Australian Federal Police (AFP) said there were allegedly 10,000 global cyber criminals, including Australian offenders, who used the platform, LabHost.

The platform was designed to trick victims into providing their personal information including online banking logins, credit card details and passwords through continuous scam attacks sent through texts and emails.

The alleged cyber criminals – who were charged $270 per month to access the platform – could then allegedly commit criminal offences or steal their victims’ money.

After signing up, cyber criminals received “phishing kits”, complete with a framework to host scam websites, email and text content generation and campaign overview services.

In a bid to crackdown on the cyber criminals in Australia, the AFP’s Joint Policing Cyber Crime Coordination Centre (JCP3) led an investigation codenamed Operation Nebula.

The investigation saw more than 200 officers from the AFP and state police executing 22 search warrants across five states on Wednesday, April 17.

An Adelaide man, who police alleged was a user of LabHost, was arrested and charged with cybercrime-related offences.

Two people in Queensland, two in Western Australia, three in News South Wales, and 14 in Victoria, were also arrested.

Several devices were seized and will undergo forensic examination.

AFP Acting Assistant Commissioner Cyber Command Chris Goldsmid said scamming “had become a serious threat”.

“LabHost alone had the potential to cause $28 million in harm to the Australians through the sale of stolen Australian credentials,” Assistant Commissioner Goldsmid said.

“In addition to financial losses, victims of phishing attacks are subject to ongoing security risks and criminal offending, including identity takeovers, extortion and blackmail.”

The AFP said more than 100 suspects in Australia allegedly used LabHost to target Australian victims, with further arrests – and website domain take-downs – expected in the coming weeks.

“Australians who have used LabHost to steal data should not expect to remain anonymous,” he said.

“Authorities have obtained a vast amount of evidence during this investigation and we are working to identify anyone who has used this platform to target innocent victims.”

More than 94,000 Australians have fallen victim to the scam, with Australia believed to be among the top three user countries.

Police said they also took down 207 criminal servers used for hosting fraudulent scam websites created by LabHost.

The platform was marketed as a ‘one-stop-shop’ for phishing, which stored more than 40,000 scam domains and garnered over 10,000 global active cyber criminals.

It enabled cyber criminals to copy more than 170 fraudulent websites of well-known banks, government entities and other major organisations, so unsuspecting victims would believe it was their real website.

After the website had been replicated, they would use LabHost to send texts and emails to victims, which prompted them to login to their accounts using the fraudulent link.

Once a victim had followed the link, the cyber criminals could access a range of sensitive information including one-time pins, usernames and passwords, security questions and passphrases.

The sensitive personal information collected would then be used to access legitimate company accounts such as at financial institutions, where they could then steal money from the victims.

The platform started in Canada in 2021, then launched in the United Kingdom and Ireland before it expanded globally.

Last year, Scamwatch received more than 108,000 reports of phishing attacks, totalling nearly $26 million in losses.

More Coverage

Shock claims over police station tragedy as cops blow whistle

Kathryn Bermingham, Douglas Smith

Bail blow for men charged with ‘revenge’ arson attack on vet

Isabel McMillan, Leah Smith