Authorities take down LabHost, phishing-as-a-service platform

Law enforcement from 19 countries severely disrupted one of the world’s largest phishing-as-a-service platform, known as LabHost. This year-long operation, coordinated at the international level by Europol, resulted in the compromise of LabHost’s infrastructure.

International investigation disrupts phishing-as-a-service platform LabHost

Between Sunday 14 April and Wednesday 17 April a total of 70 addresses were searched across the world, resulting in the arrest of 37 suspects. This includes the arrest of 4 individuals in the United Kingdom linked to the running of the site, including the original developer of the service.

The LabHost platform, previously available on the open web, has been shut down.

This international investigation was led by the UK’s London Metropolitan Police, with the support of Europol’s European Cybercrime Centre (EC3) and the Joint Cybercrime Action Taskforce (J-CAT) hosted at its headquarters.

Europol has supported this case since September 2023. An operational sprint was organised at its headquarters with all the countries involved so that the national investigators could identify and develop intelligence on the users and victims in their own countries. During the action phase, a Europol specialist supported the Dutch National Police with their enforcement actions.

LabHost: Cybercriminals’ one-stop platform for phishing kits and engagement tools

Cybercrime-as-a-service has become a rapidly growing business model in the criminal landscape whereby threat actors rent or sell tools, expertise, or services to other cybercriminals to commit their attacks. While this model is well established with ransomware groups, it has also been adopted in other aspects of cybercrime, such as phishing attacks.

LabHost had become a significant tool for cybercriminals around the world. For a monthly subscription, the platform provided phishing kits, infrastructure for hosting pages, interactive functionality for directly engaging with victims, and campaign overview services.

The investigation uncovered at least 40,000 phishing domains linked to LabHost, which had some 10,000 users worldwide.

With a monthly fee averaging $249, LabHost would offer a range of illicit services which were customisable and could be deployed with a few clicks. Depending on the subscription, criminals were provided an escalating scope of targets from financial institutions, postal delivery services and telecommunication services providers, among others. Labhost offered a menu of over 170 fake websites providing convincing phishing pages for its users to choose from.

What made LabHost particularly destructive was its integrated campaign management tool named LabRat. This feature allowed cybercriminals deploying the attacks to monitor and control those attacks in real time. LabRat was designed to capture two-factor authentication codes and credentials, allowing the criminals to bypass enhanced security measures.

LabHost’s friendly image masks legal risks

Platforms such as LabHost make cybercrime more easily accessible for unskilled hackers, significantly expanding the pool of threat actors.

Yet, however user-friendly the service portrays itself to be, its malicious use constitutes an illegal activity – and the penalties can be severe.

A vast amount of data gathered throughout the investigation is now in the possession of law enforcement. This data will be used to support ongoing international operational activities focused on targeting the malicious users of this phishing platform.