Spain Dismantles Major Banking Phishing Network: The Fall of the GXC Team

Digital Nomad Behind Multi-Million Dollar Credential Theft Operation Arrested

Spain's Civil Guard has successfully dismantled one of the most sophisticated phishing operations in the Spanish-speaking world, arresting the 25-year-old Brazilian mastermind behind the GXC Team and disrupting a Crime-as-a-Service empire that facilitated millions of dollars in theft across multiple continents.

The Investigation: Operation Big Bang

On October 9, 2025, Spain's Civil Guard announced the culmination of a complex investigation that began in 2023, targeting the developer known as "GoogleXcoder" who provided comprehensive phishing services to other criminals by designing and marketing kits capable of cloning banking websites and government entities.

The investigation concluded with six raids across different Spanish localities and the arrest of the main phishing kit provider, in addition to identifying six individuals directly related to the use of these services.

Civil Guard dismantles a banking phishing network and arrests the main developer of credential-theft kits in Spain

The Architect: GoogleXcoder

The arrested individual, a 25-year-old Brazilian, was considered the main provider of tools for massive credential theft in the Spanish-speaking environment. What made this cybercriminal particularly elusive was his lifestyle as a "digital nomad" with his family, constantly moving between different provinces in Spain and using phone lines and payment cards registered under spoofed identities to avoid detection.

The primary arrest took place in San Vicente de la Barquera, Cantabria, where authorities seized electronic devices containing phishing kits for all the impersonated entities, the suspect's personal accounts, and conversations with dozens of cyber scammers.

The Crime-as-a-Service Empire

The GXC Team operated a sophisticated Crime-as-a-Service (CaaS) platform that revolutionized the phishing landscape through several innovations:

AI-Powered Tools

The operation offered AI-powered phishing kits, Android malware, and voice-scam tools via Telegram and a Russian-speaking hacker forum. Their most advanced offering was an AI-powered tool called "Business Invoice Swapper," designed for wire fraud and Business Email Compromise scams, which was rented for $2,000 per week or $15,000 as a one-time purchase.

Comprehensive Service Package

GoogleXcoder's services included personalization, technical support, and updates, consolidating a professionally structured criminal operation. Cybercriminals contacted GoogleXcoder through Telegram, hired his services for hundreds of euros per day, and exploited these tools extensively.

Android Malware Integration

What set the GXC Team apart was their innovative method of combining phishing kits with SMS OTP stealer malware. Victims were persuaded to download a malicious Android banking app that, once installed, requested permissions to become the default SMS app. This enabled it to intercept OTPs and other messages, which were then sent to a Telegram bot controlled by the attackers.

Scale and Impact

The reach of the GXC Team's operations was staggering:

Group-IB tracking revealed that GXC Team was targeting banks, transport, and e-commerce entities in Spain, Slovakia, the UK, the US, and Brazil, with their phishing kits replicating the websites of tens of Spanish and international institutions and powering at least 250 phishing sites.

The group's tools were capable of targeting more than 300 entities globally, including major financial institutions across Europe and the U.S. such as Santander, BBVA, Deutsche Bank, and AMEX, as well as international platforms like Amazon, Binance, Coinbase, and Microsoft's Office 365.

Since 2023, successive phishing campaigns impersonated major public organizations and Spain's most important banking entities to deceive victims and obtain their personal data, resulting in a significant number of complaints from affected individuals, millions of euros stolen, and growing public alarm.

"Steal Everything from Grandmothers"

The brazenness of the operation was perhaps best exemplified by the criminals' attitude toward their victims. One of the messaging groups used by these criminals to execute scams was called "Steal everything from grandmothers," demonstrating the extent of their sense of impunity.

The Forensic Challenge

The forensic analysis of seized devices and cryptocurrency transactions took more than a year due to its complexity, but ultimately allowed investigators to reconstruct the entire criminal network and identify six people directly related to the use of these services.

Following the investigation led by Court of Instruction number 1 of San Vicente de la Barquera, the operation concluded with six raids in homes across Valladolid, Zaragoza, Barcelona, Palma de Mallorca, San Fernando, and La Línea de la Concepción, where electronic devices were seized and funds linked to money stolen from victims were recovered from various digital platforms.

International Collaboration

The investigation benefited from collaboration with Brazil's Federal Police and cybersecurity firm Group-IB. Group-IB had been tracking the GXC Team since January 2023, providing crucial intelligence that helped Spanish authorities build their case.

Ongoing Investigation

The investigation remains open with additional actions not ruled out. Telegram channels have already been deactivated and seized digital evidence is being analyzed, which could lead to new identifications or arrests.

Implications for Cybersecurity

The dismantling of the GXC Team represents a significant victory against the professionalization of digital fraud. The operation highlights several concerning trends:

  1. Democratization of Cybercrime: By offering turnkey solutions, operations like GXC Team lower the technical barrier for conducting sophisticated attacks, enabling less skilled criminals to launch effective phishing campaigns.
  2. AI Integration: The use of artificial intelligence in phishing tools represents an escalation in the sophistication of social engineering attacks, making them harder to detect and more convincing to victims.
  3. Multi-Vector Attacks: The combination of web-based phishing with mobile malware creates a comprehensive attack ecosystem that can bypass multiple security layers, including two-factor authentication.
  4. Global Reach, Local Impact: While based in Spain, the GXC Team's tools enabled attacks across multiple continents, demonstrating how cybercrime infrastructure can have worldwide implications.

The successful takedown of this operation demonstrates the importance of international cooperation between law enforcement agencies and private cybersecurity firms in combating sophisticated cybercrime networks. However, with the investigation still ongoing and the Crime-as-a-Service model continuing to evolve, the fight against phishing and credential theft remains far from over.
