Spanish law enforcement recently dismantled an advanced AI-driven phishing network and arrested the mastermind developer known as “GoogleXcoder.”
This operation marks a significant victory in the fight against banking credential theft in Spain.
Cybercriminals Target Banks and Government Agencies
Since 2023, Spain faced a surge in sophisticated phishing campaigns. Criminal groups impersonated major banks and public agencies, using convincing fake websites to trick thousands of victims into revealing personal and banking information.
These attacks led to millions of euros in stolen funds and growing public alarm. In response, the Civil Guard’s Cybercrime Department began investigating, determined to target not only the direct perpetrators but also those behind the tools enabling these crimes.
Detectives soon uncovered the role of “GoogleXcoder,” a 25-year-old Brazilian developer living in Spain.
Operating under a Crime as a Service (CaaS) model, he sold ready-to-use phishing kits to hundreds of criminals across Spanish-speaking countries.
These kits could instantly clone the websites of banks and government agencies, allowing anyone to launch phishing attacks with minimal technical skill.
Services included customizations, updates, and full technical support, creating a professional criminal business.
Most contacts happened via the messaging app Telegram, where criminals paid hundreds of euros per day for access to these tools.
One Telegram group, notably called “Stealing Everything from Grandmas,” highlighted how brazen and organized these schemes had become.
In a single day, dozens of institutions were impersonated, deceiving thousands and costing victims millions.
Locating “GoogleXcoder” was challenging: he routinely changed locations around Spain, used spoofed identities for phone and payments, and maintained a digital nomad lifestyle.
The breakthrough came at San Vicente de la Barquera, Cantabria, where police arrested him and seized electronic devices containing his phishing kits, personal accounts, and messages with other fraudsters.
Forensic experts are now examining the devices and cryptocurrency transactions, reconstructing the network and identifying six individuals who used these phishing services.
The justice operation included raids in Valladolid, Zaragoza, Barcelona, Palma de Mallorca, San Fernando, and La Línea de la Concepción, recovering more stolen funds and digital evidence.
With Telegram channels deactivated and ongoing analysis, further arrests may follow.
Collaboration between the Brazilian Federal Police and cybersecurity firm Group IB played a vital role in this cross-border case.
The investigation continues as authorities work to identify and stop other members of the internet-based phishing network. For press inquiries, contact the Central Operations Unit at 91 503 13 27.
Follow us on Google News, LinkedIn, and X to Get Instant Updates and Set GBH as a Preferred Source in Google.
