Spain Dismantles “GXC Team” Crime-as-a-Service Network and Arrests 25-Year-Old Leader

Spanish authorities dismantled GXC Team, arresting “GoogleXcoder.” The CaaS network supplied phishing kits, Android malware, and voice-scam tools across countries; tools seized, funds recovered.

    Spanish law enforcement has dismantled a cybercrime syndicate known as the GXC Team and arrested its alleged leader, a 25-year-old Brazilian known by the alias “GoogleXcoder.” The nationwide operation targeted the group’s infrastructure and collaborators, seizing tools, finances and communication channels that powered a wide-ranging fraud ecosystem.

    The dismantling effort follows a year-long investigation involving Group-IB and the Guardia Civil, which traced the GXC Team’s operations back to 2023. The syndicate provided phishing kits, Android malware, voice-scam tools, and other fraud-tool services to criminal clients via Telegram and hacker forums. It targeted financial institutions, e-commerce, and transportation sectors across multiple countries, including Spain, Brazil, the UK, the US and several EU member states.

    “The Civil Guard has dismantled one of the most active criminal organizations in the field of phishing in Spain, with the arrest of a 25-year-old Brazilian young man considered the main provider of tools for the massive theft of credentials in the Spanish-speaking environment,” the Guardia Civil said.

    GXC Team Ran Phishing Kits and Malware Service Across Multiple Jurisdictions Before Arrests

    GXC Team offered Crime-as-a-Service (CaaS) tools and infrastructure, with at least 250 phishing sites replicating sites of Spanish and international banks and governmental portals. The group developed at least nine Android malware variants capable of intercepting SMS messages and one-time passwords. Voice-scam modules were also integrated into its offerings. Criminal clients could purchase pre-built phishing infrastructure, rent Android trojans, or request modifications and updates to existing kits for specific targets or campaigns.

    Authorities determined that the syndicate’s campaigns resulted in financial losses amounting to millions of euros across impacted victims. The operation’s infrastructure was built to support widespread credential theft and account takeover, often relying on phishing lure pages and Android malware distribution.

    Law enforcement executed coordinated raids across six Spanish provinces including Cantabria, Valladolid, Zaragoza, Barcelona, Palma de Mallorca, San Fernando, and La Línea de la Concepción. Investigators seized electronic devices containing source code for phishing kits, malware samples, client communications, and financial records. Various Telegram channels used to distribute tools and direct campaigns were also shut down. Cryptocurrency wallets tied to proceeds were identified and funds recovered.

    GoogleXcoder Arrested After Prolonged Tracing of Cryptocurrency and Phishing Infrastructure

    The alleged leader, “GoogleXcoder,” was arrested in San Vicente de la Barquera in Cantabria during the operation. He operated using multiple false identities, frequently moved between provinces and procured services and infrastructure under masked names and identities. His role was as a central tool-provider in the GXC Team ecosystem, handling technical development, coordination of phishing campaigns, malware distribution and customer support for other cybercriminal users.

    Investigators conducted forensic analysis over more than a year, correlating cryptocurrency transaction records, intercepted communications, digital footprints and malware deployment logs to reconstruct the network’s structure. The analysis revealed connections to at least six other individuals directly assisting in tool deployment, campaign execution or malware distribution. The criminal network reached across national boundaries—affecting victims and affiliates in Spain, Brazil, the UK, the United States and beyond.

    Financial disruption was part of the takedown: authorities located stolen funds spread across multiple digital platforms and began recovery efforts. Telegram-based sales and support channels used by GXC Team were disabled to prevent further use of the group’s market channels.

    Disruption Impacts Phishing Infrastructure and Signals Shift in Threat Service Models

    By dismantling the GXC Team’s operations and arresting its leader, Spanish authorities believe they have delivered a major disruption to Crime-as-a-Service infrastructure that powered phishing, credential theft, and malware campaigns across several industries and geographies. The seizure of phishing kit source code, control over Android malware samples, and compromised Telegram channels cut off access to many of the tools used by affiliates.

    Security experts suggest that this case demonstrates a rising trend of professionalized phishing platforms that include frequent updates, customer support for criminal users, payment flexibility (rentals and purchases), and AI-assisted features. The innovation and scale observed in the GXC Team operation—from both the tools offered and the campaign reach—pose increasing challenges to defenders and law enforcement alike.

    Investigations remain ongoing and authorities have indicated that additional arrests are possible as prosecutors analyze seized devices, collaborations, and campaign data. The dismantling is cited as a win for cross-border law enforcement cooperation, particularly between private intelligence firms and national police investigative units.
