UK law enforcement busts online phishing marketplace

UK law enforcement has infiltrated “LabHost,” a fraudulent online service used by more than 10,000 cybercriminals to create phishing websites and trick victims into revealing personal information. Law enforcement agencies from 19 countries coordinated to disrupt the criminal network.

Between April 14 and April 17, through a joint operation led by the Metropolitan police, Labhost’s existing services were disrupted with a seizure notice, and a total of 37 arrests were made by the UK as well as international law enforcement agencies.

LabHost is a service which was set up in 2021 by a criminal cyber network,” said Met in a statement. “On Wednesday, 17 April LabHost and its linked fraudulent sites were disrupted and existing information was replaced with a message stating law enforcement has seized the services.”

The international operation also led to five arrests across Australia by the Australian Federal Police (AFP). The service impacted over 94,000 people in the country.

The AFP also took down 207 criminal servers. These servers were used to host fraudulent phishing websites created by LabHost, established with the sole intention of facilitating criminal offenses against ordinary, hardworking Australians, AFP said in a statement.

Users were able to log on and choose from existing sites or request bespoke pages replicating those of trusted brands including banks, healthcare agencies, and postal services, Met added in the statement.

International support for a coordinated takedown

The operation, according to the statement, had begun in June 2022 after Met detectives received intelligence on LabHost from Cyber Defence Alliance (CDA), an international non-profit for cyber threat intelligence.

“Once the scale of site and the linked fraud became clear the Met’s Cyber Crime Unit joined forces with the National Crime Agency, City of London Police, Europol, Regional Organised Crime Units (ROCUs) across the country and other international police forces to take action,” Met added.

Other private platforms that supported law enforcement to bring down the platform included Chainalysis, Intel 471, Microsoft, The Shadowserver Foundation, and Trend Micro.

The 37 arrests, that were made in Essex and London, as well as Manchester and Luton airports, included searching of 70 addresses in the UK and across the world, according to the statement.

On disruption, the existing information on the site was pulled down and replaced with a notice that said law enforcement had seized the service.

Operations targeted at least 70,000 victims

After setting up shop in 2021, LabHost gained prominence, creating about 40000 fraudulent websites for phishing and picking up 2000 subscriptions by the beginning of 2024. Users paid a monthly subscription fee that ranged between $249 (£200) and $373 (£300) a month for a “WorldWide” membership that allowed targeting victims globally.

According to the statement, LabHost has received just under $1,173,000 (£1 million) from subscriptions, hinting most of the users registered in late 2023 or early 2024.

Many users have been arrested in this week’s takedown, while a significant other was warned of an imminent arrest. “Shortly after the platform was disrupted, 800 users received a message telling them we know who they are and what they’ve been doing,” Met added. “We’ve shown them we know how much they’ve paid to LabHost, how many different sites they’ve accessed, and how many lines of data they’ve received.”

Detectives confirmed that a total of 70,000 individual UK victims were targeted by LabHosts, giving the service access to 480,000 card numbers and 64,000 PINs. The fraudulent actor also obtained more than one million passwords to websites and other online services.

Law enforcement has advised citizens to stay vigilant and refrain from agreeing to deals and offers immediately, sending over money online without checking credentials, using untrusted payment methods, sharing financial details, and visiting websites through email links.

“You are more likely to be a victim of fraud than any other crime,” Dame Lynne Owens, Deputy Commissioner of the Metropolitan Police Service, said in a statement. “In addition to the financial impact, it undermines the public’s confidence in the tools and technology they need to use in daily life. Our collective approach should ensure suspects feel that same level of distrust in their own criminal environment.”