By Andrew Brown in Canberra

Five Australians have been arrested as part of a global sting operation into a “one-stop shop” for cyber criminals seeking to steal personal data.

Federal police made the arrests as part of a take down of the platform LabHost, which allows for cyber criminals to impersonate websites as part of phishing scams.

The personal details of 94,000 Australians have been stolen through LabHost, which has been used by criminals to impersonate 170 websites, including banks and government websites such as MyGov.

A Melbourne man and an Adelaide man were arrested during police search warrants carried out on Wednesday, with police alleging the pair used LabHost.

A further three people were arrested in Melbourne for drug-related offences during the searches.

Police estimate as much as $28 million was lost due to phishing scams carried out through LabHost.

AFP acting assistant commissioner for cyber command Chris Goldsmid said investigations into the Australian arm of LabHost had been under way since October.

“What was really insidious about LabHost is it was a one-stop shop for phishing,” he told reporters in Canberra on Thursday.

“LabHost provided cyber criminals with all the tools they needed to undertake phishing attacks, including the infrastructure to host a phishing website.”

Criminals could sign up to the service for as little as $270 to obtain information such as log-ins and passwords to steal money from victims.

Once websites were replicated using LabHost, texts and emails are then sent out to customers as an attempt to steal personal data.

The arrests were made as part of a global operation into LabHost, led by police in the United Kingdom, that saw officers from 19 countries carry out search warrants.

Overall, 37 people were arrested as part of the investigation, including the alleged developer.

“This is a significant disruption of the LabHost infrastructure and criminals’ ability to operate using this service,” Mr Goldsmid said.

“Global activity will continue over the coming weeks and months and further arrests are expected.”

Police estimate LabHost had more than 40,000 phishing websites, with more than 10,000 people using the platform.

The platform started in Canada in 2021, with Australian criminals among the top three user countries.

Mr Goldsmid said the rise in cybercrime represented a significant concern for law enforcement.

“Cybercrime as a service is probably not a new concept, but it’s certainly something that is lowering the barrier of entry for criminals,” he said.

“Phishing is really a key threat vector, a really key mechanism that criminals use to both gain access to networks and steal personal information.

The arrests have prompted a repeat of warnings for customers to be careful when receiving unsolicited email or texts with links.