An international criminal network responsible for a large-scale phishing scheme targeting mobile phone credentials has been dismantled in a coordinated operation led by Europol and law enforcement agencies across six countries. The operation, codenamed “Operation Kaerb,” successfully shut down the phishing-as-a-service (PhaaS) platform known as iServer, which had been used to unlock over 1.2 million stolen or lost mobile phones. The criminal network, which operated mainly in Spanish-speaking countries, claimed more than 483,000 victims globally.
The iServer Phishing Platform
iServer, an automated phishing platform, operated as a PhaaS service, making it possible for criminals with minimal technical skills to unlock stolen or lost mobile phones by gathering user credentials. The platform’s targets were individuals in Latin American and European countries, with the highest number of victims reported in Chile (77,000), Colombia (70,000), Ecuador (42,000), Peru (41,500), Spain (30,000), and Argentina (29,000).
The victims were tricked into providing their mobile phone credentials through phishing messages that mimicked legitimate services. These messages often claimed to help victims locate their lost or stolen phones. Once a victim clicked on the link provided in the fraudulent message, they were redirected to a phishing page that appeared to be a legitimate mobile service provider. Victims would then be prompted to enter sensitive information, such as their device passcodes and cloud-based mobile platform credentials, which the criminals would use to unlock the stolen devices.
Coordinated International Effort
Operation Kaerb, which took place from September 10 to 17, 2024, was a joint law enforcement effort involving authorities from Spain, Argentina, Chile, Colombia, Ecuador, and Peru. In total, the operation resulted in the arrest of 17 individuals and the seizure of 921 items, including mobile phones, electronic devices, vehicles, and weapons. These arrests included the mastermind behind the iServer platform, an Argentinian national who had been running the phishing service since 2018. The operation achieved success in the fight against phishing-related cybercrime. The coordinated effort involved 28 searches across the six participating countries, with a large number of digital assets seized as part of the crackdown. Among the confiscated items were 630 stolen mobile devices, which were part of the criminal operation to unlock phones and erase any connection to the legitimate owners.
How iServer Operated
iServer provided a web-based platform that automated the creation of phishing pages designed to resemble legitimate cloud-based mobile services. This platform allowed criminals, known as “unlockers,” to gain access to the credentials of stolen or lost phones. By accessing cloud-based accounts, unlockers were able to bypass security measures such as Lost Mode and unlink the devices from their rightful owners, making it impossible for victims to recover their phones. While this operation targeted external threats, businesses must also be careful in dealing with potential insider threats to data security, as malicious employees can compromise systems from within. The process typically began with a phishing SMS sent to the victim, which claimed to offer assistance in locating the lost phone. Victims who clicked the link were directed to a phishing page where they were asked to enter their device credentials and passcodes. The credentials were then verified through the iServer platform, and the unlockers would use this information to disable the phone’s security features, rendering it usable again for resale. According to Group-IB, a cybersecurity firm involved in the investigation, iServer distinguished itself from other phishing platforms by focusing specifically on unlocking stolen phones. The platform was designed to be user-friendly, enabling even low-skilled criminals to participate in the scheme by simply following automated steps to create phishing pages and send fraudulent messages.
Europol’s Role and International Cooperation
Europol played an important role in coordinating Operation Kaerb, providing analytical support and deploying experts to Argentina and Spain during the operation. Europol’s European Cybercrime Centre (EC3) worked closely with Ameripol’s Specialised Cybercrime Centre, marking the first time the two organizations had collaborated on such an extensive operation. The investigation, which began in 2022, was initiated after Europol received information from Group-IB regarding the phishing network. The success of the operation was the result of international cooperation between law enforcement agencies and judiciary authorities across six countries. The coordinated effort allowed authorities to dismantle the infrastructure supporting iServer, including the takedown of the platform’s digital servers and the redirection of online traffic to law enforcement-controlled domains.
While iServer’s shutdown did triumph against cybercrime, it also shows the growth of phishing-as-a-service platforms. These platforms allow criminals with minimal technical expertise to conduct phishing attackst. The global nature of such criminal networks makes it clear that international cooperation is necessary in tackling cybercrime effectively. The takedown of the iServer phishing platform and the arrest of 17 individuals involved in the criminal operation is a success of coordinated law enforcement efforts across borders.
Image credit: Timon, AdobeStock
