In a landmark operation, Europol has dismantled an international crime syndicate responsible for running a phishing-as-a-service (PhaaS) platform aimed at unlocking stolen or misplaced mobile phones. The illicit service, known as iServer, is believed to have ensnared over 483,000 victims worldwide, with the most impacted countries being Chile (77,000 victims), Colombia (70,000), Ecuador (42,000), Peru (41,500), Spain (30,000), and Argentina (29,000).
Europol’s press release indicated that the victims were primarily Spanish-speaking individuals residing in European, North American, and South American nations. The operation, codenamed Kaerb, was a coordinated effort involving law enforcement and judicial bodies from Spain, Argentina, Chile, Colombia, Ecuador, and Peru.
The crackdown culminated in the arrest of an Argentine national who had been masterminding and operating the PhaaS platform since its inception in 2018. The authorities also apprehended 17 individuals, carried out 28 raids, and seized 921 items, which included mobile phones, electronic gadgets, vehicles, and firearms. To date, it is estimated that 1.2 million mobile phones have been illicitly unlocked via this service.
Group-IB, a cybersecurity firm, highlighted that while iServer functioned similarly to other phishing services, its primary distinction lay in its focus on harvesting credentials to unlock stolen devices. The platform provided low-skilled criminals, referred to as “unlockers,” with the necessary tools to siphon passwords and credentials from cloud-based mobile systems, enabling them to bypass security features like Lost Mode and unlock the phones.
The administrator behind this criminal enterprise offered the service to unlockers, who in turn utilized iServer to conduct phishing-based unlocks and also sold their capabilities to other third parties, including mobile phone thieves.
These unlockers targeted victims of phone theft by sending them fraudulent messages that tricked them into revealing critical information, such as passwords, passcodes, and two-factor authentication codes. Once obtained, these credentials were exploited to deactivate Lost Mode, unlink the devices from the rightful owners’ accounts, and facilitate the phones’ resale.
According to Group-IB, iServer automated the creation and deployment of phishing pages designed to mimic legitimate cloud-based mobile services, enhancing its effectiveness as a tool for cybercriminals.
Global Crackdown on Encrypted Communication Platform
In another significant development, Europol and the Australian Federal Police (AFP) announced the takedown of Ghost (“www.ghostchat[.]net“), an encrypted communications network used by organized crime groups worldwide. The platform, integrated into custom Android smartphones that retailed for $1,590 for a six-month subscription, allowed users to engage in a wide array of criminal activities, including trafficking, money laundering, and violent crimes.
Ghost provided its users with three layers of encryption and included features like self-destructing messages, making it a favored tool among criminal organizations. Thousands of individuals were using Ghost, exchanging roughly 1,000 messages daily, before its disruption.
The investigation into Ghost, which began in March 2022, resulted in 51 arrests across Australia, Ireland, Canada, and Italy. Among those apprehended was a 32-year-old Sydney man, accused of creating and managing the platform. Operation Kraken, a joint AFP and Europol initiative, also uncovered a drug lab in Australia, seizing firearms, drugs, and over €1 million in cash.
Authorities believe Ghost’s mastermind, Jay Je Yoon Jung, had been running the operation for nearly a decade, amassing millions of dollars in profits. The AFP revealed that they had penetrated Ghost’s infrastructure, carrying out a sophisticated software supply chain attack to access data stored on 376 active devices in Australia.
Europol noted that law enforcement’s recent efforts to dismantle encrypted communication platforms like Ghost, Phantom Secure, EncroChat, Sky ECC, and Exclu have left criminal organizations scrambling for alternative communication methods. Some have turned to lesser-known or custom-built tools, while others have reverted to mainstream apps with varying levels of security.
Germany Shuts Down 47 Cryptocurrency Exchanges
Adding to the global offensive against cybercrime, German authorities have shut down 47 cryptocurrency exchange platforms operating within the country. These services, implicated in illegal money laundering schemes, facilitated transactions for ransomware gangs, darknet markets, and botnet operators. The operation, aptly named Final Exchange, targeted platforms that had failed to implement standard Know Your Customer (KYC) protocols and anti-money laundering measures.
The Federal Criminal Police Office (Bundeskriminalamt) accused the platforms of enabling anonymous crypto transactions without requiring users to verify their identities, making them a haven for cybercriminals. Despite the takedown, no arrests have been reported thus far.
U.S. Justice Department Charges Two in $230 Million Crypto Heist
In a separate incident, the U.S. Department of Justice (DoJ) has charged two individuals—Malone Lam (20) and Jeandiel Serrano (21)—with conspiracy to steal and launder over $230 million in cryptocurrency. The duo, along with other co-conspirators, reportedly carried out a series of thefts beginning in August 2024, targeting victims’ cryptocurrency accounts and funneling the stolen assets through various exchanges and mixers.
Prosecutors allege that Lam and Serrano used the stolen funds to finance a luxurious lifestyle, spending lavishly on international travel, high-end cars, jewelry, and designer goods. According to the DoJ, the pair employed sophisticated laundering techniques, including the use of “peel chains,” pass-through wallets, and VPNs to obscure their tracks.
The arrests of Lam and Serrano underscore the growing trend of cybercriminals turning to cryptocurrency theft as a means to amass wealth and evade traditional financial oversight.