Phishers caught on the hook

The international police operation PhishOFF shut down LabHost, one of the world’s largest platforms used by phishing scammers, with over a million people impacted. The Estonian police played a key role in preparing the raid.

Years ago, simple scams like “Nigerian letters” offering vast sums of money were the subject of jokes. Today, however, cyber fraud has taken a giant leap forward, often orchestrated by sprawling international networks and organised crime.

These operations function like well-oiled machines with distinct roles: some criminals breach systems, others create virtual environments such as phishing websites, while another group devises ways to quickly and effectively drain bank accounts using stolen data. Finally, specialist teams help launder the illicitly obtained funds.

Dedicated platforms now allow criminals to purchase phishing services, denial-of-service attacks, ransomware and other malware as a service. 

Illustration: a mobile phone hangs from a hook, with a page open on its screen offering a phishing service for purchase

Over a million victims

One of the largest operations of its kind, LabHost, focused specifically on facilitating phishing scams. It was dismantled in April 2024 during the international police operation PhishOFF, with significant contributions from the Estonian police.

Coordinated by Europol, the five-day raid resulted in the arrest of 37 organisers of phishing scams worldwide. The operation involved 18 countries, primarily in Europe, but also included the United States, Canada, Australia and New Zealand.

Launched in 2021, LabHost was a public platform offering pre-built fake websites, phishing systems and distribution solutions (via SMS or email) while also selling stolen data collected on its platform. Thousands of regular criminal clients purchased access to phishing packages to execute their schemes. These packages included fake websites mimicking major banks and services across dozens of countries, enabling fraudsters to steal authentication details and money from victims’ bank accounts.

Higher-tier packages cost between €230 and €350 per month, with quarterly and annual subscriptions also available. Payments were made in cryptocurrency, and LabHost reportedly earned around €1 million from its services, but the financial damage to victims was far greater. The platform handled the most tedious and time-consuming aspects of cybercrime; its administrators offered technical support to criminals through a dedicated Telegram channel.

The international investigation uncovered at least 66,000 websites used by nearly 10,000 criminals to steal data or money. Globally, over a million people have fallen victim to scams that have been executed through this platform. LabHost facilitated the theft of 480,000 bank card details, 64,000 PIN codes and over a million passwords. Stolen funds were transferred between various bank accounts to obscure their origins before being withdrawn as cash. In Estonia alone, up to 30 criminals used LabHost for phishing attacks, with around 10 of the most active offenders arrested in different countries.

Hannes Kelt, head of the cyber and economic crimes unit at the North Prefecture of the Estonian police, explained that his team began investigating a wave of phishing links exploiting the names of banks operating in Estonia a few years ago. “Collecting evidence and analysing the data led us to LabHost. We brought in other countries, which also launched investigations, and the result was the closure of one of the largest platforms of its kind,” Kelt said.

Criminals deterred with three software tools

The unit led by Hannes Kelt was tasked with discouraging and deterring criminals operating on the LabHost platform; the team used three software tools. The first tool was designed to neutralise all phishing websites actively used for scams. After months of information gathering and analysis, all fraudulent environments and the thousands of associated phishing sites were shut down in April 2024.

Simultaneously, raids led to the arrest of dozens of crime organisers. However, the platform had been used by thousands of lower-level criminals worldwide. To target these individuals, experts from the North Prefecture developed a second programme resembling a social media or content-sharing platform.

Much like year-end summaries sent by commercial platforms (“2024 Wrapped”), which show users the pictures they have shared, the posts they have made, or the music they have listened to most, 700 of the most active scammers using fraudulent platforms received a similarly detailed report from the police about their activities. At the end of the report was a recommendation to contact the police and confess their crimes as soon as possible – many did.

Another 1,500 less active criminals received written summaries of their activities, reminding them that operating on fraudulent platforms does not guarantee anonymity or protection.

The third tool was used within the criminals’ communication platforms. A chatbot operating in these environments was taken over, and police information was disseminated through their chats. For example, criminals received videos and messages showing arrests and examples of evidence gathered from the platform, aiming to amplify the police’s message and demonstrate that even encrypted communication platforms do not provide complete anonymity.

“This type of deterrence is particularly effective for less experienced criminals to nudge them back onto the right path early on. Overall, the operation was very successful, as even LabHost’s key figures acknowledged in the end, warning their clients themselves and advising them to go into hiding and destroy their devices,” Kelt explained.

The fight continues

Kelt emphasised that international operations of this scale require excellent cooperation and coordination. “Through joint efforts, we shut down a platform that enabled thousands of scammers to operate. Unfortunately, this was not the only such platform, and police efforts to stop fraudsters continue. Fraud is a global crime, and even shutting down a major platform doesn’t provide a permanent solution, as criminals remain highly motivated to develop and use new methods of fraud.”

CERT-EE, the Information System Authority’s incident handling unit, identifies hundreds of phishing and scam sites every month. CERT-EE blocks access to these sites, notifies web hosts and shares information with its international partners. Over recent years, tripartite cooperation with the police and banks operating in Estonia has become so effective that detected phishing sites can now be taken down in just minutes, halting data theft swiftly.

In recognition of its contributions to the preparation of PhishOFF, the Cyber and Economic Crimes Unit at the North Prefecture of the Estonian Police and Border Guard Board received Europol’s award for the most innovative police operation in 2024.

The other articles of "Cyber security in Estonia 2025"

Last updated: 17.02.2025
