GXC Team

GXC Team is a cybercrime group and crime-as-a-service (CaaS) operation dismantled by the Spanish Guardia Civil in May 2025 with assistance from Group-IB. The group was allegedly led by a 25-year-old Brazilian national using the alias GoogleXcoder. Reporting states that GXC Team emerged in 2023 and operated via Telegram and at least one Russian-speaking hacker forum, providing phishing kits, Android malware, AI-powered voice scam tools, and support services to other cybercriminals. The operation targeted banks, government entities, transportation organizations, e-commerce organizations, and online shops. Victims were reported in Spain, Slovakia, the United Kingdom, the United States, and Brazil. The phishing kits cloned legitimate websites, including those of 10 Spanish banks and more than 30 international institutions and government portals, to steal credentials. The Android malware was described as disguising itself as a banking app and stealing OTPs by becoming the primary messaging app; other reporting describes it as an SMS-stealing Android trojan. The voice scam tooling used AI-generated calls to trick victims into disclosing 2FA codes. Group-IB reported identifying more than 250 fake scam sites and nine malware types tied to the infrastructure. The tools were marketed through underground channels, including a Telegram group reportedly named "Steal everything from grandmas." Authorities stated the campaigns caused millions in losses over the past year. Spanish authorities conducted six searches across Spain, arrested the alleged mastermind in San Vicente de la Barquera, Cantabria, detained other criminals using the tools, seized electronic devices containing source code, communications, and financial records, deactivated Telegram channels associated with the operation, and recovered stolen funds moved through digital currencies. Known alias directly mentioned in the content: GoogleXcoder (alleged leader/operator associated with GXC Team).