Group-IB Intelligence Powers Spanish Guardia Civil Operation to Dismantle the “GXC Team” Cybercrime Syndicate

Group-IB, a leading creator of cybersecurity technologies to investigate, prevent, and fight digital crime, announced today its contribution to the operation led by the Spanish Guardia Civil that dismantled one of the country’s most active cybercrime networks. The operation resulted in the arrest of a 25-year-old Brazilian national known as “GoogleXcoder,” the mastermind behind the “GXC Team,” a threat actor known to operate a Crime-as-a-Service (CaaS) ecosystem providing AI-powered phishing kits and Android malware to cybercriminals targeting banks, transportation, and eCommerce in Spain, Slovakia, the UK, US, and Brazil. Besides the mastermind, the criminals who were running attacks with these tools were also identified and apprehended by Guardia Civil.

Group-IB’s GXC Team threat actor profile.

The nationwide action involved six coordinated raids and searches across Spain and led to the identification of several accomplices. Over the past year, investigators have tracked a wave of phishing campaigns that have resulted in millions of euros in financial losses. The arrest of “GoogleXcoder” neutralizes a key enabler of this criminal ecosystem and significantly disrupts the supply of tools used in widespread banking fraud schemes.

Suspects detained by law enforcement authorities in Spain. Image credit: Guardia Civil.

A Digital Nomad Behind a Crime-as-a-Service Network

Emerging in early 2023, “GoogleXcoder” operated a sophisticated underground business model offering phishing kits, Android malware, and AI-based tools through Telegram channels and the underground forum Exploit.in. His services enabled other criminals to impersonate legitimate financial institutions and deceive victims.

The platform’s offerings included:

  • Advanced phishing kits: capable of replicating the websites of 10 Spanish banks and more than 30 international institutions, including government portals.
  • Android malware: a malicious SMS-stealing trojan disguised as a banking app, capable of intercepting one-time passwords (OTPs) by becoming the user’s default messaging application.
  • AI-powered voice scams: an innovative tool integrated into the phishing kits that generated automated AI voice calls to trick victims into revealing two-factor authentication (2FA) codes.
  • Criminal support services: technical assistance, customization, and regular updates for criminal users.

One of the group’s Telegram channels was brazenly named “Steal everything from grandmas,” reflecting the group’s ruthlessness. To avoid capture, the suspect adopted a “digital nomad” lifestyle, frequently relocating between Spanish provinces and using stolen identities to secure housing, phone lines, and payment cards.

Group-IB Intelligence: From Visibility to Action

Following the discovery of the GXC Team, Group-IB’s Cybercrime Investigation team mapped the group’s technical infrastructure, uncovering over 250 phishing sites and nine strains of Android malware. This technical analysis allowed Group-IB to pivot to the threat actors’ digital identities, profiling them through their online activities. Finally, all of these findings were shared with the Spanish Guardia Civil.

Nationwide Raids and Arrest

As a result, Guardia Civil conducted simultaneous raids across Spain on the 20th of May 2025.

  • Arrest: “GoogleXcoder” was detained in San Vicente de la Barquera (Cantabria).
  • Nationwide searches: Additional operations were executed in Valladolid, Zaragoza, Barcelona, Palma de Mallorca, San Fernando, and La Línea de la Concepción.
  • Evidence seized: Authorities confiscated electronic devices containing phishing source code, communications with clients, and financial records.
  • Financial disruption: Following a complex, year-long forensic analysis of cryptocurrency transactions, authorities recovered stolen funds stored on various digital platforms and dismantled the Telegram channels used to orchestrate the scams.

“The emergence of AI-driven tools in cybercrime marks a dangerous evolution in how criminals deceive and exploit their victims. The ‘GXC Team’ case demonstrates how artificial intelligence can be misused to industrialize fraud and impersonation on an unprecedented scale. Group-IB was the first to investigate this AI-enabled framework, allowing us to support law enforcement in preventing its spread and mitigating its impact. We are grateful to the Spanish Guardia Civil for their tireless efforts in this operation. Through our ongoing partnership with law enforcement, Group-IB remains committed to dismantling these networks and protecting individuals and organizations from both financial loss and the erosion of trust in the digital ecosystem.”

Anton Ushakov

Head of Cybercrime Investigation, Europe at Group-IB

About The Guardia Civil

The Guardia Civil is the oldest law enforcement agency in Spain and one of the two national police forces. As part of its mission, the Department against Cybercrime of the Central Operational Unit (UCO) is dedicated to investigating and combating high-tech crimes, protecting citizens and infrastructure from complex digital threats.

About Group-IB

Founded in 2003 and headquartered in Singapore, Group-IB is a leading creator of cybersecurity technologies to investigate, prevent, and fight digital crime. Combating cybercrime is in the company’s DNA, shaping its technological capabilities to defend businesses, citizens, and support law enforcement operations.

Group-IB’s Digital Crime Resistance Centers (DCRCs) are located in the Middle East, Europe, Central Asia, and Asia-Pacific to help critically analyze and promptly mitigate regional and country-specific threats. These mission-critical units help Group-IB strengthen its contribution to global cybercrime prevention and continually expand its threat-hunting capabilities.

Group-IB’s decentralized and autonomous operational structure helps it offer tailored, comprehensive support services with a high level of expertise. We map and mitigate adversaries’ tactics in each region, delivering customized cybersecurity solutions tailored to risk profiles and requirements of various industries, including retail, healthcare, gambling, financial services, manufacturing, crypto, and more.

The company’s global security leaders work in synergy with some of the industry’s most advanced technologies to offer detection and response capabilities that eliminate cyber disruptions agilely.

Group-IB’s Unified Risk Platform (URP) underpins its conviction to build a secure and trusted cyber environment by utilizing intelligence-driven technology and agile expertise that completely detects and defends against all nuances of digital crime. The platform proactively protects organizations’ critical infrastructure from sophisticated attacks while continuously analyzing potentially dangerous behavior all over their network.

The comprehensive suite includes the world’s most trusted Threat Intelligence, the most complete Fraud Protection, AI-powered Digital Risk Protection, multi-layered protection with Managed Extended Detection and Response (XDR), all-infrastructure Business Email Protection, and External Attack Surface Management.

Furthermore, Group-IB’s full-cycle incident response and investigation capabilities have consistently elevated industry standards. This includes the 77,000+ hours of cybersecurity incident response completed by our sector-leading DFIR Laboratory, more than 1,400 successful investigations completed by the High-Tech Crime Investigations Department, and round-the-clock efforts of CERT-GIB.

Time and again, its solutions and services have been revered by leading advisory and analyst agencies such as Aite Novarica, Gartner®, Forrester, Frost & Sullivan, KuppingerCole Analysts AG, and more.

Being an active partner in global investigations, Group-IB collaborates with international law enforcement organizations such as INTERPOL, EUROPOL and AFRIPOL to create a safer cyberspace. Group-IB is also a member of the Europol European Cybercrime Centre’s (EC3) Advisory Group on Internet Security, which was created to foster closer cooperation between Europol and its leading non-law enforcement partners.