LabHost service with 40,000 phishing domains disrupted, 37 arrested

The LabHost phishing-as-a-service (PhaaS) platform has been disrupted in a year-long global law enforcement operation that compromised the infrastructure and arrested 37 suspects, among them the original developer.

The phishing platform launched in 2021 and enabled cybercriminals paying a monthly subscription fee to launch effective attacks using a variety of phishing kits for banks and services in North America.

LabHost also offered infrastructure for hosting phishing pages and automatic phishing email generation and distribution, allowing low-skilled cybercriminals an easy way to carry out attacks.

In February 2024, digital security company Fortra warned that LabHost was growing into a popular PhaaS platform, surpassing other established players on the market.

The recent international law enforcement operation coordinated by Europol started roughly a year ago and involved police forces and special investigators in 19 countries, as well as partners from the private sector like Microsoft, Trend Micro, Chainalysis, Intel 471, and The Shadowserver Foundation.

"The investigation uncovered at least 40 000 phishing domains linked to LabHost, which had some 10 000 users worldwide," reads Europol's announcement.

"With a monthly fee averaging $249, LabHost would offer a range of illicit services which were customizable and could be deployed with a few clicks."

Europol highlights a particularly powerful tool called LabRat that made the service stand out from the competition. LabRat is a real-time phishing management tool that enabled attackers to capture two-factor authentication (2FA) tokens and bypass account protections.

Seizure banner on LabHost's main page
Seizure banner on LabHost's main page
BleepingComputer

Between April 14 and 17, 2024, police forces worldwide performed simultaneous searches at 70 addresses, arresting 37 individuals suspected to be connected to the LabHost service.

The Australian Joint Policing Cybercrime Coordination Centre (JPC3) also took down 207 servers that hosted phishing websites created through the LabHost service.

In the UK, the Metropolitan Police announced they arrested four individuals involved in running the service's website along with "the original developer of the platform".

Until LabHost's takedown, the authorities estimated that the cybercrime service's operators had received $1,173,000 from user subscriptions.

Shortly after the law enforcement agents took control of its infrastructure, messages were sent to 800 users to warn them they will be the subjects of upcoming investigations.

Investigators have also established that LabHost has stolen approximately 480,000 credit cards, 64,000 PINs, and one million passwords for various online accounts.

It is worth noting that LabHost experienced a massive outage last year at the beginning of October, prompting many to say that the platform was likely exit scamming.

However, the service returned to full operations on December 6, 2023. It unclear if the outage was connected to the law enforcement activity.

Related Articles:

New MFA-bypassing phishing kit targets Microsoft 365, Gmail accounts

Cybercriminals pose as LastPass staff to hack password vaults

Firebird RAT creator and seller arrested in the U.S. and Australia

New Darcula phishing service targets iPhone users via iMessage

Ukraine arrests hackers trying to sell 100 million stolen accounts