Fighting Cyber-Enabled Fraud 2025

Phishing is often framed as a purely social engineering challenge, but its persistence and evolution are deeply tied to the digital infrastructure services that underpin the internet. Malicious actors exploit domain names, transport layer security (TLS) certificates, web-hosting platforms, reverse proxies and other digital infrastructure services to set up and scale phishing schemes, evade detection and increase their credibility with targets (see Box 2). This infrastructure – designed to support legitimate online activity – can be repurposed by threat actors for malicious purposes. Effective efforts to combat phishing require defenders to work collaboratively across the ecosystem, while implementing trust measures in ways that minimize inconvenience for legitimate users and preserve the internet’s benefits. Phishing-as-a-service: Crime in a box BOX 2 Phishing-as-a-service (PhaaS) – a subset of the broader portfolio of crime-as-a-service (CaaS) offerings – has transformed phishing from a technique requiring technical skill into a commodity. Criminal groups sell ready-made phishing platforms, lowering the barrier of entry for less technically adroit actors and dramatically scaling the reach of attacks. Law enforcement has been actively disrupting PhaaS operations; some recent examples include: Realtime-Phishing: A 2025 joint police operation led to the arrest of a university student in the UK who sold more than 1,000 phishing kits used to target banks and institutions worldwide, causing losses of at least £100 million globally.11 16shop: An International Criminal Police Organization (INTERPOL)-led operation in 2023 shut down this phishing platform, leading to arrests in Indonesia and Japan. 16shop sold phishing kits that enabled attacks against more than 70,000 victims in 43 countries.12 LabHost: A European Union Agency for Law Enforcement Cooperation (Europol)-coordinated action in 2024 involving 19 countries dismantled this platform, arresting 37 suspects.13 With 10,000 users and links to 40,000 phishing domains, LabHost offered subscription-based services such as phishing kits, hosting and LabRat, a tool for stealing credentials and bypassing two-factor authentication.14 Operation First Light 2024: A global police operation spanning 61 countries targeted phishing, fraud and impersonation scams. It resulted in 3,950 arrests, the identification of more than 14,600 suspects and the seizure of $257 million in assets, including cash, cryptocurrency, real estate and luxury goods.15 Phishing, as part of the broader category of online scams, tops the list of cybercrimes INTERPOL’s membership is tackling now, both by volume and economic impact. INTERPOL is actively working with partners worldwide to help law enforcement combat transnational cybercrime more effectively – and calls on all stakeholders to join these efforts. Neal Jetton, Cybercrime Director, INTERPOLPlatform set-up LabHost operated through the Lab-host.ru domain. Customer access LabHost provided online infrastructure and interactive functionality for its subscription-based services.Data collection Victims were deceived into submitting personal information such as date of birth, email address, passwords, home address and credit card details. Website spoofing Customers of LabHost used its services to create and manage more than 40,000 spoofed websites designed to look like legitimate business websites.Credential storage LabHost’s infrastructure stored more than 1 million user credentials and nearly 500,000 compromised credit card records.Financial exploitation Harvested personally identifiable information was used to carry out unauthorized financial transactions. Fighting Cyber-Enabled Fraud: A Systemic Defence Approach 8