
GXC Team CaaS Platform Dismantled in Spain

3 unique sources, 3 articles

Summary


Spanish authorities have dismantled the GXC Team, a crime-as-a-service (CaaS) operation that emerged in 2023 and offered AI-powered phishing kits, an SMS-stealing Android trojan, and tools for AI-supported voice scams. The leader, a 25-year-old Brazilian known as “GoogleXcoder,” was arrested in San Vicente de la Barquera, Cantabria, after a year-long investigation involving six coordinated raids across Spain. He lived as a digital nomad, relocating between multiple homes in different Spanish provinces. The group targeted banks, transport, and e-commerce entities in multiple countries. The operation involved coordinated raids across seven Spanish regions, seizing electronic devices and cryptocurrency. Police identified six other individuals allegedly associated with the CaaS operation; the group's Telegram channels were deactivated, and the seized digital evidence is being examined to identify other suspects. The investigation is ongoing, with potential further arrests.

Timeline

  1. 11.10.2025 17:17 · 3 articles

    Spanish Guardia Civil dismantles GXC Team CaaS operation

    The GXC Team's leader, known as GoogleXcoder, was arrested in San Vicente de la Barquera, Cantabria, after a year-long investigation involving six coordinated raids across Spain. The group targeted banks, transport, and e-commerce entities in Spain, Brazil, Slovakia, the UK, and the US; its phishing kits cloned more than 40 portals, and its service catalogue included technical support and frequent updates for paying clients. One of its Telegram channels operated under the name 'Steal everything from grandmas'. The leader frequently moved between provinces, using stolen identities and fraudulent payment cards to remain undetected. The Guardia Civil's Cybercrime Unit, with support from Brazil's Federal Police and Group-IB, continues to examine the digital evidence as the investigation remains ongoing.



Similar Happenings

AI-Driven Phishing Campaign Targeting U.S. Organizations

A sophisticated phishing campaign targeting U.S. organizations uses AI-generated SVG files to evade security defenses. The attack leverages compromised business email accounts to send phishing messages, redirecting users to fake login pages to harvest credentials. The campaign employs advanced obfuscation techniques, including business-related language and complex code structures, to disguise malicious intent. The phishing messages use a self-addressed email tactic to bypass basic detection heuristics. The SVG files, which are text-based and scriptable, embed JavaScript and other dynamic content to deliver interactive phishing payloads. The campaign was detected on August 28, 2025, and effectively blocked by Microsoft's security systems. The use of AI in this campaign highlights the evolving tactics of threat actors, who are increasingly adopting AI tools to craft more convincing phishing lures and automate malware obfuscation.

Lighthouse and Lucid PhaaS Campaigns Target 316 Brands Across 74 Countries

The phishing-as-a-service (PhaaS) offerings Lighthouse and Lucid have been linked to over 17,500 phishing domains targeting 316 brands across 74 countries. The campaigns leverage various phishing kits and templates to impersonate brands and harvest credentials. The operations are attributed to the Chinese-speaking XinXin group and other associated actors. The phishing campaigns target a wide range of industries, including toll companies, governments, postal companies, and financial institutions. The attacks incorporate specific criteria to ensure that only intended targets can access the phishing URLs. The phishing kits offer template customization and real-time victim monitoring, with prices ranging from $88 for a week to $1,588 for a yearly subscription. The campaigns also highlight a broader trend of collaboration and innovation within the PhaaS ecosystem, with threat actors returning to email as a primary channel for harvesting stolen credentials.

RaccoonO365 Phishing Network Disrupted by Microsoft and Cloudflare

The RaccoonO365 phishing network, a financially motivated threat group, was disrupted by Microsoft's Digital Crimes Unit (DCU) and Cloudflare. The operation, executed through a court order in the Southern District of New York, seized 338 domains used by the group since July 2024. The network targeted over 2,300 organizations in 94 countries, including at least 20 U.S. healthcare entities, and stole over 5,000 Microsoft 365 credentials. The RaccoonO365 network operated as a phishing-as-a-service (PhaaS) toolkit, marketed to cybercriminals via a subscription model on a private Telegram channel. The group used legitimate tools like Cloudflare Turnstile and Workers scripts to protect their phishing pages, making detection more challenging. The mastermind behind RaccoonO365 is believed to be Joshua Ogundipe, who received over $100,000 in cryptocurrency payments. The group is also suspected to collaborate with Russian-speaking cybercriminals. Cloudflare executed a three-day 'rugpull' against RaccoonO365, banning all identified domains, placing interstitial 'phish warning' pages, terminating associated Workers scripts, and suspending user accounts to prevent re-registration.

SlopAds Fraud Ring Exploits 224 Android Apps for Ad Fraud

A sophisticated ad fraud operation, SlopAds, exploited 224 Android apps to generate 2.3 billion daily ad bids. The apps, downloaded 38 million times across 228 countries, used steganography and hidden WebViews to create fraudulent ad impressions and clicks. The fraud was conditional, activating only if the app was installed via an ad click. Google removed the offending apps from the Play Store and updated Google Play Protect to warn users. The operation leveraged AI-themed services and a complex command-and-control infrastructure. The fraudulent behavior was designed to evade detection by blending malicious traffic into legitimate campaign data. The SlopAds campaign was discovered by HUMAN's Satori Threat Intelligence team, which identified the apps as 'AI slop' due to their mass-produced appearance and AI-themed services. The apps used Firebase Remote Config to download an encrypted configuration file containing URLs for the ad fraud malware module, cashout servers, and a JavaScript payload. The campaign included numerous command-and-control servers and more than 300 related promotional domains, suggesting the threat actors planned further expansion.

GPUGate Malware Campaign Targets IT Firms in Western Europe

A sophisticated malware campaign, codenamed GPUGate, targets IT and software development companies in Western Europe, with recent expansions to macOS users. The campaign leverages Google Ads, SEO poisoning, and fake GitHub commits to deliver malware, including the Atomic macOS Stealer (AMOS). The attack began in December 2024 and uses a 128 MB Microsoft Software Installer (MSI) to evade detection. The malware employs GPU-gated decryption and various techniques to avoid analysis and detection. The end goal is information theft and delivery of secondary payloads. The threat actors have native Russian language proficiency and use a cross-platform approach. The campaign has expanded to target macOS users through fake GitHub repositories. These repositories impersonate popular tools and use SEO poisoning to distribute the Atomic Stealer malware. The threat actors use multiple GitHub usernames to evade takedowns and deploy malware via Terminal commands. Similar tactics have been observed in previous campaigns using malicious Google Ads and public GitHub repositories. The AMOS malware now includes a backdoor component for persistent, stealthy access to compromised systems. The campaign impersonates over 100 software solutions, including 1Password, Dropbox, Confluence, Robinhood, Fidelity, Notion, Gemini, Audacity, Adobe After Effects, Thunderbird, and SentinelOne. The fake GitHub pages were created on September 16, 2025, and were immediately submitted for takedown. The campaign has been active since at least April 2023, with previous similar campaigns observed in July 2025.