“Steal everything from grandmothers”

GoogleXcoder is the alias of the 25-year-old Brazilian arrested in Cantabria a couple of weeks ago, accused of directing the largest banking phishing operation that Spain has suffered.

His group, ‘Team GXC’, cloned 35 financial institutions and emptied the accounts of thousands of clients. The Civil Guard arrested him along with six other members of the network after more than a year of monitoring.

Why it matters. This case marks a turning point in Spanish cybercrime. GXC did not only steal: according to a report by The World, they also rented their tools to other criminals for up to 900 euros a day.

The multiplier effect meant that each day brought dozens of impersonated banks and millions stolen. His name on Telegram sums up the philosophy: “Steal everything from grandmothers.”

The method. They combined traditional phishing with Android malware, a double scam that nullified any security barrier:

  1. First, they captured bank details through fake websites.
  2. The malware then collected additional documents, digital signatures, and passwords.

With that arsenal, they emptied accounts without leaving any apparent trace.

The investigation. Group-IB, a cybersecurity firm that collaborates with Interpol, detected the threat in 2023. Anton Ushakov, its head of investigations in Europe, alerted the UCO of the Civil Guard when he confirmed that Spain was the epicenter. For months they tracked IP addresses bouncing around global servers until they located the mastermind: a digital nomad who changed provinces every few weeks.

GoogleXcoder used stolen identities for his phone lines and cards. He lived with his family, constantly moving between provinces, believing himself to be invulnerable. The agents followed him while they gathered enough evidence. They caught him in San Vicente de la Barquera, a town of fewer than 4,000 inhabitants, with his devices full of evidence as well as wads of cash.

The UCO has published both the moment of his arrest and a recording of the tool used.

The scope. The network operated from Spain but its tentacles reached Slovakia, the United Kingdom, the United States and South America. Six people directly linked to it were arrested in simultaneous operations in Valladolid, Zaragoza, Barcelona, Palma, San Fernando and La Línea. The forensic analysis of their cryptocurrencies took more than a year due to the complexity of the network.

The collaboration between Group-IB and the UCO sets a precedent:

  • Until now, private cybersecurity companies mainly worked with Europol or Interpol.
  • This time, having identified a specific threat against Spain, they shared findings directly with national forces.

The result: one of the largest operations against cybercrime in our country, as recognized by the UCO itself.


Featured image | UCO
