Multi-agency law enforcement operation infiltrates ‘LabHost’ fraud platform

‘LabHost’ is a service established in 2021 by a criminal cyber network. It enabled the creation of ‘phishing’ websites designed to trick victims into revealing personal information such as e-mail addresses, passwords and bank details.

Users were able to log on and choose from existing sites or request bespoke pages replicating those of trusted brands including banks, healthcare agencies and postal services.

Law enforcement work began in June 2022 after detectives received crucial intelligence about ‘LabHost’ activity from the Cyber Defence Alliance. Once the scale of the site and the linked fraud became clear, the Metropolitan Police Service’s Cyber Crime Unit joined forces with the National Crime Agency, the City of London Police, Europol, Regional Organised Crime Units across the country and other international police forces to take action.

Partners including Chainalysis, Intel 471, Microsoft, The Shadowserver Foundation and Trend Micro have also been at the centre of law enforcement efforts aimed at bringing down this platform.

Between 14-17 April, a total of 37 suspects were arrested across the UK and by international law enforcement agencies. This included arrests at both Manchester Airport and Luton Airport, as well as in Essex and London. Over 70 addresses were searched in the UK and overseas.

On 17 April, ‘LabHost’ and its linked fraudulent sites were disrupted and existing information replaced with a message stating that law enforcement has seized the services.

History of the operation

After being set up in 2021, ‘LabHost’ quickly gained a criminal user base. By the beginning of this year, more than 40,000 fraudulent sites had been created and 2,000 users were registered and paying a monthly subscription fee. Those subscribing to the ‘worldwide membership’ (meaning that they could target victims internationally) paid between £200 and £300 per month.

Since its creation, ‘LabHost’ has received just under £1 million in payments from criminal users, many of whom cyber crime detectives from the Met have now been able to identify. Some have been arrested. Others are now the focus of the ongoing investigation and have been warned they’re being tracked down.

Shortly after the platform was disrupted, 800 users received a message telling them that the police know who they are and what has been happening in relation to law enforcement. Police officers have shown them they know how much has been paid to LabHost, how many different sites they’ve accessed and how many lines of data they’ve received. Many of these individuals will remain the focus of investigation over the coming weeks and months.

Detectives have so far established that just under 70,000 individual UK victims have entered their details into one of the ‘LabHost’ fraudulent sites. Globally, the service has obtained 480,000 card numbers and 64,000 PIN numbers as well as more than one million passwords used for websites and other online services. The total number of victims is likely to be even higher than has already been established and work is ongoing to identify and support as many as possible.

As of 18 April, detectives had contacted up to 25,000 victims in the UK to tell them their data has been compromised. Each and every one of those cases has been reported to both Action Fraud and UK Finance and every victim has been given advice about next steps and how to further protect their data.

Targeting large-scale online fraud

This operation is the latest in a series of activities perpetrated by law enforcement to tackle significant international online fraud. Policing and partner agencies continue to meet the growing threat through increasingly joined-up and sophisticated operations spanning the globe.

In November 2022, the Metropolitan Police Service arrested more than 130 suspects as part of Operation Elaborate. An estimated 200,000 victims were targeted by a scam stealing millions from the public via fake bank phone calls.

In February this year, the National Crime Agency led Operation Cronos, which disrupted LockBit, the world’s most harmful cyber crime group. LockBit ransomware attacks targeted thousands of victims around the world and caused billions of pounds worth of damage. The National Crime Agency infiltrated and took control of LockBit’s systems and website, duly obtaining thousands of decryption keys to help victims recover encrypted data.

Each operation focused on tackling a different type of online fraud, but at the heart of it all was a platform being used by criminals who believed it was impenetrable by law enforcement.

Collective approach

Dame Lynne Owens, Deputy Commissioner of the Metropolitan Police Service, said: “You are more likely to be a victim of fraud than any other form of crime. In addition to the financial impact, it undermines the public’s confidence in the tools and technology they need to use in daily life. Our collective approach should ensure suspects feel that same level of distrust in their own criminal environment.”

Owens continued: “Online fraudsters think they can act with impunity. They believe they can hide behind digital identities and platforms such as ‘LabHost’ and have absolute confidence these sites are impenetrable by policing. This operation, and others over the last year, show how law enforcement worldwide can, and will, come together with one another and private sector partners alike to dismantle international fraud networks at source. Our approach is to be more precise and targeted with a clear focus on those enabling online fraud to be carried out on an international scale.”

Adrian Searle, director of the National Economic Crime Centre, observed: “Fraud is a terrible crime that impacts victims both financially and psychologically, undermining our collective trust in others and the online services on which we all rely. Together with cyber crime, it comprises around 50% of all crime in England and Wales. Recognising the scale and nature of the threat, law enforcement is working more closely together, both here and overseas, to target the fraudsters and the technology they’re exploiting.”

Searle continued: “This latest operation demonstrates that UK law enforcement has the capability and intent to identify, disrupt and completely compromise criminal services that are targeting the UK on an industrial scale.”

Temporary Commander Oliver Shaw from the City of London Police explained: “Collaborative operations like this one are vitally important in the global fight against fraud and cyber crime. As the national lead force for fraud, we were able to support the operation by providing intelligence derived from reports made to Action Fraud. We continue to support the Metropolitan Police Service, Regional Organised Crime Units and forces across the UK in putting cyber criminal fraudsters on the back foot.”

Exerting an impact

Amy Hogan-Burney, general manager of cyber security policy and protection at Microsoft, commented: “Led by the Metropolitan Police Service, this action shows the impact we can have in the fight against cyber crime when we work together. We must continue to work together and leverage the immense skills of industry and Governments to defeat the threat.”

A spokesperson for the Cyber Defence Alliance said: “The partnership with the Cyber Defence Alliance and law enforcement continues to develop. Together, we have once again been able to disrupt a major international criminal platform and prevent more individuals from falling victim to the scammers. In the digital world, our alliance will continue to work with law enforcement to combat the growing threat of online fraud, which impacts millions of people worldwide.”

Security Minister Tom Tugendhat observed: “Fraud is an international crime demanding a global approach. This operation is a fantastic demonstration of law enforcement agencies around the world joining forces to crack down on criminals trying to take advantage of people in the UK. I’m grateful to the Metropolitan Police Service, the National Crime Agency and the National Fraud Squad for their action to infiltrate this criminal platform.”