What Is the "Business Invoice Swapper," and How Did It Cost Companies Millions?

Meet The 25 yr-Old ‘Digital Nomad’ Who Sold ‘Crime As A Service’ Tools That Hit Over 300 Financial Targets

Shakti Sharma

MADRID — Spanish law enforcement has announced an operation against a prolific international cybercrime ring, the “GXC Team,” culminating in the arrest of its 25-year-old Brazilian leader. The group specialized in the sale of sophisticated, ready-to-use tools, including advanced AI-powered phishing kits, which it marketed to criminals across the dark web and Telegram, effectively running a global “Crime-as-a-Service” operation whose tools targeted more than 300 entities, including financial institutions and government agencies.

The operation, led by the Spanish Guardia Civil, marks a victory against the professionalization of digital fraud, which has increasingly relied on ready-made software sold by outfits like the GXC Team to scale illicit schemes.

“The suspect, known by the alias ‘GoogleXcoder,’ maintained a shadow existence as a ‘digital nomad,’ frequently relocating to evade detection while his malicious software extracted millions from unsuspecting victims globally.”

A Digital Nomad and a Global Market for Crime

The arrested leader, identified by his online alias “GoogleXcoder,” was described by police as a developer of CaaS, or Crime-as-a-Service, tools. Despite his youth, the 25-year-old Brazilian had become a key supplier of credential theft software in Spain and across the European Union. According to authorities, he lived a clandestine life as a “digital nomad” with his family, constantly moving between different provinces in Spain and using phone lines and payment cards registered under spoofed identities to avoid detection by law enforcement agencies. The investigation, which relied on complex tracking and forensic analysis over a year, led to the leader’s apprehension in San Vicente de la Barquera and the identification of six other individuals linked to the network.

The Arsenal: AI and Android Bypass Tools

The GXC Team generated substantial revenue by creating and renting out cutting-edge fraud tools to other criminals. Their most advanced offering was an AI-powered kit named “Business Invoice Swapper.” This tool was designed to facilitate wire fraud and Business E-Mail Compromise (BEC) scams by using AI to scan compromised emails, identify messages with invoices, and automatically replace the legitimate banking details (IBAN and BIC codes) with those of the perpetrators.

AI powered tool kit – Business Invoice Swapper

This tool was offered for rent starting from $2,000 (₹1.77 lakh) per week. Additionally, the team developed malicious Android code that mimicked official mobile banking apps. This was used to trick victims into installing a fake app to “confirm” a One-Time Password (OTP), allowing the criminals to intercept the 2FA codes and gain unauthorized access to banking accounts.
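A payment-side check against the IBAN swap described above, added here as an example and not taken from the article or the investigation: it extracts IBANs from an invoice e-mail, validates the ISO 13616 mod-97 checksum, and compares each one with the account on file for the sender. The vendor record, the `supplier.example` domain and the function names are assumptions made for illustration.

```python
import re

# Constructed vendor master record: sender domain -> IBANs approved out of band.
APPROVED_IBANS = {
    "supplier.example": {"DE89370400440532013000"},
}

# Country code, two check digits, then 11-30 alphanumerics, optionally space-grouped.
# Assumes the IBAN is followed by a line break or punctuation, not more capitals.
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}(?: ?[A-Z0-9]){11,30}\b")


def iban_checksum_ok(iban: str) -> bool:
    """ISO 13616 mod-97: move the first four chars to the end, map A=10..Z=35."""
    rearranged = iban[4:] + iban[:4]
    digits = "".join(str(int(ch, 36)) for ch in rearranged)
    return int(digits) % 97 == 1


def extract_ibans(text: str) -> list[str]:
    """Return the checksum-valid IBANs found in free text, spaces removed."""
    found = []
    for match in IBAN_RE.finditer(text):
        candidate = match.group().replace(" ", "")
        if iban_checksum_ok(candidate) and candidate not in found:
            found.append(candidate)
    return found


def review_invoice(sender_domain: str, body: str) -> list[str]:
    """Return findings that should hold the payment for call-back verification."""
    approved = APPROVED_IBANS.get(sender_domain, set())
    findings = []
    for iban in extract_ibans(body):
        if iban in approved:
            continue
        # A swapped account passes the checksum; only the record on file exposes it.
        if approved and all(iban[:2] != known[:2] for known in approved):
            findings.append(f"{iban}: not on file, country differs from approved account")
        else:
            findings.append(f"{iban}: not on file for {sender_domain}")
    return findings
```

The checksum only filters out strings that are not IBANs at all; the comparison against details confirmed outside the e-mail channel is what catches a substituted account.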


Targeting Banks and Government Identity

The GXC Team’s criminal ambition was vast, with its tools capable of targeting more than 300 entities globally. The list of targets included major financial institutions across Europe and the U.S. (like Santander, BBVA, Deutsche Bank, and AMEX), as well as international platforms like Amazon, Binance, Coinbase, and Microsoft’s Office 365. Victims were predominantly located across the U.K. and various E.U. member states. Beyond financial fraud, the group also specialized in identity theft. They crafted sophisticated phishing pages that impersonated official government websites, including the Australian my.gov.au portal and the Spanish GOB.ES site, with the sole purpose of stealing citizens’ personal information and credentials.

The Operation and Recovery of Stolen Funds

The complex investigation led by the Cybercrime Department of the Central Operational Unit (UCO) of the Civil Guard culminated in six coordinated raids across Spain. The officers successfully arrested “GoogleXcoder” and seized electronic devices containing the source code for the phishing kits, personal accounts, and internal communications chats. In a key success for the investigation, authorities were also able to recover funds stolen from victims that had been stored on various digital platforms, following a year-long forensic and cryptocurrency analysis. The group’s main Telegram channels have since been deactivated, and the analysis of the seized digital evidence is ongoing, with police noting that further action, including more arrests, is not ruled out.
