22 July 2021

Group-IB helps Dutch police identify members of phishing developer gang Fraud Family

Group-IB, one of the leading providers of solutions dedicated to detecting and preventing cyberattacks, identifying online fraud, investigation of high-tech crimes and intellectual property protection, has assisted the Dutch National Police in the operation to apprehend alleged members of a cybercriminal group codenamed "Fraud Family." Group-IB’s Amsterdam-based team has identified the individuals behind the Dutch-speaking syndicate that develops, sells and rents sophisticated phishing frameworks and shared their findings with the authorities. According to the police, the operation resulted in the arrest of two suspects, a 24-year-old man and his 15-year-old accomplice, who are thought to be the developer and seller of the phishing frameworks distributed by the Fraud Family. The 24-year-old suspect will be brought arraigned before the examining magistrate in Rotterdam on Friday, while his 15-year-old accomplice has since been released pending further investigation.
A typical attack, analyzed by Group-IB researchers, started with an email, SMS, or WhatsApp message impersonating a real financial organization. Using well-known brands, fraudsters gained users’ immediate trust. These fake notifications contained malicious links to adversary-controlled phishing websites that steal payment info.

The detailed technical analysis of Fraud Family’s operations is available in Group-IB’s blog post.

Having analyzed the technical infrastructure and phishing templates used in these fraudulent campaigns, Group-IB researchers uncovered a massive Fraud-as-a-Service operation. The cybercriminal syndicate behind it, which develops, sells and rents sophisticated phishing frameworks to other cybercriminals, targeting users mainly in the Netherlands and Belgium, was codenamed Fraud Family. These frameworks include phishing kits — tools and resources used to steal information — and web panels that allow cybercriminals to interact with the actual phishing site in real time and are used to collect and manage the stolen user data. The complete „plug and play„ phishing service keeps the framework under control and prevents it from leaking to the public.

Group-IB’s cyber investigations experts found out that Fraud Family members actively use Telegram messenger to advertise their services to other less skilled fraudsters. These services included the sale of phishing tools or the rent of ready-to-use infrastructure that comes equipped with the phishing framework and anti-bot tools to prevent crawlers, automated analysis tools and services like VirusTotal and URLScan, and researchers from accessing the phishing sites. Any fraudster can rent the Express Panel for €200 per month or the Reliable Panel for €250.

Group-IB cyber investigations team discovered at least eight Telegram channels operated by the Fraud Family gang. The whole network of channels has close to 2,000 subscribers. Their most popular group has 640 members. According to Group-IB assessment, half of these users could be actual buyers.

We have analyzed the panel’s source code, found the roots of the threat, restored the timeline of its evolution. We’ve also examined groups and sellers that were distributing phishing panels and distinguished the core team — Fraud Family. During our research, we have observed group members, determined their roles and functions in the gang, collected their personal identifiers and provided the information to police.

Anton Ushakov

Anton Ushakov

Deputy Head of the Group-IB’s High-Tech Crime Investigation Department, Europe

Digital fraud such as phishing is a social problem that requires an integrated approach. This approach involves a joint effort between the Police, Public Prosecutors, banks, government agencies and others together for investigation, prosecution and prevention.

Witeke Koorn

Dutch Public Prosecutor, Attorney

Further findings indicate that all of the panels designed to target customers of the Dutch and Belgian banks are different versions, or forks, of U-Admin, which is the panel initially developed by a Ukrainian threat actor nicknamed Kaktys. It turned out that the market of phishing frameworks in the Netherlands and Belgium is being dominated by Fraud Family. The gang tuned and customized phishing frameworks like U-Admin and gave them new names.

Fraud Family’s panels inherited features of its initial version produced by the Ukrainian developer, which allowed us to track the panels and conduct investigation faster and more efficiently. Fraud Family distributed the panels only via Telegram, they didn’t have any Dark Web topics whatsoever. The way of conducting investigation in messengers is slightly different from classic underground forums. Based on our 18 years of hands-on experience, it was challenging not to track them but rather to attribute each panel or phishing website to a particular group because they used pretty much the same source code.

Roberto Martinez

Roberto Martinez

Senior Threat Intelligence analyst at Group-IB, Europe.

Group-IB is one of the leading providers of solutions dedicated to detecting and preventing cyberattacks, identifying online fraud, investigation of high-tech crimes and intellectual property protection, headquartered in Singapore. The company’s threat intelligence and research centers are located in the Middle East (Dubai), the Asia-Pacific (Singapore), Europe (Amsterdam), and Russia (Moscow).

Group-IB’s Threat Intelligence & Attribution system has been named one of the best in class by Gartner, Forrester, and IDC. Group-IB’s Threat Hunting Framework (earlier known as TDS) intended for the proactive search and the protection against complex and previously unknown cyberthreats has been recognized as one of the leaders in Network Detection and Response by the leading European analyst agency KuppingerCole Analysts AG, while Group-IB itself has been recognized as a Product Leader and Innovation Leader. Gartner identified Group-IB as a Representative Vendor in Online Fraud Detection for its Fraud Hunting Platform. In addition, Group-IB was granted Frost & Sullivan’s Innovation Excellence award for its Digital Risk Protection (DRP), an Al-driven platform for identifying and mitigating digital risks and counteracting brand impersonation attacks with the company’s patented technologies at its core.

Group-IB’s technological leadership and R&D capabilities are built on the company’s 18 years of hands-on experience in cybercrime investigations worldwide and 70,000 hours of cybersecurity incident response accumulated in our leading forensic laboratory, high-tech crime investigations department, and round-the-clock CERT-GIB. Group-IB is a partner of Europol.

Group-IB’s experience in threat hunting and cyber intelligence has been fused into an ecosystem of highly sophisticated software and hardware solutions designed to monitor, identify, and prevent cyberattacks. Group-IB’s mission is to fight high-tech crime while protecting our clients in cyberspace and helping them achieve their goals. To do so, we analyze cyber threats, develop our infrastructure to monitor them, respond to incidents, investigate complex high-tech crimes, and design unique technologies, solutions, and services to counteract adversaries.

Report an incident

Get 24/7 incident response assistance from our global team

APAC: +65 3159-3798
Europe: +31 20 226-90-90
EMA: +971 4 508 1605

Thank you for filling out the form! We will get back to you shortly.

We use cookies on the website to make your browser experience more personal, convenient and secure. You may block or manage the use of cookies, however, in some cases they’re essential to make this site work properly. Learn more about cookies in Group-IB Privacy And Cookies Policy.

Report an incident