AFP intelligence leads to eight arrests over phishing kits

Malaysian authorities have arrested eight people for their alleged role in an international criminal syndicate which developed phishing kits targeting Australian Government websites.

The AFP’s Joint Policing Cybercrime Coordination Centre (JPC3) developed and provided intelligence to the Royal Malaysian Police (RMP), which identified a Malaysian national advertising phishing kits targeting the Australian Government’s myGov website.

The intelligence outlined the operation and architecture of the phishing service, and identified a connection with a ‘bulletproof’ hosting service to facilitate the criminal activity.

It was alleged the kits contained phishing templates and scripts replicating government websites in Malaysia, Australia and the United States, and were being sold to cybercriminals to allow them to send phishing attacks and obtain victims’ credentials.

In a separate investigation, the Federal Bureau of Investigations (FBI) linked the ‘bulletproof’ hosting service to an alleged organised criminal syndicate.

Further enquiries by the RMP, FBI and the AFP revealed a Malaysian man, 35 who advertised the kits had used the services of a Malaysian-based technology park to physically host a number of computer servers and hardware responsible for the ‘bulletproof’ hosting service.

RMP officers arrested the man following a search warrant of his home in Borneo on 6 November, 2023, with officers identifying a large number of usernames, passwords and cryptocurrency wallet seed phrases during the search. FBI officers assisted with this activity.

Simultaneously, RMP members executed a search warrant at the technology park, with the RMP seizing four servers, power cables, monitors and a modem. The AFP assisted with this activity.

The man, and seven other individuals who were allegedly mules for the man, were arrested and charged under Malaysian law.

It was alleged officers identified a server which held more than 16 virtual machines that ran a variety of operating systems and services to support the hosting service.

Investigators seized more than 60 terabytes of data across the police activity, including three servers and one network storage device.

AFP Acting Detective Superintendent Darryl Parrish said Australians lost over $24.6 million to phishing attacks last year.

“Cybercriminals will use any tools and tricks to exploit people for their own profit – in this case, it is mimicking trusted government websites,” Acting Det-Supt Parrish said.

“The AFP is committed to working with our valued law enforcement partners to track down cybercriminals and bring them to justice, regardless of where they are in the world.

“This case highlights how vital it is for law enforcement agencies to share intelligence and resources globally, as crime is borderless.”

Bukit Aman Commercial Crime Investigation Department Director Datuk Seri Ramli Mohamed Yoosuf thanked AFP and FBI members for their collaboration.

“We believe that we should continue to synergise our resources in facing current and future challenges of ICT-driven technologies,” he said.

“The recent operations involving the three agencies to bust an online syndicate was a manifestation of this.”

FBI Legal Attaché Canberra Nitiana Mann said the FBI continues to work alongside our international partners to combat malicious cyber threats.

“We will continue to pursue cybercriminals for their reckless actions wherever they may be located in the world,” she said.

The JPC3 is a partnership between the AFP, Australian state policing agencies, foreign law enforcement, government and the private sector that was established in March 2022 to effectively combat cybercrime impacting Australians.

If you believe you are a victim of a phishing scam, or see any discrepancies in your bank account, please contact your bank and report the matter to Report Cyber.

If you need assistance with reporting cybercrime to police, please call the Australian Cyber Security Centre (ASCS) Hotline on 1300 CYBER1 (1300 292 371).

Learn more about how to protect yourself from phishing attacks by watching this short 90-second cybercrime prevention video.

/Public Release. View in full here.