Skip to content

GXC Team is using and selling AI-powered phishing tools

  • by
  • 3 min read

A cybercriminal faction known as GXC Team, whose leader operates under the alias ‘googleXcoder’, has been actively deploying artificial intelligence in crafting tools for online banking theft, e-commerce deception, and internet scams.

Cybersecurity researchers from Resecurity exposed the tactics, techniques and procedures used by the GXC Team. The group placed multiple ads on various underground forums highlighting the use of advanced AI models to craft malicious tools.

The group’s nefarious activities reached new heights by introducing an AI-powered tool, Business Invoice Swapper. The tool is available for $2,000 per week or at a one-time fee of $15,000. This newly unveiled tool represents a dangerous evolution in cyber threats. The tool utilises proprietary algorithms to analyse compromised emails, identifying those related to invoices through POP3/IMAP4 protocols. Once detected, the tool alters the invoice banking information, leading to unverified payments and potential losses.

The Business Invoice Swapper tools allow threat actors to configure SMTP settings. | Source: Resecurity

The AI-driven tool’s multi-language capability allows the automatic scanning of messages, providing cybercriminals a considerable advantage. The interface includes options to configure SMTP settings for sending fabricated invoices and a feature to send reports to a designated Telegram channel, serving as an alternative to traditional command-and-control communication.

The GXC Team’s arsenal of tools extends beyond AI-powered invoice fraud. They have previously gained notoriety for creating various online fraud tools, including phishing kits, smashing kits, and compromised data checkers. Their targets span over 300 entities, including financial institutions, government services, postal services, cryptocurrency platforms, payment networks, and major international online marketplaces.

For example, one phishing kit that the threat actor offers for $900 is specially designed for Office 365 and has been used to target Humana, one of the largest health insurance companies in the United States.

Furthermore, the group has developed specialised kits for targeting postal services like USPS. The scammers used this kit to target An Post, a state-owned postal service in Ireland.

The group’s focus on Spanish language support is notable, with specialised phishing kits tailored for Spanish banks, including Evo Banco, Abanca, Banca March, and others. Their innovative tactics include creating fake mobile banking apps to intercept One-Time Passwords (OTP) and bypassing two-factor authentication mechanisms.

GXC Team also sells kits to set up fake online shops for phishing. | Source: Resecurity

GXC Team also made tools to target Coinbase users. Available for $900 and aimed at their Spanish customers, the kit is quite effective and includes a setting that the attackers can activate to send notifications via Telegram.

Researchers also uncovered the latest endeavours of the GXC Team, where they introduced a fake online shop system, capable of imitating well-known brands and intercepting credit card and OTP information. Priced at $4,000, this kit only requires the scammer to register a domain name resembling a genuine online shop.

Researchers have advised financial institutions to remain vigilant as the GXC Team expands its focus to include leading banks in the UK and the European Union.

In the News: Facebook’s new Link History feature is a privacy nightmare

Kumar Hemant

Kumar Hemant

Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: