Spain dismantles GXC Team banking phishing network, arrests 25-year-old Brazilian leader

 


Spanish authorities have dismantled a notorious cybercrime group known as the “GXC Team” and arrested the gang’s 25-year-old Brazilian leader, known online as “GoogleXcoder.”

The GXC Team sold phishing kits, malware for Android devices, and voice scam tools via Telegram and Russian-language forums. The tools were used in large-scale credential theft, business email compromise (BEC) scams, and identity fraud, primarily targeting victims in Spain, the UK, and other EU countries.

Investigators from UCO tracked the suspect across multiple provinces in Spain. According to an official statement, GoogleXcoder frequently relocated and used spoofed identities, mobile lines, and payment methods to avoid detection.

The group first came under scrutiny in January 2024 after US cybersecurity firm Resecurity released a report detailing GXC Team and its AI-driven fraud software, including “Business Invoice Swapper,” a tool used for wire fraud and BEC scams. It allowed cybercriminals to hijack email threads, replace banking details in invoices, and redirect funds. Subscriptions to the tool reportedly started at $2,000 per week.

Further analysis revealed that GXC Team’s arsenal included fake government portals, spoofed banking apps, and phishing kits capable of bypassing two-factor authentication by tricking victims into installing malicious Android apps. The kits mimicked well-known financial and government institutions, including dozens of Spanish banks and international platforms like Amazon, PayPal, Binance, and Microsoft’s Office 365.

The Guardia Civil’s year-long investigation has resulted in six coordinated raids across Spain. Authorities seized numerous electronic devices containing phishing kits, access credentials, cryptocurrency wallets, and chat logs linking the suspect to other cybercriminals. So far, six individuals linked to the GXC Team network have been identified.

Telegram channels operated by the group have been deactivated, and the investigation is still ongoing, the police said.
