483,000 Victims: Phishing Scam Unlocks Phones, Steals Data
In a landmark operation, law enforcement agencies from Spain and Latin America, with support from Europol, Ameripol, and cybersecurity leader Group-IB, successfully dismantled a notorious phishing network operating under the name “iServer.” Code-named “Operation Kaerb,” the coordinated effort led to the arrest of 17 cybercriminals involved in a global phishing scheme that primarily targeted mobile phone users. These criminals, operating across Argentina, Chile, Colombia, Ecuador, Peru, and Spain, exploited a sophisticated phishing-as-a-service platform to compromise over 1.2 million mobile devices, impacting 483,000 victims worldwide.
Unlike typical phishing platforms that focus on stealing login credentials for banking or social media accounts, iServer had a more specialized target: unlocking stolen or lost mobile phones. The platform’s operators created phishing pages mimicking popular cloud-based mobile services, tricking victims into sharing sensitive details like passwords, OTPs, and device-specific data, including IMEI numbers. The ultimate goal? Unlock devices that were either stolen or in “Lost Mode,” allowing criminals to effectively take ownership of the devices.
iServer’s phishing-as-a-service model | Image: Group-IB
Group-IB investigators revealed that the iServer platform functioned as a service marketplace, where the platform’s administrator provided access to “unlockers” who, in turn, facilitated phone unlocking services for criminals in need of access to compromised devices. The web-based platform streamlined phishing attacks, automating the creation and deployment of phishing pages that lured victims through SMS messages containing malicious links.
Though the iServer platform originated in Spanish-speaking countries, its reach expanded globally over the past five years. Investigations showed that the majority of victims hailed from Spain, Argentina, Colombia, and Peru, with additional victims in North America and Europe. Most were individuals who had lost their phones or were attempting to recover stolen devices. Instead of regaining access to their phones, they fell prey to phishing attacks designed to harvest their credentials.
Between September 10 and 17, 2024, Operation Kaerb culminated in a series of raids across six countries. Authorities conducted 28 searches and seized 921 items, including mobile phones, electronic devices, weapons, and vehicles. Among the 17 arrested was the platform’s mastermind, an Argentinian national believed to be the key operator behind iServer.
The iServer phishing platform operated with a degree of sophistication that made it accessible even to low-skilled cybercriminals. Criminals known as “unlockers” would initiate phishing campaigns by using iServer’s automated tools to create customized phishing pages. These pages often imitated well-known mobile cloud services. Victims, tricked into believing they were accessing legitimate services, would input sensitive details, which were immediately harvested and verified through the iServer interface.
Phishing message asking for passcode | Image: Group-IB
One key feature of iServer was the use of “redirector” links, which filtered potential victims to verify their suitability before leading them to the final phishing page. This ensured that only relevant targets were directed to the phishing pages, increasing the likelihood of successful attacks. Once victims provided the necessary credentials, unlockers could use the stolen information to bypass security features, such as “Lost Mode,” and unlink the devices from their rightful owners.
With over 480,000 victims already affected, law enforcement agencies and cybersecurity experts urge mobile users to remain vigilant, particularly when dealing with recovery processes for lost or stolen devices. Stronger security measures, awareness campaigns, and technological safeguards will be essential to combat the evolving threat landscape that criminal platforms like iServer continue to shape.
