Five individuals have been arrested across Australia, and 32 overseas, following an international police takedown of a cybercrime platform used to steal personal credentials from victims around the world – including more than 94,000 people in Australia.
Australian offenders are allegedly among 10,000 cybercriminals globally who have used the platform, known as LabHost, to trick victims into providing their personal information, such as online banking logins, credit card details and passwords, through persistent phishing attacks sent via texts and emails.
As a result of the Australian arm of the investigation, led by the AFP’s Joint Policing Cybercrime Coordination Centre (JCP3), more than 200 officers from the AFP and state and territory police were yesterday involved in executing 22 search warrants across five states. This included 14 in Victoria, two in Queensland, three in NSW, one in South Australia and two in Western Australia.
A Melbourne man and an Adelaide man, who police will allege were LabHost users, were arrested during the warrants and charged with cybercrime-related offences. Three Melbourne men were also arrested by Victoria Police and charged with drug-related offences.
In addition to the takedown of the LabHost’s domain, the JPC3 took down 207 criminal servers. These servers were used to host fraudulent phishing websites created by LabHost, established with the sole intention of facilitating criminal offences against ordinary, hardworking Australians.
Phishing is a technique used by criminals to trick victims into providing personal information, such as their banking logins, credit card details and passwords, often through fraudulent links sent to them via texts and emails, in order to commit criminal offences or steal their money.
The AFP alleges LabHost was marketed as a ‘one-stop-shop’ for phishing, enabling cybercriminals to replicate more than 170 fraudulent websites of reputable banks, government entities and other major organisations, to trick unsuspecting victims into believing they were the legitimate websites.
Once cybercriminals had replicated a website, they would use LabHost to send texts and emails to victims, prompting them to login to their accounts via the fraudulent link.
When victims followed the link, cybercriminals could obtain a range of sensitive information, such as one-time pins, usernames and passwords, security questions and passphrases.
Cybercriminals could then use victims’ personal information to access legitimate enterprises, such as financial institutions, where they could steal funds from victims’ bank accounts.
LabHost originated in Canada in 2021, targeting North America, and expanded to the United Kingdom (UK) and Ireland, before going global. Australian criminals are believed to be among its top three user countries.
At the time of the global police takedown, LabHost had more than 40,000 phishing domains and more than 10,000 global active cybercriminals using its technology to exploit victims.
Cybercriminals could sign up to LabHost for as little as $270 per month. In exchange, cybercriminals were provided with complete ‘phishing kits’, including the infrastructure to host phishing websites, email and text content generation and campaign overview services, enabling them to effectively exploit their victims.
The Australian arm of the investigation, codenamed Operation Nebulae, has allegedly identified more than 100 suspects in Australia who use LabHost to target Australian victims.
Globally, the Europol-coordinated investigation resulted in 70 simultaneous search warrants executed in multiple countries, to take down the platform’s alleged administrators, users and infrastructure. This included the arrest of 37 offenders, including four individuals based in the UK linked to the running of the site, including the original developer of the platform.
Global activity will continue over the coming weeks and further arrests and website domain takedowns are anticipated in Australia and overseas.
A number of devices were seized during the warrants in Australia and will undergo forensic examination.
AFP Acting Assistant Commissioner Cyber Command, Chris Goldsmid said phishing had become a serious threat, with Scamwatch last year receiving more than 108,000 reports of phishing attacks, totaling nearly $26 million in losses.
“LabHost alone had the potential to cause $28 million in harm to the Australians through the sale of stolen Australian credentials,” Acting Assistant Commissioner Goldsmid.
“In addition to financial losses, victims of phishing attacks are subject to ongoing security risks and criminal offending, including identity takeovers, extortion and blackmail.
“LabHost is yet another example of the borderless nature of cybercrime and the takedown reinforces the powerful outcomes that can be achieved through a united, global law enforcement front.
“Australians who have used LabHost to steal data should not expect to remain anonymous. Authorities have obtained a vast amount of evidence during this investigation and we are working to identify anyone who has used this platform to target innocent victims.”
NSW Police Force State Crime Command’s Cybercrime Squad Commander, Acting Detective Superintendent Gillian Lister, said cybercrime was a borderless issue that we must come together to tackle.
“The NSWPF works not only with the AFP, but multi-jurisdictional policing units across the world, to actively target cybercrime offenders and destroy their criminal networks and prevent further victimisation – and that’s what we’ve done through this operation,” Acting Det Supt Lister said.
WA Police Force Detective Superintendent Peter Foley said the message was clear; Western Australia was not a safe place for cybercriminals to operate out of.
“If you think you’re operating anonymously, think again. We will continue to work with our law enforcement partners to ensure anyone bringing harm to the community is brought to justice,” Detective Superintendent Foley said.
If you are a victim of cybercrime, report it to police using Report Cyber at cyber.gov.au.
If you are concerned that your identity has been compromised, contact the national identity and cyber support service IDCARE at www.idcare.org.
