Cybercriminals Implemented Artificial Intelligence (AI) for Invoice Fraud

Resecurity uncovered a cybercriminal group known as the GXC Team, led by googleXcoder, that developed AI-powered tools for invoice fraud, wire transfers, and business email compromise (BEC). Their AI-enabled toolset includes FraudGPT/WormGPT-based platforms and a premium service called Business Invoice Swapper, which offers multilingual capabilities, Telegram reporting, and rental pricing, and is now being offered on the Dark Web market. #GXC_Team #FraudGPT #WormGPT #BusinessInvoiceSwapper #InvoiceFraud #BEC

Key points

  • The GXC Team, led by googleXcoder, is marketing AI-powered tools for online banking theft, e-commerce fraud, and BEC/invoice fraud on the Dark Web.
  • They unveiled an AI-driven tool called Business Invoice Swapper (Dec 30, 2023) offering subscription plans from $2,000/week or a $15,000 one-time access fee.
  • AI platforms like FraudGPT and WormGPT enable scalable BEC campaigns, content generation for fraud, deepfakes for social engineering, and money-mule operations.
  • The group released a wide array of phishing kits (e.g., Office 365) with 2FA/OTP interception capabilities and targeted crypto-asset platforms (Coinbase, Binance, AAVE, DAO Maker, DYDX).
  • They also built a Fake Shop System 4.0 with 400+ products, multilingual fake storefronts, real-time victim monitoring, and autonomous “silent send” fund transfers to preselected wallets.
  • The toolkit extends to attacks against postal services, banks, and e-government sites (Spain, Australia) with identity-theft and credential-phishing components.

MITRE Techniques

  • [T1566.001] Phishing – Phishing kits sold on the group's forums are used to harvest credentials and bypass security measures; for example, an Office 365 phishing kit with 2FA interception. [‘phishing kit designed for Office 365, equipped with support for two-factor authentication (2FA)’]
  • [T1071.001] Web Protocols – Telegram-based reporting and communications for C2-like channels; the tool sends reports to a designated Telegram channel. [‘reports to a designated Telegram channel, serving as an alternative to traditional command-and-control (C2C) communication’]
  • [T1078] Valid Accounts – Operators input compromised email accounts to scan for invoices and perform fraud. [‘The operator must input a list of compromised email accounts to be scanned.’]
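The invoice-swapping workflow above (a tool reads invoices out of compromised vendor mailboxes and the victim receives one carrying attacker-controlled payment details) is best countered at the accounts-payable side. The following is an added detection example, not code from the Resecurity report or the GXC Team's tooling: it checks an inbound invoice's sender domain and IBAN against a constructed vendor master record, validates the IBAN checksum, and flags bank-change language. The vendor domains are taken from the report's abused-account list; the IBANs are the standard published example IBANs and are constructed, not real vendor data.

```python
"""Flag invoices whose payment details differ from the vendor record.
Added example (not from the report); vendor data below is constructed."""
import re

# Constructed vendor master data: sender domain -> IBAN verified out of band.
# Domains mirror the report's abused-account list; IBANs are public examples.
VENDOR_MASTER = {
    "colonialsud.it": {"iban": "IT60X0542811101000000123456"},
    "pembery.co.uk": {"iban": "GB29NWBK60161331926819"},
}

# IBAN written with or without the usual 4-character spacing.
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}(?:[ ]?[A-Z0-9]){11,30}\b")
BANK_CHANGE_RE = re.compile(
    r"new bank|updated (?:our )?(?:bank|account) details|changed our bank", re.I)


def iban_checksum_ok(iban: str) -> bool:
    """ISO 7064 mod-97 check: a fabricated or mistyped IBAN fails here."""
    rearranged = iban[4:] + iban[:4]              # move country+check digits to the end
    digits = "".join(str(int(ch, 36)) for ch in rearranged)  # A=10 ... Z=35
    return int(digits) % 97 == 1


def sender_domain(from_header: str) -> str:
    match = re.search(r"@([\w.-]+)", from_header)
    return match.group(1).lower() if match else ""


def assess_invoice(from_header: str, body: str) -> list:
    """Return a list of findings; an empty list means the invoice looks consistent."""
    findings = []
    domain = sender_domain(from_header)
    vendor = VENDOR_MASTER.get(domain)
    if vendor is None:
        findings.append(f"unknown vendor domain: {domain}")
    for match in IBAN_RE.finditer(body):
        iban = match.group(0).replace(" ", "")
        if not iban_checksum_ok(iban):
            findings.append(f"invalid IBAN checksum: {iban}")
        elif vendor and iban != vendor["iban"]:
            # The classic swap: known vendor, known mailbox, different payee account.
            findings.append(f"payment details differ from vendor record: {iban}")
    if BANK_CHANGE_RE.search(body):
        findings.append("bank-change language in body")
    return findings
```

Any finding should route the invoice to manual verification via a phone number held on file, never one printed in the email itself.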

Indicators of Compromise

  • [Email Addresses] Abused Email Accounts – scarico@colonialsud[.]it, john218@pembery[.]co[.]uk, and 2 more examples
  • [MX Records] Mail Exchange (MX) Records – mx[.]sincrono[.]it, mx[.]doriapamphilj[.]it, and 2 more items

Read more: https://www.resecurity.com/blog/article/cybercriminals-implemented-artificial-intelligence-ai-for-invoice-fraud