UK police bust worldwide million-dollar crime-as-a-service hub LabHost

The UK’s Metropolitan Police Cyber Crime Unit, with help from international law enforcement agencies including Europol and the FBI, has infiltrated one of the world’s biggest crime-as-a-service platforms.

LabHost, established in 2021, has been used by thousands of criminals, each paying a subscription of up to £300 a month, to launch phishing attacks that replicate everything from banks to healthcare agencies and postal services.

The operation, which took place between the 14th and 17th of April, saw 37 suspects arrested and 70 addresses searched both in the UK and internationally. In case you were wondering just how big a deal LabHost was, and I’ll use the past tense with some caution as historically such sites often reemerge following such law enforcement operations, it hosted more than 40,000 fraudulent phishing sites and boasted some 2,000 active criminal users.

The Met’s Cyber Crime Unit says that criminals subscribing to the “worldwide membership”, which opened up international fraud targets, were paying up to £300 a month, and at the time of the bust, LabHost had received $1,173,000 in subscription payments.

LabHost in numbers

You want more numbers, you say? Detectives working the case say they have determined at least 70,000 UK individuals have been successfully ‘phished’ using LabHost sites, and worldwide it has obtained 480,000 debit and credit card numbers along with 64,000 PINs. As for service passwords, the total exceeded one million.

“As of Thursday, 18 April,” the Met Police states, “detectives have contacted up to 25,000 victims in the UK to tell them their data has been compromised.”

Dame Lynne Owens, Deputy Commissioner of the Metropolitan Police Service, said: “Online fraudsters think they can act with impunity. They believe they can hide behind digital identities and platforms such as LabHost and have absolute confidence these sites are impenetrable by policing. But this operation and others over the last year show how law enforcement worldwide can, and will, come together with one another and private sector partners to dismantle international fraud networks at source.”

Private sector partners such as Microsoft. “Today’s action led by the United Kingdom’s Metropolitan Police Service shows the impact we can have in the fight against cybercrime when we work together,” said Amy Hogan-Burney, General Manager, Cybersecurity Policy & Protection at Microsoft, which cooperated with law enforcement during the investigation.

“We must continue to work together and leverage the immense skills of industry and governments to defeat these threats,” she added.

How LabHost worked

So, how did LabHost become so dangerous? And effective? We asked Mike Newman, CEO of My1Login, to explain. “Criminals would use the site’s readymade templates to execute attacks quickly, targeting internet users at scale, hoping to secure their financial information or passwords,” he said.

“When they stole their bank details, they would often be used quickly to make online purchases and commit financial fraud, but when they stole passwords, the criminals would store these and begin testing them on other sites to gain entry to more online accounts. In many cases this would be enterprise accounts, knowing how frequently internet users adopt the same passwords across both their corporate and personal accounts.”

Expert warnings about LabHost bust

“LabHost was one of the most dangerous phishing-as-a-service platforms because it lowered the barrier of entry into cybercrime and gave novice hackers access to ready-made tools to launch attacks,” said Mark Robertson, CRO and Co-Founder at Acumen.

He added: “The costs to do this were low, but the returns were high, which is why it became one of the most popular platforms for criminals.”

Jake Moore, Global Cybersecurity Advisor at ESET, has 14 years’ previous experience investigating computer crime in the Digital Forensics Unit and Cybercrime Team in Dorset Police. “Crime-as-a-service is a very lucrative way that criminals have found to share their techniques with others willing to pay and these services are becoming more widespread on underground forums and dark websites,” he told us.

“The police are constantly targeting and disrupting criminal gangs so people who see cyber fraud as a side hustle need to be extremely careful about their choices, especially as these illegal activities can ruin people’s career prospects.”

Davey Winder

With four decades of experience, Davey is one of the UK's most respected cybersecurity writers and a contributing editor to PC Pro magazine. He is also a senior contributor at Forbes. You can find him at TechFinitive covering all things cybersecurity.
