One of the most used phishing-as-a-service platforms, LabHost, has been taken down by an international group of law enforcement authorities coordinated by Europol. Fortra has closely monitored LabHost and has mitigated tens of thousands of phishing attacks carried out by cybercriminals using the platform in recent years. LabHost is estimated to have obtained 480,000 card numbers, 64,000 PIN numbers, and no fewer than one million account passwords. Earlier this year, we published a detailed profile on LabHost.
37 suspects have been arrested as part of the international operation led by Europol, including the original developer of the LabHost service. The LabHost platform is currently unavailable.
Cybercriminals subscribed to LabHost were sent individualized, 90-second “LabHost Wrapped” videos informing them of the takedown operation and noting evidence gathered by law enforcement, including:
- When the individual first subscribed to LabHost
- How long they’ve been a subscriber
- How much they’ve paid to LabHost
- The number of IP addresses they’ve used to access LabHost
- The domains they’ve used
- The countries and organizations they’ve targeted
LabHost's Telegram bot was also repurposed in the operation to send messages to LabHost users encouraging them to confess and turn themselves in to their local police authorities.
Early on, LabHost administrators issued a statement seeking to minimize the situation by suggesting this was an act of revenge by a former developer.
However, they issued a final statement when it became clear this was a large-scale law enforcement operation. According to this statement, LabHost is down for good and will not return.
In the immediate aftermath of the takedown, Frappo (a similar service referenced by LabHost in their final statement) has experienced instability and has temporarily shut down its communication channels. It is not yet clear if this is due to a rush of users, DDoS, or other causes.