The Spanish Guardia Civil has dismantled the GXC Team criminal group and arrested its alleged leader, a 25-year-old Brazilian man known as “GoogleXcoder.” The operation shut down a crime-as-a-service (CaaS) platform that supplied AI phishing kits, Android malware, and phone scam tools, and allowed the recovery of stolen cryptocurrency and the closure of Telegram channels used to spread the schemes.

According to investigators and Group-IB analysts, GXC Team created and sold fake websites impersonating dozens of Spanish and international institutions; the platform supported at least about 250 phishing pages in the detected activity alone. The team also developed at least nine Android malware families that intercepted SMS messages and one-time passwords (OTPs), allowing its customers to hijack accounts and confirm fraudulent transactions. Police coordinated raids on May 20 in several provinces (Cantabria, Valladolid, Zaragoza, Barcelona, Palma de Mallorca, San Fernando and La Línea de la Concepción), seized electronic media containing the source code of the phishing kits, customer communications and financial reports, and confiscated some of the stolen funds. The Telegram channels through which the services were sold and criminal campaigns were advertised were closed (including a channel with the provocative name “Steal everything from grandmothers”). The investigation lasted for over a year and included analysis of cryptocurrency transfers to trace the network of customers and intermediaries.

The group operated as a genuine “criminal platform”: instead of one-off projects, it offered a full range of services, including phishing website templates, technical support, campaign setup, and tools to bypass two-factor authentication. Group-IB and the Guardia Civil documented that GXC’s clients were operators of attacks against banks, transport, and e-commerce in various countries (Spain, Slovakia, the UK, the US, Brazil). Forensic examinations and blockchain analysis helped to “unfold the picture” of the financial flows and identify at least six people involved in using the platform’s services.

The Spanish police operation is a significant blow to the infrastructure that supplied tools for mass phishing campaigns and OTP interception, but the investigation is ongoing, and further arrests are possible. Organizations and users should strengthen their protection: verify the source of SMS messages and emails that contain links, use hardware keys or passkeys instead of SMS-based 2FA, regularly update Android devices, and apply multi-layered solutions for phishing detection. Closing the channels and seizing the code significantly complicate the attackers' activities, but the demand for CaaS services remains a threat, so prevention and operational cooperation between the industry and law enforcement remain key.