CYBER SYRUP
Delivering the sweetest insights on cybersecurity.

U.S. Authorities Seize Phishing Infrastructure Behind $28M Bank Account Takeover Scheme

The U.S. Department of Justice has seized a domain and backend infrastructure used in a large-scale bank account takeover operation that leveraged malicious online ads and phishing websites. The campaign attempted to steal nearly $28 million from U.S. victims, with confirmed losses exceeding $14 million. The takedown highlights the continued effectiveness—and scale—of ad-driven credential theft operations.

Context

Account takeover (ATO) fraud has accelerated sharply in 2025, driven by the availability of phishing kits, infostealer malware, and large underground credential markets. Financial institutions remain a primary target, as stolen login credentials can be rapidly monetized before victims or banks detect suspicious activity.

According to federal data, ATO-related losses in the U.S. have already surpassed $262 million this year, underscoring the systemic risk posed by credential-based fraud.

What Happened

The U.S. Department of Justice announced the seizure of the domain web3adspanels.org, which hosted a backend panel used by cybercriminals to manage thousands of stolen banking credentials.

Investigators determined that the threat actors placed malicious advertisements on major search engines, including Google and Bing. These ads redirected users to fake banking websites designed to closely mimic legitimate login portals.

Victims who entered their credentials unknowingly gave the attackers direct access to their bank accounts, and the attackers then attempted to drain funds rapidly.

Technical Breakdown

The seized infrastructure functioned as a centralized credential management system. Once credentials were harvested through phishing pages, they were stored, organized, and manipulated through a web-based control panel.

This approach allowed attackers to:

  • Track which credentials were valid

  • Prioritize high-value accounts

  • Coordinate withdrawals and transfers

  • Reuse credentials across multiple financial institutions

Estonian law enforcement assisted by preserving data from servers that hosted both the phishing pages and the stolen login databases, enabling deeper forensic analysis.

Impact Analysis

The Federal Bureau of Investigation has identified nearly 20 U.S. victims so far, including two companies. While attackers attempted to steal roughly $28 million, confirmed losses are estimated at $14.6 million.

Authorities have not announced arrests or charges, suggesting the investigation remains active and may involve additional infrastructure or operators.

Why It Matters

This case illustrates how low-cost digital advertising can be weaponized at scale. Search-based phishing remains highly effective because users often trust top-ranked or sponsored results, especially when interacting with financial services.

The takedown also reinforces the importance of disrupting backend infrastructure, not just phishing sites, to meaningfully degrade criminal operations.

Expert Commentary

The announcement follows recent disclosures by Troy Hunt, operator of Have I Been Pwned, who revealed that the FBI shared 630 million compromised passwords for analysis.

Hunt’s review showed the dataset originated from multiple sources, including infostealer malware and cybercrime markets, highlighting how fragmented—but highly reusable—credential theft ecosystems have become.

Key Takeaways

  • Ad-driven phishing remains a primary driver of bank account takeover fraud

  • Centralized backend panels enable efficient credential exploitation at scale

  • Nearly $15 million in confirmed losses stem from this single operation

  • Search engine ads continue to be abused for high-trust phishing delivery

  • Credential reuse dramatically amplifies financial risk

  • Infrastructure seizures disrupt operations but rarely end campaigns outright
