A 26-year-old Algerian national who allegedly ran two criminal marketplaces selling phishing kits and bulk SMS fraud infrastructure has been extradited from Spain to the United States to face federal bank fraud conspiracy charges, authorities announced.
The Defendant and the Charges
Abdellah Belmili, also known online as Spox and Dila Belmili, was arrested in Spain before being transferred to U.S. jurisdiction. He faces charges of conspiracy to commit bank fraud — a charge that carries a maximum sentence of 30 years in federal prison if convicted. Prosecutors allege Belmili ran a criminal services operation that enabled large-scale phishing campaigns targeting customers of major financial institutions on both sides of the Atlantic.
Two Marketplaces, One Criminal Operation
Federal investigators say Belmili operated two sequential criminal marketplace platforms. The first, Market0Day, ran from September through December 2020. After that platform’s run, Belmili launched Spoxy as its successor, expanding the range of services on offer.
How Market0Day and Spoxy Enabled Phishing-as-a-Service at Scale
Spoxy went beyond selling phishing kits. Prosecutors allege the platform also operated a bulk SMS service that enabled customers to blast phishing messages to large volumes of potential victims — effectively offering phishing-as-a-service infrastructure that allowed criminal buyers with limited technical capability to run their own fraud campaigns using Belmili’s tooling and distribution infrastructure.
Approximately $900,000 in fraud proceeds were deposited into accounts under Belmili’s control across the operation’s lifespan, according to the indictment. Around 5,600 victims — located in the United States and internationally — have been identified as having been targeted through infrastructure connected to his platforms.
Financial Institutions in the Crosshairs
The phishing kits and campaigns sold through Belmili’s marketplaces specifically targeted customers of some of the largest financial institutions in the United States. American Express, Bank of America, JPMorgan Chase, and Wells Fargo were among the named targets. UK-based financial institutions were also included in the targeting scope, reflecting the cross-border nature of the fraud operation.
Phishing kits sold through Market0Day and Spoxy were designed to mimic the login pages and customer-facing interfaces of these institutions — capturing usernames, passwords, and in some cases multi-factor authentication tokens from victims who believed they were interacting with legitimate banking portals.
Criminal Infrastructure-as-a-Service
The Belmili case exemplifies what law enforcement has described as the professionalization of cybercrime infrastructure. Rather than directly conducting fraud himself, Belmili allegedly served as a supplier — providing the technical tools (phishing kits), the delivery mechanism (bulk SMS), and the distribution channel (criminal marketplace) that enabled downstream fraud operators to target banking customers at scale.
This infrastructure-as-a-service model allows criminal actors with varying levels of technical sophistication to participate in large-scale phishing operations by purchasing ready-made components. The result is a multiplier effect: a single marketplace operator can enable dozens or hundreds of individual fraud campaigns, each targeting thousands of potential victims.
Bulk SMS Smishing as a Primary Delivery Mechanism in Belmili’s Operation
The use of bulk SMS as a delivery channel is particularly notable. SMS-based phishing — commonly called smishing — has grown significantly as a fraud vector as criminals have adapted to increased consumer skepticism of email-based lures. SMS messages, particularly those impersonating banks with urgent security alerts, continue to achieve high engagement rates among targeted recipients.
Impact and Industry Consequences
The successful extradition of Belmili from Spain demonstrates the growing reach of U.S. federal jurisdiction in cross-border cybercrime cases and the effectiveness of international law enforcement cooperation in pursuing criminal marketplace operators who have historically relied on geographic distance as a form of protection.
For the financial services sector, the case reinforces the scale of phishing-enabled fraud losses across major U.S. institutions and highlights the role that underground marketplace infrastructure plays in enabling consumer-facing attacks. With 5,600 confirmed victims and $900,000 in traced proceeds, the Belmili operation — while not the largest ever prosecuted — represents a significant slice of the phishing ecosystem that financial institutions’ fraud teams work to defend against daily.
The 30-year maximum sentence Belmili faces reflects how seriously federal prosecutors treat the operation of criminal cybercrime infrastructure, even when the operator is positioned as a supplier rather than a direct perpetrator of individual fraud incidents.
