The Australian Federal Police (AFP) has reported that a coordinated international police operation has resulted in the arrest of five individuals across Australia and 32 overseas, following the takedown of a cybercrime platform known as 'LabHost'. The platform was allegedly used by cybercriminals to steal personal credentials from victims worldwide, including over 94,000 Australians.

In a joint update with the Victoria Police, Queensland Police Service, New South Wales Police Force and Western Australia Police Force, the AFP outlined that Australian offenders were among 10,000 cybercriminals globally who had used LabHost to trick victims into providing their personal information, such as online banking logins, credit card details and passwords, through persistent phishing attacks sent via texts and emails.

The Australian arm of the investigation, led by the AFP's Joint Policing Cybercrime Coordination Centre (JPC3), involved more than 200 officers from the AFP and state and territory police. The JPC3 successfully took down 207 criminal servers used to host fraudulent phishing websites created by LabHost.

"LabHost alone had the potential to cause $28 million in harm to the Australians through the sale of stolen Australian credentials," said AFP Acting Assistant Commissioner Cyber Command Chris Goldsmid. He added, "In addition to financial losses, victims of phishing attacks are subject to ongoing security risks and criminal offending, including identity takeovers, extortion and blackmail."

LabHost, originating in Canada in 2021, targeted North America before expanding to the United Kingdom (UK) and Ireland, and eventually going global. At the time of the global police takedown, LabHost had more than 40,000 phishing domains and over 10,000 active global cybercriminals exploiting its technology to victimise individuals.

The platform was marketed as a 'one-stop-shop' for phishing, enabling cybercriminals to replicate more than 170 fraudulent websites of reputable banks, government entities, and other major organisations. Cybercriminals could sign up to LabHost for as little as $270 per month and were provided with complete 'phishing kits'.

"LabHost is yet another example of the borderless nature of cybercrime and the takedown reinforces the powerful outcomes that can be achieved through a united, global law enforcement front," Goldsmid said. "Australians who have used LabHost to steal data should not expect to remain anonymous. Authorities have obtained a vast amount of evidence during this investigation and we are working to identify anyone who has used this platform to target innocent victims."

The operation, codenamed Operation Nebulae, has allegedly identified more than 100 suspects in Australia who used LabHost to target victims. Globally, the Europol-coordinated investigation resulted in 70 simultaneous search warrants executed in multiple countries to take down the platform's alleged administrators, users, and infrastructure.

Victoria Police Detective Superintendent Tim McKinney said: "Cybercrimes such as phishing may be borderless and virtual in nature, but their impact on victims is real and can be devastating." He added, "If you have used this platform to claim to be a legitimate trusted website for the purpose of conducting fraudulent activity and are under the impression that police will not thoroughly investigate, you are mistaken."

NSW Police Force State Crime Command's Cybercrime Squad Commander, Acting Detective Superintendent, Gillian Lister, said: "The NSWPF works not only with the AFP, but multi-jurisdictional policing units across the world, to actively target cybercrime offenders and destroy their criminal networks and prevent further victimisation - and that's what we've done through this operation."

WA Police Force Detective Superintendent, Peter Foley, said: "If you think you're operating anonymously, think again. We will continue to work with our law enforcement partners to ensure anyone bringing harm to the community is brought to justice."

Last year, Scamwatch received more than 108,000 reports of phishing attacks, totalling nearly $26 million in losses. LabHost alone had the potential to cause $28 million in harm to Australians through the sale of stolen credentials.