitutes an illegal activity – and the penalties can be severe.

A vast amount of data gathered throughout the investigation is now in the possession of law enforcement. This data will be used to support ongoing international operational activities focused on targeting the malicious users of this phishing platform.

The following authorities have taken part in the investigation:

• Australia: Australian Federal Police-led Joint Policing Cybercrime Coordination Centre;
• Austria: Criminal Intelligence Service (Bundeskriminalamt);
• Belgium: Federal Judicial Police Brussels (Police judiciaire fédérale Bruxelles/ Federale gerechtelijke politie Brussel);
• Finland: National Police (Poliisi);
• Ireland: An Garda Siochana;
• Netherlands: Central Netherlands Police (Politie Midden-Nederland);
• New Zealand: New Zealand Police;
• Lithuania: Lithuania Police;
• Malta: Malta Police Force (Il-Korp tal-Pulizija ta’ Malta);
• Poland: Central Office for Combating Cybercrime (Centralne Biuro Zwalczania Cyberprzestępczości);
• Portugal: Judicial Police (Polícia Judiciária);
• Romania: Romanian Police (Poliția Română);
• Spain: National Police (Policía Nacional);
• Sweden: Swedish Police Authority (Polisen);
• United Kingdom: London Metropolitan Police;
• United States: United States Secret Service (USSS) and Federal Bureau of Investigation (FBI);
• Czechia: Bureau of Criminal Police and Investigation Service;
• Estonia: Estonian Police and Border Guard Board;
• Canada: Royal Canadian Mounted Police.

The list of participating authorities was updated on 18 April 2024 at 12:14 CET.