Remko de Waal/ANP/AFP/Getty Images
EU agency Europol supported the UK's Metropolitan Police in the global operation against LabHost.
London CNN  — 

Law enforcement officials in 19 countries have shut down an online platform that earned at least $1 million by selling phishing kits to cybercriminals, helping them launch attacks on tens of thousands of people worldwide.

The operation, led by the Metropolitan Police in the United Kingdom, targeted LabHost, which officials said was set up in 2021 to make it easier for hackers to create fake websites aimed at tricking people into revealing email addresses, passwords and bank details.

Thirty-seven suspects were arrested, and more than 70 locations were searched in the UK and across the world between Sunday and Wednesday, the Metropolitan Police said in a statement.

“Since (its) creation, LabHost has received just under £1 million ($1,173,000) in payments from criminal users, many of whom Met cybercrime detectives have now been able to identify,” London’s police service said, adding that 2,000 users had registered with the site and were paying a monthly subscription.

LabHost had obtained 480,000 bank card numbers, 64,000 pin numbers, as well as more than 1 million passwords used for websites and other online services, it said.

European Union law enforcement agency Europol coordinated the police action internationally, working with the US Secret Service and Federal Bureau of Investigation, as well as authorities in countries as far apart as Australia and Finland. In a separate statement, Europol said four people linked to the running of LabHost, including the developer of the service, had been arrested.

At least 40,000 phishing domains, with about 10,000 users worldwide, had been uncovered by the investigation into LabHost, Europol said.

“With a monthly fee averaging $249, LabHost would offer a range of illicit services which were customizable and could be deployed with a few clicks,” it said.

“Depending on the subscription, criminals were provided an escalating scope of targets from financial institutions, postal delivery services and telecommunication services providers, among others.”

Among the services offered, Europol said, was a campaign management tool called LabRat, which allowed criminals to monitor and control phishing attacks in real time, and was designed to bypass enhanced security measures such as two-factor authentication.