Crime as a service: Five operations that changed cybercrime

According to the FBI, global losses linked to cybercrime exceeded $20 billion in 2025 — 26% more than the year before. Digital fraud no longer depends on highly specialised attackers: today there are platforms offering ready-to-use tools, admin panels and services designed to run fraudulent campaigns at scale.

This model, known as Crime-as-a-Service (CaaS), works like any legitimate digital service. One provider builds the infrastructure and tools; other actors use them to launch phishing campaigns, identity impersonation, telephone fraud or credential theft. Within this ecosystem, fraud-as-a-service (FaaS) is the subtype focused specifically on financial and identity fraud.

The emergence of these services has changed the way cybercrime operates, lowering the technical barriers needed to run complex attacks at scale.

Below, we look at some of the most significant cases of crime-as-a-service and how this model is impacting sectors such as banking, fintech and digital services.

ShinyHunters: A Recent Case of Social Engineering at Global Scale 

ShinyHunters has been linked to an attack in May 2026 against Canvas, an educational platform used by more than 30 million users and 8,000 institutions worldwide.

The group, which is still active, uses social engineering and credential theft to access corporate systems and cloud environments, with no need to exploit technical vulnerabilities. Its main techniques include vishing (fake tech support calls), impersonation of internal employees, credential and OAuth abuse, and access to legitimate SaaS platforms.

The incident affected universities including Harvard, Princeton and Columbia, causing operational disruptions during final exam season and the appearance of extortion messages inside the platform.

This case reflects fraud’s evolution towards hybrid models where compromised identity and trust manipulation become the primary attack vector.

Russian Coms: Subscription Vishing with 24/7 Support

Russian Coms was part of a network of fraudulent call centres dismantled in 2025 in an international operation coordinated by Eurojust. The group operated as an organised telephone fraud structure that defrauded victims across Europe of more than €10 million.

Around 100 people worked across the call centres, with defined roles ranging from placing fraudulent calls to forging banking and police documents.

The core of the fraud relied on advanced social engineering techniques. Operators impersonated banks, police officers and financial authorities to generate urgency and credibility, guiding victims into transferring funds or granting access to their accounts.

LabHost: The Phishing-as-a-Service Platform Europol Took Down 

LabHost was one of the most sophisticated phishing-as-a-service platforms in recent years. It operated on a subscription model that allowed anyone — with or without technical knowledge — to launch phishing campaigns using ready-made admin panels and templates that mimicked banks, postal services and major companies.

The platform was dismantled in 2024 in an international operation coordinated by Europol and subsequently investigated by the FBI. Authorities identified a network of more than 42,000 phishing domains linked to the operation, used to impersonate legitimate entities and distribute campaigns on a global scale.

The scale of the operation gives a sense of its real impact: LabHost amassed more than 10,000 active users, stored over one million stolen credentials and compromised around 500,000 credit cards.

Genesis Market: Stolen Identity as a Product

Genesis Market was one of the largest platforms for buying and selling compromised digital identities, dismantled in 2023 in an international operation coordinated by Europol, Eurojust and authorities from the United States and the Netherlands. The operation involved more than 100 simultaneous arrests and raids across multiple countries.

Genesis Market sold direct access to already compromised digital identities. Its main product was so-called “bots”: packages that included stolen credentials, cookies, active sessions, browsing histories and data stored on infected devices. At the time of its takedown, the platform offered access to more than 1.5 million bots associated with around 2 million compromised digital identities worldwide.

iSpoof: The Precedent of Phone Spoofing-as-a-Service 

iSpoof was dismantled in 2022 in one of the largest anti-fraud operations led by Scotland Yard, with international support from Europol. The platform was used to impersonate banks, tax agencies and other trusted entities via telephone calls, making the numbers displayed appear legitimate through caller ID spoofing techniques.

The reach of the service was global. It is estimated to have affected more than 200,000 victims, with total losses exceeding €115 million and 142 people arrested in connection with the operation.

Unlike other platforms focused on infrastructure or attack automation, iSpoof operated at the most sensitive layer of fraud: the perception of trust. It did not need to steal credentials directly — its value lay in making the victim believe they were talking to their own bank.

Comparative Table: Five Crime-as-a-Service Operations 

| Operation | Coordination | Modality · Pricing | Impact | Status |
|---|---|---|---|---|
| ShinyHunters | | Social engineering / credential theft · Not commercialised | >30M users exposed · 8,000 institutions | Active · 2026 |
| Russian Coms | Eurojust | Vishing-as-a-Service · ~£350/month | 1.3M calls · 500,000 UK numbers · >€10M in losses | Dismantled · 2025 |
| LabHost | Europol (19 countries) | Phishing-as-a-Service · ~$249/month | 10,000 users · 42,000 domains · 500,000 cards compromised | Dismantled · 2024 · 37 arrested |
| Genesis Market | Europol / Eurojust · US / Netherlands | Stolen identity marketplace · Per bot / access | 1.5M bots · 2M identities compromised | Dismantled · 2023 · >100 arrested |
| iSpoof | Met Police / Europol | Phone spoofing-as-a-Service · Subscription | >200,000 victims · >€115M in losses | Dismantled · 2022 · 142 arrested |

How to Respond to Crime-as-a-Service

Post-LabHost blockchain analysis revealed that 20 shared wallets had also transacted with iSpoof, moving over $5.3 million in Bitcoin between the two platforms. The same actors were combining phishing, vishing and spoofing within a single operation. This componentisation logic is precisely what makes digital fraud no longer dependent on advanced technical knowledge: today there are platforms that allow anyone to buy infrastructure, impersonate trusted channels or access compromised identities directly.

For sectors such as banking and fintech, this means reinforcing prevention at different points along the digital journey:

  • Continuous identity verification: Validating a user at account opening is no longer enough. Sensitive operations, device changes or unusual access patterns require additional controls to confirm that the person behind the interaction is still the legitimate one.
  • Protection of vulnerable channels: Cases like iSpoof show how phone calls, SMS or account recovery processes can become critical fraud points without robust anti-fraud solutions in place.
  • Early detection of anomalous behaviour: Many crime-as-a-service platforms allow attacks to be automated at high speed. Identifying atypical access, browsing or transaction patterns helps stop fraudulent operations before they complete.
  • Coordination across teams and channels: Fraud no longer happens at a single point. An attack can start with phishing, continue with a fake call and end with access to a compromised account. Reducing risk requires connecting signals across digital, operational and customer service channels.
  • Education against social engineering: Even as tools evolve, many campaigns still rely on generating urgency or trust in the victim. Keeping users and teams informed remains one of the most effective barriers against fraud.
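
The cross-channel correlation and step-up verification described in the list above can be sketched as follows. This is an added example, not code from the article or from any vendor; the signal names, weights, thresholds and sample events are hypothetical and constructed for illustration.

```python
from datetime import datetime, timedelta

# Hypothetical signal names, weights and thresholds; not taken from the article.
WEIGHTS = {
    "phishing_link_click": 30,     # digital channel (mail/web gateway)
    "login_new_device": 25,        # digital channel (auth logs)
    "account_recovery": 25,        # operational channel (recovery workflow)
    "suspicious_call_report": 30,  # customer service (reported fake "bank" call)
}
SENSITIVE = {"transfer", "add_payee"}   # operations that may need step-up
WINDOW = timedelta(hours=24)            # look-back period for prior signals
CROSS_CHANNEL_BONUS = 20                # extra risk when signals span channels
STEP_UP_AT = 60

# Constructed sample events: (user, ISO timestamp, channel, type).
EVENTS = [
    ("bob",   "2025-03-01T08:00", "digital", "login_new_device"),
    ("bob",   "2025-03-01T08:30", "digital", "transfer"),
    ("alice", "2025-03-01T09:00", "digital", "phishing_link_click"),
    ("alice", "2025-03-01T09:40", "customer_service", "suspicious_call_report"),
    ("alice", "2025-03-01T10:05", "digital", "login_new_device"),
    ("alice", "2025-03-01T10:10", "digital", "transfer"),
    ("carol", "2025-03-01T11:00", "digital", "phishing_link_click"),
    ("carol", "2025-03-04T12:00", "digital", "transfer"),
]

def evaluate(events):
    """Score each sensitive operation from the same user's prior signals."""
    rows = sorted(((u, datetime.fromisoformat(ts), ch, t) for u, ts, ch, t in events),
                  key=lambda r: r[1])
    out = []
    for user, ts, _, op in rows:
        if op not in SENSITIVE:
            continue
        # Risk signals for this user inside the look-back window, any channel.
        prior = [(ch, t) for u, when, ch, t in rows
                 if u == user and t in WEIGHTS and timedelta(0) <= ts - when <= WINDOW]
        score = sum(WEIGHTS[t] for t in {t for _, t in prior})
        if len({ch for ch, _ in prior}) >= 2:  # chain spans more than one channel
            score += CROSS_CHANNEL_BONUS
        out.append((user, op, score, "step_up" if score >= STEP_UP_AT else "allow"))
    return out

if __name__ == "__main__":
    for row in evaluate(EVENTS):
        print(row)
```

A single new-device login stays under the threshold, while the phishing click, reported call and new device seen together within a day push the transfer into step-up verification; a signal older than the window no longer counts.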

Crime-as-a-Service will keep evolving alongside automation and artificial intelligence. Organisations need to combine technology, identity verification and continuous monitoring to stay ahead of increasingly sophisticated threats and protect trust in digital environments.

Frequently Asked Questions 

Crime-as-a-Service (CaaS) is a criminal business model where specialised groups sell fraud tools, infrastructure and 24/7 support to other criminals through monthly subscriptions, with plug-and-play architecture that removes the need for technical skill.

Crime-as-a-Service (CaaS) is the umbrella term for any subscription-based criminal service: malware, ransomware, phishing, spoofing, vishing. Fraud-as-a-Service (FaaS) is a subtype focused specifically on financial and identity fraud. LabHost is FaaS operating inside the wider CaaS ecosystem.

Operation Nebulae was an international takedown coordinated by Europol in April 2024 that dismantled LabHost, one of the largest phishing-as-a-service platforms in the world. 19 countries took part, 70 simultaneous raids were carried out and 37 people were arrested.

Russian Coms ran as criminal “Tech Support as a Service”: for £350 a month it offered 5,000 minutes of encrypted calls, 24/7 support, hold music and voice changers. It placed 1.3 million fake calls impersonating banks to 500,000 UK numbers, causing tens of millions of pounds in losses. 

Post-LabHost blockchain analysis showed that 20 wallets had transacted with both LabHost and iSpoof, moving over $5.3M in Bitcoin between the two platforms. The same threat actors combine specialised services — phishing, spoofing, vishing — in a single operation. Today’s cybercrime logic is one of componentisation.