Police Bust GXC Team, One of the Most Active Cybercrime Networks

The Spanish Guardia Civil, with assistance from the research firm Group-IB, has successfully dismantled one of the world’s most active online crime networks- the GXC Team. This nationwide operation, which saw six coordinated searches across Spain, ended in the arrest of the alleged mastermind on May 20, 2025.

The individual arrested in San Vicente de la Barquera, Cantabria, is a 25-year-old Brazilian national known online as GoogleXcoder. Authorities also detained other criminals who were actively using his illegal tools. It must be noted that over the last year, this group’s actions are believed to have caused financial losses amounting to millions of euros.

Emerging in early 2023, the suspect GoogleXcoder ran a Crime-as-a-Service (CaaS) operation. This means he was not always the one robbing people, but instead, he sold the specialised tools criminals needed to carry out massive scams.

These dangerous tools targeted institutions like banks, transportation companies, and online shops in several countries, including Spain, Slovakia, the UK, the US, and Brazil. He offered these kits on underground channels, even having a Telegram group shamelessly named “Steal everything from grandmas,” which shows their lack of conscience.

The service offered multiple high-tech tools, including:

Phishing Kits: These kits allowed other criminals to create fake websites that perfectly copied the online pages of 10 Spanish banks and more than 30 international institutions and government portals.

Android Malware: This was a malicious program disguised as a simple banking app. Once installed, it became the phone’s main messaging application and could steal One-Time Passwords (OTPs), which are the security codes you get via text.

AI Voice Scams: An innovative addition, these tools automatically generate realistic-sounding voice calls to trick victims into giving up their Two-Factor Authentication (2FA) codes, the extra security layer we rely on.

The operation was only possible after Group-IB mapped out the team’s entire setup, finding over 250 fake scam sites and nine different types of bad software. This intelligence was shared with the Guardia Civil’s Department against Cybercrime.

Investigation further revealed that GoogleXcoder lived as a digital nomad, constantly moving between Spanish regions and using stolen identities to rent homes and get new phone lines, making him difficult to track.

Following the evidence trail, the Guardia Civil conducted raids not only in Cantabria but also in cities like Valladolid, Barcelona, and Zaragoza. Authorities seized electronic devices containing the source code for the fake websites, records of communication with his criminal clients, and financial details. The year-long investigation also tracked and recovered stolen funds that had been moved through various digital currencies, finally dismantling the channels used to run the schemes.

“The ‘GXC Team’ case demonstrates how artificial intelligence can be misused to industrialise fraud and impersonation on an unprecedented scale. Group-IB was the first to investigate this AI-enabled framework, allowing us to support law enforcement in preventing its spread and mitigating its impact,” Group-IB’s head of cybercrime investigation in Europe, Anton Ushakov, concluded in the blog post.