
The Guardia Civil dismantled a banking phishing network


09/10/25 | News

The Civil Guard dismantled a banking phishing network and arrested the main developer of credential theft kits in Spain.

The developer, known as "GoogleXcoder," offered other criminals a range of phishing services, developing and selling phishing kits capable of cloning the websites of banking organizations and various government agencies.

This cybercriminal's criminal activity was known and pursued by other national and international police forces, as well as numerous cybersecurity organizations.

The investigation culminated in six raids and searches across Spain, the arrest of the main supplier of the phishing kits, and the identification of six individuals directly involved in the use of these services.

 


The Civil Guard has dismantled one of the most active phishing criminal organizations in Spain, arresting a 25-year-old Brazilian man believed to be the main supplier of tools for mass credential theft in the Spanish-speaking world.

Since 2023, a series of phishing campaigns have been unfolding across the country, in which cybercriminals have impersonated major government agencies and major Spanish banks to deceive victims and obtain their personal information. These credential theft campaigns have resulted in a significant number of victim complaints, the theft of millions of euros, and social unrest.

Due to the seriousness of the circumstances and the aggressive spread of the phishing campaigns, the Cybercrime Department of the Civil Guard's Central Operations Unit (UCO) has launched an investigation to identify not only the perpetrators but also the "mastermind" behind the development of the tools used by numerous criminal groups to commit fraud.

Investigators tracked down a developer known as "GoogleXcoder," who, using the Crime-as-a-Service (CaaS) model, offered other criminals a comprehensive phishing service. Specifically, the suspect developed and sold phishing kits capable of cloning the websites of banking institutions and all types of government agencies. His services included setup, technical support, and updates, which allowed him to consolidate a professional criminal organization.

Messaging group "Steal everything from grannies"

Cybercriminals, or "phishers," contacted GoogleXcoder via the Telegram messenger, received services from him for hundreds of euros per day, and abused these tools. The result in a single day: several dozen fake organizations, thousands of defrauded people, and millions of euros stolen. The sense of impunity among these criminals was so great that one of the messaging groups they used to commit fraud was called "Steal everything from grannies."

The man behind this pseudonym was completely unknown to law enforcement agencies, not only nationally but also internationally. Locating him required a complex operational investigation, as he frequently moved between different provinces of Spain and used phone numbers and payment cards under false names to avoid detection. His criminal activity allowed him to live the life of a "digital nomad" with his family.

During the main search in San Vicente de la Barquera (Cantabria), the man behind the "GoogleXcoder" identity was arrested, and electronic devices containing phishing kits for all the identities impersonated, the suspect's personal accounts, and conversations with dozens of cybercriminals were seized.

Forensic analysis of the seized devices and cryptocurrency transactions, which took over a year due to its complexity, allowed for the reconstruction of the entire criminal network, leading to the identification of six individuals directly involved in the use of these services.

Following an investigation conducted by the Investigative Court No. 1 of San Vicente de la Barquera (Cantabria), the operation culminated in six raids and searches of homes in various locations (Valladolid, Zaragoza, Barcelona, Palma de Mallorca, San Fernando, and La Línea de la Concepción), during which electronic devices were seized and funds associated with the money stolen from the victims, which had been stored on various digital platforms, were recovered.

The investigation is ongoing, and further action cannot be ruled out. The Telegram channels have already been deactivated, and the seized digital evidence is being analyzed, which may lead to the identification or arrest of the perpetrators.

The Brazilian Federal Police and the cybersecurity company Group-IB participated in the investigation.

For more information, please contact the press service of the Central Operations Unit at 91 503 13 27.


Information taken from the website Guardia Civil


 
 
 
