On April 17, 2024, London’s Metropolitan Police announced the disruption of LabHost, which is described in an update by Chainalysis as a “notorious” phishing-as-a-service (PhaaS) provider that enabled cybercriminals to “breach the bank accounts of victims around the world, following an operation conducted in tandem with international law enforcement and industry partners.”
Active since 2021, LabHost is believed to have “enabled thousands of phishing attacks, which means that this successful law enforcement operation has made the internet a safer place,” the team at Chainalysis noted in a blog post.
LabHost charged cybercriminals a monthly fee “for access to their phishing tools, and accepted cryptocurrency for payment.”
As such, Chainalysis says that it can analyze LabHost’s on-chain activity.
Chainalysis has also provided a primer on LabHost’s operations and role in cybercrime.
As noted in a blog post, LabHost is a PhaaS provider that sells “phishing kits,” which cybercriminals use to “build fake web pages imitating those of banks.”
These fake sites are designed “to trick the banks’ customers into entering their login information for the cybercriminals to steal.”
According to Bleeping Computer, LabHost has also “provided web hosting infrastructure to keep phishing pages online, email campaign tools for targeting victims with spam driving them to the phishing pages, and even tools for circumventing two-factor authentication.”
LabHost charged a monthly fee “for these tools, with varied offerings at different pricing tiers.”
LabHost’s popularity grew in 2023 when it “rolled out high-powered phishing kits for Canadian banks specifically.”
However, its tools enabled cybercriminals “to target bank customers all over the world, as well as users of shipping services and apps like Spotify.”
According to the Metropolitan Police’s update on this operation, cybercriminals used LabHost to spin up “more than 40,000 phishing sites, and the service boasted more than 2,000 registered users.”
The agency also says that cybercriminals using LabHost have “stolen over 480,000 credit card numbers, 64,000 PIN numbers, and over 1 million passwords for various online services.”
Since becoming active in August 2021, LabHost’s identified cryptocurrency wallets have received “over $1.1 million worth of cryptocurrency across thousands of transfers, with payments coming in Bitcoin, Ethereum, Litecoin, and Monero.”
LabHost’s incoming payments in Bitcoin specifically “are visible on the Chainalysis Investigations graph.”
We can assume that most of that represents cybercriminals “paying their monthly fee for the use of LabHost’s phishing tools.”
LabHost then sent most of those funds “to a few mainstream exchanges, presumably to be cashed out, as well as to a popular mixer, likely to launder the funds and obfuscate their origins.”
Chainalysis notes that we can see “some of this activity on the Chainalysis Investigations graph.”
We can see similar patterns in LabHost’s Ethereum activity as well, “though without the usage of mixers.”
Like many cybercriminal organizations, LabHost utilized “a range of third-party services and infrastructure providers. We can see on-chain evidence of this on the Chainalysis Investigations graph.”
We can also see LabHost sending funds “to two types of service providers: A payment processor that facilitates the crypto payments for businesses (also known as a merchant services provider), and two infrastructure-as-a-service providers.”
While Chainalysis says it can’t share “the exact nature of all of the infrastructure providers LabHost transacted with, other criminal organizations have utilized these services for web hosting, email tools, proxy services, and more.”
It’s possible that LabHost did the same.
Finally, blockchain analysis also reveals “that many of the cybercriminals who used LabHost also appear to have been customers of iSpoof, another illicit provider of tools used for fraud that was shut down by the Metropolitan Police and other law enforcement agencies in 2022.”
The Chainalysis Investigations graph “shows several wallets that transacted with both iSpoof and LabHost.”
The 20 wallets shown transacting “with iSpoof and LabHost, who we can assume are almost certainly involved in online fraud, have collectively sent and received over $5.3 million worth of Bitcoin, suggesting that their criminal activity is extensive and lucrative.”
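The overlap analysis described above (finding wallets that transacted with both services, then summing their total volume) can be reproduced on a small scale with a few lines of code. The following is an added illustration, not code from Chainalysis or from the Metropolitan Police; the transfer records and addresses are constructed placeholders, and the `labhost_deposit` / `ispoof_deposit` labels are assumptions used only to mark which side of each transfer is a service.

```python
from collections import defaultdict

# Constructed sample transfers: (sender, receiver, amount in BTC).
# Every address here is a placeholder; none is a real address from the case.
SAMPLE_TRANSFERS = [
    ("wallet_a", "labhost_deposit", 0.02),
    ("wallet_a", "ispoof_deposit", 0.05),
    ("wallet_b", "labhost_deposit", 0.01),
    ("wallet_c", "ispoof_deposit", 0.03),
    ("ispoof_deposit", "wallet_c", 0.001),   # refund-style outbound transfer
    ("wallet_c", "labhost_deposit", 0.02),
    ("exchange_x", "wallet_a", 1.5),         # unrelated inflow from an exchange
    ("wallet_d", "exchange_x", 0.4),         # wallet with no service contact
]

# Assumed labels mapping a deposit address to the service it belongs to.
SERVICE_LABELS = {
    "labhost_deposit": "LabHost",
    "ispoof_deposit": "iSpoof",
}


def counterparties(transfers, service_address):
    """Return the set of wallets that sent to or received from a service address."""
    found = set()
    for sender, receiver, _amount in transfers:
        if sender == service_address:
            found.add(receiver)
        elif receiver == service_address:
            found.add(sender)
    return found


def shared_customers(transfers, labels):
    """Wallets that transacted with every labelled service (here: both LabHost and iSpoof)."""
    per_service = [counterparties(transfers, addr) for addr in labels]
    return set.intersection(*per_service) if per_service else set()


def wallet_volume(transfers, wallets):
    """Total BTC sent plus received per wallet, across all of its counterparties."""
    volume = defaultdict(float)
    for sender, receiver, amount in transfers:
        if sender in wallets:
            volume[sender] += amount
        if receiver in wallets:
            volume[receiver] += amount
    return dict(volume)


def overlap_report(transfers=SAMPLE_TRANSFERS, labels=SERVICE_LABELS):
    """Return (shared wallets, per-wallet volume, combined volume) for the overlap set."""
    shared = shared_customers(transfers, labels)
    volumes = wallet_volume(transfers, shared)
    return shared, volumes, sum(volumes.values())


if __name__ == "__main__":
    shared, volumes, total = overlap_report()
    print("wallets transacting with all services:", sorted(shared))
    for wallet in sorted(volumes):
        print(f"  {wallet}: {volumes[wallet]:.3f} BTC sent+received")
    print(f"combined volume: {total:.3f} BTC")
```

The intersection step is what turns two separate customer lists into a higher-confidence fraud cluster: a wallet paying one fraud-tooling service might be explained away, but one paying two independent services is much harder to. The volume sum then gives a rough scale of that cluster’s activity, which is the same reasoning the $5.3 million figure above rests on.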
As mentioned in the update, scams are perhaps “the biggest threat to consumers in the entire crypto crime ecosystem.”
This case shows that cryptocurrency’s role in scams “extends beyond threat actors promoting crypto Ponzi schemes, or seeking to take funds from users’ crypto wallets.”
Victims whose bank accounts “were compromised in LabHost-supported phishing attacks likely had no idea the crime against them had a cryptocurrency nexus, but in many cases, the cybercriminals involved likely wouldn’t have been able to access LabHost’s tools without paying in crypto.”
Crypto can play a crucial role in “virtually all forms of crime, even in non-obvious cases.”
Thanks to the efforts of the Metropolitan Police and the other agencies involved in this disruption, LabHost is one “crypto-adjacent” criminal organization “that has been severely hampered.”