LabHost phishing service with 40,000 domains disrupted, 37 arrested

LabHost service with 40,000 phishing domains disrupted, 37 arrested

The LabHost phishing-as-a-service (PhaaS) platform has been disrupted in a year-long global law enforcement operation that compromised the infrastructure and arrested 37 suspects, among them the original developer.

The phishing platform launched in 2021 and enabled cybercriminals paying a monthly subscription fee to launch effective attacks using a variety of phishing kits for banks and services in North America.

LabHost also offered infrastructure for hosting phishing pages and automatic phishing email generation and distribution, allowing low-skilled cybercriminals an easy way to carry out attacks.

In February 2024, digital security company Fortra warned that LabHost was growing into a popular PhaaS platform, surpassing other established players on the market.

The recent international law enforcement operation coordinated by Europol started roughly a year ago and involved police forces and special investigators in 19 countries, as well as partners from the private sector like Microsoft, Trend Micro, Chainalysis, Intel 471, and The Shadowserver Foundation.

"The investigation uncovered at least 40 000 phishing domains linked to LabHost, which had some 10 000 users worldwide," reads Europol's announcement.

"With a monthly fee averaging $249, LabHost would offer a range of illicit services which were customizable and could be deployed with a few clicks."

Europol highlights a particularly powerful tool called LabRat that made the service stand out from the competition. LabRat is a real-time phishing management tool that enabled attackers to capture two-factor authentication (2FA) tokens and bypass account protections.

Seizure banner on LabHost's main pageSeizure banner on LabHost's main page

Between April 14 and 17, 2024, police forces worldwide performed simultaneous searches at 70 addresses, arresting 37 individuals suspected to be connected to the LabHost service.

The Australian Joint Policing Cybercrime Coordination Centre (JPC3) also took down 207 servers that hosted phishing websites created through the LabHost service.

In the UK, the Metropolitan Police announced they arrested four individuals involved in running the service's website along with "the original developer of the platform".

Until LabHost's takedown, the authorities estimated that the cybercrime service's operators had received $1,173,000 from user subscriptions.

Shortly after the law enforcement agents took control of its infrastructure, messages were sent to 800 users to warn them they will be the subjects of upcoming investigations.

Investigators have also established that LabHost has stolen approximately 480,000 credit cards, 64,000 PINs, and one million passwords for various online accounts.

It is worth noting that LabHost experienced a massive outage last year at the beginning of October, prompting many to say that the platform was likely exit scamming.

However, the service returned to full operations on December 6, 2023. It unclear if the outage was connected to the law enforcement activity.