Global Phishing Network Discovered in Cross-Continent Operation

In a groundbreaking collaborative effort, Europol and Ameripol joined forces to dismantle a widespread phishing-as-a-service network that had impacted more than 480,000 individuals globally. The operation, dubbed “Operation Kaerb,” specifically targeted a criminal organization, operating predominantly in Spain and Latin America, that specialized in unlocking stolen mobile phones through phishing attacks. The criminals unlocked over 1.2 million devices.

From the 10th to the 17th of September, law enforcement agencies in Spain, Argentina, Chile, Colombia, Ecuador, and Peru conducted a series of coordinated raids, resulting in the arrest of 17 individuals and the confiscation of 921 items, including mobile phones, vehicles, and weapons.

At the heart of this operation was an Argentinian individual who ran a phishing platform that had been in operation since 2018. He established a lucrative business by selling access to the platform to “unlockers,” individuals who provided phone unlocking services to those in possession of stolen mobile phones.

This phishing platform operated under a phishing-as-a-service (PhaaS) model, offering accessible tools to cybercriminals with minimal technical skills. The “unlockers” paid for access to the platform, including additional features such as phishing SMS and email templates.

The phishing attacks orchestrated by this criminal group targeted mobile phone owners who had activated “Lost Mode” on their devices. Victims, primarily from European and Latin American countries, were manipulated through phishing messages requesting credentials to regain access to their phones. This exploitation of emotional vulnerability made it easier for criminals to steal sensitive information and unlock the phones, wiping any connection to the legitimate owners.

The success of Operation Kaerb can be attributed to the collaboration between Europol’s European Cybercrime Centre (EC3) and Ameripol’s Specialized Cybercrime Centre, marking the first joint operation between the two agencies. Europol had been investigating the phishing network since 2022 based on intelligence provided by cybersecurity firm Group-IB. The agency worked closely with affected countries, providing crucial information and coordinating the operation’s execution.

The phishing platform, named iServer, had been operational for over five years, primarily targeting Spanish-speaking countries and expanding into Europe. What distinguished iServer was its automation, allowing criminals without advanced hacking skills to operate the platform. Through a web-based interface, users could create phishing pages and distribute malicious links via SMS.

After the victim clicked on the link, a “redirector” filtered out ineligible users, directing approved individuals to a final phishing page disguised as a legitimate mobile service site. The platform collected login credentials, enabling criminals to unlock stolen phones by obtaining details like IMEI numbers, owner information, and OTPs.

This model of crimeware-as-a-service is part of a broader trend facilitating cybercriminal activities by providing all necessary tools. PhaaS platforms like iServer empower individuals with little technical expertise to execute sophisticated phishing attacks, posing a significant threat in regions where cybercrime is increasing, such as Latin America.

Operation Kaerb’s dismantling of the iServer platform represents a significant victory against cybercriminals exploiting PhaaS models. However, as the cybersecurity landscape evolves, new threats arise, underscoring the ongoing need for vigilance from both public and private sectors. The fight against global cybercrime continues, emphasizing the importance of collaborative efforts and proactive measures to safeguard against emerging threats.
