Case Studies On Forensic Investigation Of AI-Assisted Phishing Campaigns

Case 1: Zak Coyne / “LabHost” Phishing Kit Service (UK, 2025)

Facts:

A 24‑year‑old (Zak Coyne) ran a subscription‑based service called “LabHost” (August 2021 – October 2023) providing phishing toolkits: fake webpages impersonating banks and governments, hosting infrastructure, and support to subscribers.

Practically a “one‑stop shop for phishing”: users paid a monthly fee for ready‑made phishing pages plus guidance.

Forensic/Investigation Details:

Law enforcement seized his computers and devices and traced financial flows, IP logs and the domain registrations of the phishing pages.

Forensic linking: many phishing campaigns were traced back to pages generated via LabHost; the DOM/HTML code was reused across campaigns, and timestamps and versions matched his infrastructure.

Legal Issues & Outcome:

He pleaded guilty to making/supplying articles for use in fraud, assisting offences, transferring/acquiring criminal property.

Sentenced to 8.5 years’ imprisonment (UK).

Significance:

Demonstrates the shift of phishing from the lone hacker to an organised “tool‑kit provider” model.

Shows the forensic importance of tracing toolkit infrastructure, domain churn and code reuse.

Legal precedent: supplying tools to phishing users is criminally liable, not just the end‑users who deploy them.

Case 2: China‑based Spear‑Phishing Campaign (U.S., 2024)

Facts:

Chinese national Song Wu was indicted in the U.S. (Northern District of Georgia) for a multi‑year spear‑phishing campaign: impersonation emails (purportedly from U.S. researchers/engineers) targeted NASA, the U.S. military/FAA and research universities.

Goal: obtain restricted software and source code for aerospace engineering and computational fluid dynamics.

Forensic/Investigation Details:

Email logs: accounts were created impersonating researchers, and the sender metadata was traced.

IP tracing and forensic mailbox analysis identified patterns of phishing “agent” accounts.

Victim organisations’ logs showed access attempts following the phishing emails.

Legal Issues & Outcome:

Charges: wire fraud, aggravated identity theft, unauthorized access to computers.

The case illustrates how phishing is used not only for credential theft but for high‑value intellectual property theft.

Significance:

Highlights spear‑phishing in a high‑tech/intelligence context; the toolsets may be automated or at least template‑based.

Forensic challenge: aggregating evidence across many victims and tracing the impersonation infrastructure.

The prosecution relies on existing statutes; redress for AI/automation‑enabled phishing would follow similar patterns.

Case 3: Audio Deep‑Fake Scam Targeting Business Leaders (Italy, 2025)

Facts:

Fraudsters used AI to clone the voice of the Italian Defence Minister and targeted business leaders (one transferred ~€1m), claiming urgent funds were needed for the release of journalists.

Victims included top‑level executives; the scam combined a voice component with a phishing component.

Forensic/Investigation Details:

Audio forensic examination: voice‑clone signatures, a match to the public figure’s voice, and logged timestamps of the calls.

Banking/financial logs traced the funds to offshore accounts; domain and phone‑number evidence was collected.

Evidence of a phishing email or voice request preceding the fund transfer.

Legal Issues & Outcome:

Fraud, impersonation and unauthorised fund transfer; AI voice cloning increases the complexity of phishing.

Authorities froze assets (~€1m) and opened an investigation; arrests are ongoing.

Significance:

Illustrates how “phishing” is evolving: not just email but vishing (voice phishing) with AI voice clones.

Forensics must include multimedia (voice clone detection) alongside standard phishing traces.

Legal systems will need to adapt to AI‑enabled impersonation in phishing contexts.

Case 4: Phishing Kit Developer (UK Student, 2025)

Facts:

A university student at Kent created and distributed phishing kits targeting 69 organisations across 24 countries.

He supported nearly 700 users and created over 1,000 kits; fraud losses tied to the kits exceeded tens of millions of pounds (GBP).

Forensic/Investigation Details:

Digital evidence: code on his device linking him to the kits; server logs of kit distribution; cryptocurrency wallet analysis of the revenues.

Victim logs: credential‑harvesting sites linked to his infrastructure, with domain registration records recovered from his devices.

Legal Issues & Outcome:

Guilty plea; seven‑year sentence for facilitating fraud, supplying articles for use in fraud and handling criminal property.

Significance:

Reinforces the tool‑kit supply model of phishing (scale via automation).

Forensic analysis centres on kit templates, code reuse and infrastructure monetisation.

Prosecution strategy: focus on the supply side, not just end‑users.

Case 5: Phishing Infrastructure “One‑Stop Shop” (UK, early‑2025)

Facts:

A website offered ready‑to‑use phishing pages (banks/governments) to fraudsters via a subscription service, targeting victims across many countries.

Users of the service committed authorised push payment (APP) fraud.

Forensic/Investigation Details:

Domain and IP attribution: many phishing pages were traced to central hosting; credit‑card and cryptocurrency payment logs recorded the subscriptions.

Victim transfers matched phishing pages from this service.

Legal Issues & Outcome:

The defendant pleaded guilty to facilitating fraud and supplying articles for use in fraud, and received a significant prison sentence.

Significance:

Further exemplifies how phishing campaigns are commoditised and automated, raising forensic complexity.

Emphasises the need for investigators to trace phishing service providers rather than just single campaigns.

Key Observations & Forensic/Legal Considerations

Automation and Scale: Phishing is no longer just one email to a single target; tool‑kits, subscription services and deep‑fake voice clones amplify attacks.

Forensic Trace Complexity: Investigators must trace domain/IP churn, code/templates, audio/voice clones, user payment records and cross‑jurisdiction infrastructure.

Legal Focus: The supply side (tool providers, kit creators) is now a major target for prosecution, not just individual phishing perpetrators.

Multimedia & AI Components: Voice deep‑fakes, AI‑generated kits and impersonation tools increase the complexity of evidence (audio forensics, metadata, model logs).

Use of Existing Laws: Fraud statutes, unauthorised access, identity theft, supply of articles for use in fraud are being adapted to these new phishing modalities rather than waiting for completely new laws.

Sentencing & Deterrence: Large prison sentences for tool‑kit developers reflect recognition of the potency of harm when phishing is automated or AI‑supported.
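The forensic linking described in Case 1 (reused DOM/HTML code), Case 4 (kit‑template analysis) and the Forensic Trace Complexity point above can be demonstrated with a small structural‑similarity clusterer that groups captured phishing pages by their tag skeleton. This is an added example, not code from any of the investigations; it assumes a kit keeps the tag structure and form field names constant while logos, action URLs and visible text change per target, and the sample pages are constructed, not real kit output.

```python
from difflib import SequenceMatcher
from html.parser import HTMLParser

KEEP_VALUE = {"name", "id"}  # field names survive; src/href/class values are dropped

class SkeletonParser(HTMLParser):
    """Reduce a page to its tag sequence, dropping text and brand-specific values."""
    def __init__(self):
        super().__init__()
        self.tokens = []
    def handle_starttag(self, tag, attrs):
        parts = [f"{k}={v}" if k in KEEP_VALUE else k for k, v in sorted(attrs, key=lambda kv: kv[0])]
        self.tokens.append("<" + " ".join([tag] + parts) + ">")
    def handle_endtag(self, tag):
        self.tokens.append(f"</{tag}>")

def skeleton(html):
    p = SkeletonParser()
    p.feed(html)
    return p.tokens

def similarity(a, b):
    """Order-aware structural similarity of two skeletons (1.0 = identical)."""
    return SequenceMatcher(None, a, b).ratio()

def cluster_pages(pages, threshold=0.85):
    """Greedy: a page joins the first cluster scoring >= threshold, else seeds a new one."""
    clusters = []  # (representative skeleton, [page ids])
    for pid, html in pages.items():
        sk = skeleton(html)
        for rep, members in clusters:
            if similarity(rep, sk) >= threshold:
                members.append(pid)
                break
        else:
            clusters.append((sk, [pid]))
    return [members for _, members in clusters]

# Constructed samples: three pages a hypothetical kit would emit for different
# targets (same structure, different brand/action/text) plus one unrelated page.
KIT = ("<html><body><img src='{logo}'>{extra}<form id='login' method='post' action='{act}'>"
       "<input type='text' name='uid'><input type='password' name='pwd'>"
       "<button type='submit'>{cta}</button></form></body></html>")
SAMPLE_PAGES = {
    "bank1": KIT.format(logo="/img/b1.png", extra="", act="/b1/go.php", cta="Log in"),
    "bank2": KIT.format(logo="/img/b2.png", extra="", act="/b2/go.php", cta="Sign in"),
    "gov": KIT.format(logo="/img/gov.png", extra="<p>Secure portal</p>", act="/gov/go.php", cta="Continue"),
    "unrelated": ("<html><body><h1>Welcome</h1><form action='/login' method='post'><label>Email</label>"
                  "<input type='email' name='email'><input type='password' name='pw'><input type='submit'></form></body></html>"),
}
```

Running `cluster_pages(SAMPLE_PAGES)` groups the three kit‑generated pages together and leaves the unrelated login page in its own cluster; in an investigation the same grouping across seized pages is what ties separate campaigns back to one toolkit.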
