Spanish authorities have arrested a 25-year-old Brazilian national accused of leading the “GXC Team” – a Crime-as-a-Service (CaaS) operation that sold phishing kits, Android malware and AI-based tools to cybercriminals worldwide.
The Guardia Civil said the suspect, known online as “GoogleXcoder,” was detained in San Vicente de la Barquera, Cantabria, after a year-long investigation involving six coordinated raids across Spain.
The operation targeted one of the country’s most active phishing networks, blamed for millions of euros in financial losses.
Sophisticated Phishing Operation
Operating since 2023, the GXC Team allegedly offered complete phishing services through Telegram channels and underground forums.
Clients could purchase customized kits designed to clone banking and government websites, allowing them to deceive users and steal credentials.
The group’s service catalogue reportedly included:
-
Advanced phishing kits cloning more than 40 portals
-
An Android Trojan disguised as a banking app to intercept one-time passcodes
-
AI-powered tools for automated voice scams
-
Technical support and frequent updates for paying clients
“The arrest of GoogleXcoder neutralizes a key enabler of this criminal ecosystem and significantly disrupts the supply of tools used in widespread banking fraud schemes,” explained Group-IP, a cybersecurity firm that assisted in the investigation.
Read more on cybercrime trends in Europe: European Vulnerability Database Launches Amid US CVE Chaos
Global Reach and Continuing Investigation
Authorities say the group’s tools were used in attacks targeting banks, transportation firms and e-commerce platforms in Spain, Brazil, Slovakia, the UK and the US.
One of the Telegram channels used by the group operated under the name “Steal everything from grandmas,” Group-IB noted.
Investigators described the suspect as a “digital nomad” who frequently moved between provinces, using stolen identities and fraudulent payment cards to remain undetected.
Searches in Valladolid, Zaragoza, Barcelona, Palma de Mallorca, San Fernando and La Línea de la Concepción led to the seizure of electronic devices containing source code, client communications and cryptocurrency records.
Six suspected accomplices were identified, and authorities have begun disabling the group’s online infrastructure.
The Guardia Civil’s Cybercrime Unit, with support from Brazil’s Federal Police and Group-IB, continues to examine the digital evidence as the investigation remains ongoing.
