Cybercrime ring GXC Team dismantled in Spain, 25-year-old leader detained

Spain’s Guardia Civil dismantled the “GXC Team” cybercrime group, arresting its 25-year-old Brazilian leader “GoogleXcoder.” The gang sold AI-powered phishing kits, Android malware, and voice-scam tools via Telegram and Russian forums, becoming a major supplier of credential theft tools in Spain.

These posts introduced a new tool that incorporates Artificial Intelligence (AI) for creating fraudulent invoices used for wire fraud and Business E-Mail Compromise (BEC). According to an FBI Report, successful business email compromise (BEC) scams (such as invoice fraud) resulted in an average loss of over 20,000 per incident, inflicting a staggering financial toll of more than .4 billion on organizations.

According to the Hunter Unit from Resecurity, previously, the “GXC Team” gained notoriety for creating a wide array of online fraud tools, ranging from compromised payment data checkers to sophisticated phishing and smishing kits. They have been considered the masterminds in this illicit field, supplying fellow cybercriminals with a suite of ready-to-use tools designed to defraud innocent consumers globally. Additionally, they offer ongoing updates and technical support for conducting fraud. Presently, the tools crafted by the “GXC Team” are capable of targeting over 300 entities, including top financial institutions, government services, postal services, cryptocurrency platforms, payment networks, and major international online marketplaces including AMEX, Amazon, Binance, Coinbase, Office 365 (Microsoft), PayPal, ING, Deutsche Bank, Postbank, DKB AG (Das kann Bank), BBBank eG (formerly Badische Beamtenbank) and multiple Spain-based banks specifically including ABANCA, Banca March, Banco de Sabadell, Grupo Caja Rural, Unicaja Banco SA, Caixa Enginyers, Banco Mediolanum, Laboral Kutxa, Eurocaja Dynamic, BBVA, and Santander.

Besides Artificial Intelligence to scale operations, in a novel approach to circumvent two-factor authentication (2FA), the perpetrators crafted malicious Android code that mimics official mobile banking applications. Victims are tricked into installing this fake app under the guise of confirming their OTP (One-Time Password), which is then intercepted and transmitted to a command-and-control (C2C) server managed by the attacker. The necessary login credentials for online banking systems are previously harvested through a phishing kit. Once the OTP is intercepted, the malicious actor can access the victim’s banking account, utilizing geographically relevant residential proxies to facilitate the unauthorized access.

To read the complete article see: Security Affairs ✨