AFP logo at EBB Canberra

News Centre

Our latest media releases, podcasts and stories
18 April 2024, 9:21am
Media Release

Global sting sees Australian offenders arrested for cybercrime and phishing attacks

This is a joint release between the Australian Federal Police, Victoria Police, Queensland Police Service, New South Wales Police Force and Western Australia Police Force.

Editor’s note: Footage, images, audio and an infographic are available via Hightail

Five individuals have been arrested across Australia, and 32 overseas, following an international police takedown of a cybercrime platform used by cybercriminals to steal personal credentials from victims around the world, including more than 94,000 people in Australia.

Australian offenders are allegedly among 10,000 cybercriminals globally who have used the platform, known as LabHost, to trick victims into providing their personal information, such as online banking logins, credit card details and passwords, through persistent phishing attacks sent via texts and emails.

As a result of the Australian arm of the investigation, led by the AFP’s Joint Policing Cybercrime Coordination Centre (JCP3), more than 200 officers from the AFP and state and territory police were yesterday (17 April, 2024) involved in executing 22 search warrants across five states. This included 14 in Victoria, two in Queensland, three in NSW, one in South Australia and two in Western Australia.

A Melbourne man and an Adelaide man, who police will allege were LabHost users, were arrested during the warrants and charged with cybercrime-related offences. Three Melbourne men were also arrested by Victoria Police and charged with drug-related offences.

In addition to the takedown of the LabHost’s domain, the JPC3 took down 207 criminal servers. These servers were used to host fraudulent phishing websites created by LabHost, established with the sole intention of facilitating criminal offences against ordinary, hardworking Australians.

Phishing is a technique used by criminals to trick victims into providing personal information, such as their banking logins, credit card details and passwords, often through fraudulent links sent to them via texts and emails, in order to commit criminal offences or steal their money.

The AFP alleges LabHost was marketed as a ‘one-stop-shop’ for phishing, enabling cybercriminals to replicate more than 170 fraudulent websites of reputable banks, government entities and other major organisations, to trick unsuspecting victims into believing they were the legitimate websites.

Once cybercriminals had replicated a website, they would use LabHost to send texts and emails to victims, prompting them to login to their accounts via the fraudulent link.

When victims followed the link, cybercriminals could obtain a range of sensitive information, such as one-time pins, usernames and passwords, security questions and passphrases.

Cybercriminals could then use victims’ personal information to access legitimate enterprises, such as financial institutions, where they could steal funds from victims’ bank accounts.

LabHost originated in Canada in 2021, targeting North America, and expanded to the United Kingdom (UK) and Ireland, before going global. Australian criminals are believed to be among its top three user countries.

At the time of the global police takedown, LabHost had more than 40,000 phishing domains and more than 10,000 global active cybercriminals using its technology to exploit victims.

Cybercriminals could sign up to LabHost for as little as $270 per month. In exchange, cybercriminals were provided with complete ‘phishing kits’, including the infrastructure to host phishing websites, email and text content generation and campaign overview services, enabling them to effectively exploit their victims.

The Australian arm of the investigation, codenamed Operation Nebulae, has allegedly identified more than 100 suspects in Australia who use LabHost to target Australian victims.

Globally, the Europol-coordinated investigation resulted in 70 simultaneous search warrants executed in multiple countries, to take down the platform’s alleged administrators, users and infrastructure. This included the arrest of 37 offenders, including four individuals based in the UK linked to the running of the site, including the original developer of the platform.

Global activity will continue over the coming weeks and further arrests and website domain takedowns are anticipated in Australia and overseas.

A number of devices were seized during the warrants in Australia and will undergo forensic examination.

AFP Acting Assistant Commissioner Cyber Command Chris Goldsmid said phishing had become a serious threat, with Scamwatch last year receiving more than 108,000 reports of phishing attacks, totaling nearly $26 million in losses.

“LabHost alone had the potential to cause $28 million in harm to the Australians through the sale of stolen Australian credentials,” Acting Assistant Commissioner Goldsmid.

“In addition to financial losses, victims of phishing attacks are subject to ongoing security risks and criminal offending, including identity takeovers, extortion and blackmail.

“LabHost is yet another example of the borderless nature of cybercrime and the takedown reinforces the powerful outcomes that can be achieved through a united, global law enforcement front.

“Australians who have used LabHost to steal data should not expect to remain anonymous. Authorities have obtained a vast amount of evidence during this investigation and we are working to identify anyone who has used this platform to target innocent victims.”

Victoria Police Detective Superintendent Tim McKinney said that although cybercrimes were increasing in both scale and frequency, those who committed offences such as these in the belief they can do so anonymously are mistaken.

“Cybercrimes such as phishing may be borderless and virtual in nature, but their impact on victims is real and can be devastating.

“If you have used this platform to claim to be a legitimate trusted website for the purpose of conducting fraudulent activity and are under the impression that police will not thoroughly investigate, you are mistaken.

“If you commit cybercrime with the sole intent of scamming everyday Australians, know that alongside our national and international law enforcement partners, we will continue to pursue cybercriminals for their reckless actions wherever they may be located in the world.”

Queensland Police Service Detective Superintendent Craig McGrath said as cybercrimes continued to rise, the impact on the Australian community was undeniable, so we must work together to meet the challenge.

“The Queensland police service is committed to working with our partners to ensure community safety,” Detective Superintendent McGrath said.

NSW Police Force State Crime Command’s Cybercrime Squad Commander, Acting Detective Superintendent Gillian Lister, said cybercrime was a borderless issue that we must come together to tackle.

“The NSWPF works not only with the AFP, but multi-jurisdictional policing units across the world, to actively target cybercrime offenders and destroy their criminal networks and prevent further victimisation – and that’s what we’ve done through this operation,” Acting Det Supt Lister said.  

WA Police Force Detective Superintendent Peter Foley said the message was clear; Western Australia was not a safe place for cybercriminals to operate out of.

“If you think you’re operating anonymously, think again. We will continue to work with our law enforcement partners to ensure anyone bringing harm to the community is brought to justice,” Detective Superintendent Foley said.

The JPC3 brings together Australian law enforcement and key industry and international partners to fight cybercrime and prevent harm and financial loss to the Australian community.

We are committed to equipping all Australians with the knowledge and resources to protect themselves against cybercrime.

Watch our cybercrime prevention videos and protect yourself from being a victim of cybercrime.

If there is an immediate threat to life or risk of harm, call 000.

If you are a victim of cybercrime, report it to police using Report Cyber at cyber.gov.au.

If you are concerned that your identity has been compromised, contact the national identity and cyber support service IDCARE at www.idcare.org.

If you, or someone you know needs help, we encourage you to contact Lifeline on 13 11 14 or Beyondblue on 1300 224 636, who provide 24/7 support services.

AFP Media

Journalists can contact us Monday to Friday from 6.30 am to 6 pm Canberra time. Outside those hours, a rostered officer is on call.

Connect with us

Follow our social media channels to learn more about what the AFP does to keep Australia safe