In an unprecedented move, Europol and Ameripol worked together to dismantle a phishing-as-a-service network affecting over 480,000 victims worldwide.
The operation, dubbed “Operation Kaerb,” targeted a criminal group that specialized in unlocking stolen mobile phones through phishing attacks. Investigators confirmed that over 1.2 million devices had been unlocked, with criminals primarily operating in Spain and Latin America.
From September 10 to 17, law enforcement in Spain, Argentina, Chile, Colombia, Ecuador, and Peru executed a series of raids, resulting in 17 arrests and the seizure of 921 items, including mobile phones, vehicles, and even weapons.
The man at the center of this operation, an Argentinian national, ran a phishing platform that had been active since 2018. He built a business on selling access to the platform to “unlockers”—criminals who provide phone unlocking services to those in possession of stolen mobile phones.
Phishing-as-a-Service Model
This wasn’t just any phishing scheme. The platform operated as a phishing-as-a-service (PhaaS) model, offering easy access to low-skilled cybercriminals. “Unlockers” paid for access and additional features like phishing SMS and email templates.
Phishing attacks generally involve tricking victims into giving up sensitive information by pretending to be a legitimate service. In this case, attackers targeted mobile phone owners who had activated “Lost Mode” on their devices. Victims, often from European and Latin American countries, received phishing messages urging them to provide credentials to regain access to their phones.
The attack exploited the emotional vulnerability of the victims, making it easier for criminals to steal sensitive data. Once the credentials were in hand, criminals would unlock the phones, essentially wiping any connection to the legitimate owner.
Europol and Ameripol’s Role
The international success of this operation can be credited to the cooperation between Europol’s European Cybercrime Centre (EC3) and Ameripol’s Specialized Cybercrime Centre. This marks the first joint operation between the two agencies, and it highlights the growing need for cross-border cybersecurity initiatives.
Europol had been investigating the phishing network since 2022 after receiving intelligence from Group-IB, a cybersecurity firm. The organization worked closely with the affected countries, providing them with vital information and coordinating the operation from start to finish.
During the week of the raids, Europol deployed experts to both Argentina and Spain, ensuring local authorities had the necessary support to take down the network. In coordination with Ameripol, law enforcement dismantled the infrastructure, seized the iServer domain used to host the phishing attacks, and apprehended the network’s key players.
How the Phishing Network Worked
The phishing platform, called iServer, had been operational for over five years, primarily serving Spanish-speaking countries but expanding into Europe as well. What set iServer apart was its automation. Criminals didn’t need advanced hacking skills to operate the platform. The web-based interface made it simple for users to create phishing pages and send malicious links via SMS.
After the victim clicked the link, a “redirector” filtered out users who didn’t meet certain criteria. Those who passed were sent to a final phishing page disguised as a legitimate mobile service site. The platform collected login credentials, which the criminals then used to unlock the stolen phones.
Unlockers were able to gather details like IMEI numbers, owner information, and even OTP (one-time passwords) to bypass security features like Lost Mode. Once unlocked, the phones could be resold without any trace of the original owner, effectively making it impossible for victims to recover their devices.
Crimeware-as-a-Service: The New Threat Model
The iServer platform is part of a larger trend known as “crimeware-as-a-service.” These platforms lower the barrier to entry for cybercriminals by providing all the tools they need to commit digital crimes. PhaaS platforms like iServer make it easier for criminals with little technical skill to execute sophisticated phishing attacks.
This is particularly concerning in regions like Latin America, where cybercrime is on the rise. By selling access to these platforms, individuals can profit without having to understand the technical side of phishing or hacking. It’s a growing concern for cybersecurity professionals as these platforms democratize access to high-impact cybercrime.
Operation Kaerb has struck a significant blow to cybercriminals exploiting phishing-as-a-service models. Yet, as the cybersecurity landscape continues to evolve, new threats will emerge. The dismantling of the iServer platform represents a victory, but it’s just a step in a much larger fight. The global cybercrime ecosystem continues to grow, and with it, the need for ongoing vigilance from both the public and private sectors.