Europol, working with law enforcement organisations from nine countries, has successfully dismantled the “Ghost” encrypted communications platform. This platform was used by organised crime groups for operations such as drug trafficking and money laundering.
Ghost featured advanced security and anonymisation, enabling subscription purchases using cryptocurrency. It utilised three levels of encryption and a self-destruction technique for messages, ensuring that no traces remained on either the sender’s or recipient’s devices.
Law enforcement and judicial authorities from Spain, Argentina, Chile, Colombia, Ecuador, and Peru participated in Operation Kaerb. Between September 10 and 17, officials detained an Argentine citizen responsible for designing and maintaining the phishing-as-a-service (PhaaS) since 2018.
The operation led to seventeen arrests, twenty-eight searches, and the seizure of 921 items, including mobile phones, electronic gadgets, automobiles, and firearms. One estimate puts the number of unlocked mobile phones at 1.2 million.
Meanwhile, iServer, a phishing-as-a-service (PhaaS) platform, reportedly victimised over 483,000 people globally. The largest number of victims came from Chile (77,000), Colombia (70,000), Ecuador (42,000), Peru (41,500), Spain (30,000), and Argentina (29,000).
A Singapore-based company called iServer offered a web interface via which unskilled criminals, known as “unlockers,” could get user credentials and passwords from cloud-based mobile applications. This allowed them to bypass Lost Mode and unlock stolen devices.
The administrator of the criminal group advertised iServer to unlockers, who then sold access to other criminals, including phone thieves, and exploited it for phishing attacks.
Unlockers also sent fraudulent SMS messages to victims of phone theft, urging them to click a link to locate their lost phone. This led victims to a fake landing page where they were tricked into entering credentials, device passcodes, and two-factor authentication (2FA) codes. This information was subsequently used to disable “Lost Mode” and unlink the device from the owner’s account.
According to Group-IB:
iServer automates the creation and delivery of phishing pages that imitate popular cloud-based mobile platforms, featuring several unique implementations that enhance its effectiveness as a cybercrime tool.
How Europol and Law Enforcement Cracked Ghost Chat’s Encryption?
The removal of the encrypted communication network Ghost (www.ghostchat[.]net) reveals how it is used to support major organised crime globally. The site was used for severe violence, money laundering, and human trafficking.
The site supported over 1,000 message exchanges every day, with thousands of users worldwide. It was accessible through customised Android handsets and cost around $1,590 for a six-month membership.
According to the Europol investigation:
The solution used three encryption standards and offered the option to send a message followed by a specific code which would result in the self-destruction of all messages on the target phone. This allowed criminal networks to communicate securely, evade detection, counter forensic measures, and coordinate their illegal operations across borders.
A 32-year-old Sydney, New South Wales resident has been convicted of being involved in Operation Kraken by creating and running Ghost, a website purportedly used for drugs trafficking. Several others are also accused of using Ghost for distributing cocaine and cannabis, as well as plotting a false terrorism scheme.
Jay Je Yoon Jung, the forum administrator, is believed to have launched the illegal business nine years ago with the intention of making millions of dollars. At his Narwee residence, he was taken into custody.
Authorities in Australia dismantled a drug lab as part of the operation, seizing firearms, narcotics, and €1 million in cash. The Australian Federal Police (AFP) disclosed that they had compromised Ghost’s system and, by manipulating the update procedure, had staged a software supply chain attack. This allowed them to access content on 376 active handsets across Australia.
The seizure of iServer and the Ghost platform shows Europol’s continuous efforts to take down cybercrime networks that use digital tools to target victims. These operations reveal how phishing-as-a-service and encrypted communication platforms have become key resources for cybercriminals, highlighting the need for coordinated global law enforcement.
Recently, Europol called for solutions that secure privacy while allowing authorised access to data during criminal investigations, highlighting the need for a balanced approach to encryption. The agency additionally alerted private businesses of their need to grant authorised access to data upon request for these kinds of enquiries.
At Phishing Tackle, we know all too well that security technology is often left incorrectly configured, demonstrated by our free Domain Spoofing Test which currently gets past around 50% of users security systems.
Security Awareness Training remains one of the most cost-effective methods of boosting cyber-security within your business. Have a look at our free Click-Prone® Test to find out how many of your staff are susceptible to a phishing attack and learn how you can reduce this number today.