The Australian Federal Police (AFP) announced the arrest of five Australians among 37 individuals globally, linked to an alleged phishing scam that impacted tens of thousands. The scam, facilitated through the platform LabHost, involved 10,000 cybercriminals worldwide, deceiving victims into disclosing sensitive information such as banking logins, credit card details, and passwords.
The operation particularly affected 94,000 Australians, with arrests made in Melbourne and Adelaide. The individuals apprehended were reportedly active users of LabHost and have been charged with cybercrime offenses.
According to the AFP, LabHost functioned as a comprehensive phishing hub, marketed as a “one-stop-shop” for orchestrating phishing attacks. These attacks often involved sending emails and texts with links to counterfeit websites that mimicked over 170 legitimate entities, including major banks and government organizations. This misled victims into believing they were accessing genuine sites.
By following these fraudulent links, victims inadvertently provided cybercriminals access to critical data like one-time pins and security credentials. This information was then exploited to gain unauthorized access to financial institutions and other enterprises, leading to substantial financial theft from victims’ accounts.
Originally established in Canada to target North American users, LabHost expanded its operations internationally, including the United Kingdom, Ireland, and beyond, with Australian users ranking among the top three nationalities on the platform. Users of LabHost paid $270 monthly for phishing kits, which included tools and services for setting up phishing sites and managing campaigns.
The AFP highlighted that LabHost’s activities could have caused an estimated $28 million in damages through the sale of stolen Australian credentials alone. The victims of these phishing schemes face not only financial losses but also enduring security threats such as identity theft, extortion, and blackmail.
Acting Assistant Commissioner Chris Goldsmid of the AFP’s Cyber Command warned LabHost users about the illusion of anonymity, stating, “We are determined to identify and apprehend those exploiting this platform to target innocent victims.”