The UK’s Metropolitan Police (the Met) has announced it has taken down a large-scale online fraud service, LabHost, marking the latest episode in a series of international raids on alleged cyber criminals.
On 18 April 2024, law enforcement agencies around the world arrested 37 individuals associated with the industrial-scale scam service as part of a joint operation led by the Met.
The online fraud service LabHost was responsible for facilitating the theft of sensitive personal information including 480,000 credit and debit card numbers and 64,000 PIN codes, bringing in an estimated £1 million in profits.
According to an update provided by the Met on 18 April, work on the operation began in June 2022 when detectives received “crucial intelligence” about LabHost’s activity from the Cyber Defence Alliance.
The takedown comes hot on the heels of a number of high-profile law enforcement operations targeting major players in the digital underworld, including ransomware operators LockBit and ALPHV/BlackCat.
The recent string of busts on large-scale threat collectives suggests authorities around the world are taking a firmer stance on cyber crime, and proactively looking to disrupt hacking groups, rather than just defend against their attacks.
Major ransomware operation LockBit, which accounted for around 30% of all global ransomware and digital extortion attacks in the first quarter of 2023, was taken down in February 2024 in a joint operation involving the National Crime Agency, FBI, Europol, and a number of other international agencies.
Takedowns of major players could leave a fragmented threat landscape
Speaking to ITPro in February right after the LockBit takedown was disclosed, Sergey Shykevich, manager of Check Point’s threat intelligence group, said he expected the ransomware industry to become more fragmented as a result.
Shykevich noted the operation would have left a large number of LockBit’s affiliates without a reliable source of ransomware tools to extort victims. This vacuum would soon be filled by a number of smaller competitors looking to capture some of LockBit’s lucrative market share, he claimed.
“[T]here are many affiliates who are now looking for other rentals and I’m sure not all of them will go to the same group. So I expect there will be more groups, there is no empty space in this business, there’s too much money,” Shykevich said.
Trend Micro’s director of forward-looking threat research, Robert McArdle, told ITPro there is enough room in the digital underworld for major players and the smaller threat collectives to coexist.
“The cyber crime ecosystem is very mature. Just like in the tech industry, there is more than enough room for the large major players (like well-known ransomware actors), and for the equivalent of the SMB or mid-market of highly profitable companies to co-exist.”
McArdle added that although smaller criminal organizations may believe they are less at risk by maintaining a low profile, recent actions by law enforcement agencies suggest they will eventually come to their attention and be targeted.
“In some senses, this mid-market of crime can sail under the radar of normal technical press reports,” McArdle admitted.
“But actions like this recent operation led by the Met to take action against LabHost, and the recent disruption of the infamous LockBit ransomware gang spearheaded by the NCA, show that no matter where a criminal group sit in the market, they will come to the attention of law enforcement and private industry collaborators,” said McArdle.
“Action will be taken whenever possible to make the world a safer place for the exchange of digital information.”