Crime-as-a-Service Syndicate Dismantled: Spain Arrests “GoogleXcoder,” Alleged Leader of GXC Team

In Spain, authorities have concluded a large-scale operation targeting one of the most active cybercriminal groups operating within the Spanish-speaking segment of the internet. Law enforcement officers apprehended the alleged leader of the network, known by the alias GoogleXcoder — a 25-year-old Brazilian national. The arrest marked the culmination of a long-running investigation into the GXC Team, a cybercrime syndicate that offered paid services for phishing attacks and malware distribution.

Members of the group sold their tools through Telegram channels and hacker forums, offering phishing kits capable of generating counterfeit websites mimicking Spanish and international companies, Android malware designed to intercept one-time authentication codes, and AI-powered scripts for telephone-based scams.

According to Group-IB, the group’s operations served attackers based in Spain, Slovakia, the United Kingdom, the United States, and Brazil. In total, more than 250 phishing domains were deployed, while the group’s malicious toolkit included at least nine distinct variants of mobile malware.

The organizers provided technical support and customized configurations for each client’s needs, transforming the platform into a fully fledged cyberattack-as-a-service enterprise. The GXC Team operated under the “crime-as-a-service” model, enabling other criminals to rapidly launch and scale their malicious campaigns.

The coordinated police operation took place on May 20 across multiple Spanish regions — including Cantabria, Valladolid, Zaragoza, Barcelona, Palma de Mallorca, San Fernando, and La Línea de la Concepción. Authorities seized electronic devices containing source code for phishing tools, client communications, and financial records. Several Telegram channels used to advertise the services were also taken offline.

The official report on the operation highlights that investigators conducted an intricate analysis of cryptocurrency transactions and digital footprints, which proved essential in reconstructing the group’s structure and identifying six active members. The key breakthrough came from data recovered from devices belonging to the suspected ringleader, who had been arrested over a year earlier.

The investigation into the GXC Team’s operations remains ongoing, and additional arrests are expected. Spanish authorities have vowed to see the case through to completion and dismantle the network entirely, putting an end to the group’s criminal enterprise.

Support Our Threat Intelligence

If you find our technology report and cybersecurity news helpful, consider supporting our work.

Buy Me a Coffee PayPal Crypto

USDT (TRC20):

TN8BdV8cp4T1Cd28gK9qTAnZknzzuwyUtm Copy

USDT (ERC20):

0x3725e1a7d3bc5765499fa6aaafe307fabcd75bce Copy