US shuts down phisherfolk’s $14.6M password-hoarding platform

Crooks used platform to scoop up and store banking credentials for big-money thefts

by · The Register

The US says it has shut down a platform used by cybercriminals to break into Americans' bank accounts.

A law enforcement splash page now appears when trying to reach web3adspanels.org, which supported SEO poisoning campaigns designed to steal people's bank account credentials.

Criminals would pay for prime slots in search engine results, serving users seemingly legitimate banking websites that were actually fakes. From there, unwitting users entered their passwords, which were dumped into a database, but they would never reach their account.

The Justice Department described the role of web3adspanels.org as a platform on which criminals would store and manipulate these credentials, which they would then use in attempts to access bank accounts and authorize illegal transfers.

According to the affidavit, the FBI is aware of at least 19 victims, including two companies, across the US that have succumbed to this specific scheme, which represents just a small operation in the wider account takeover problem.

Prosecutors tied $28 million worth of attempted illegal transfers to web3adspanels, with the total of actual losses estimated at $14.6 million.

However, law enforcement agencies have received more than 5,100 of these kinds of complaints since the start of the year, with total reported losses of more than $262 million, according to the FBI's Internet Crime Complaint Center (IC3).

In making its announcement, the Justice Department did not offer details about how the criminals bypassed the more stringent security controls such as multi-factor authentication (MFA) when illegally accessing the accounts. Nor did the IC3 when it released an advisory on the matter last month.

The same campaigns are often conducted using social engineering tactics instead of basic phishing. Criminals convince victims to hand over their credentials and, crucially, their MFA or one-time passcodes to access their accounts.

Once inside, the playbook typically sees the cybercrooks transferring funds to accounts they legitimately control, then using the money to purchase cryptocurrencies, making it more difficult to track across different blockchains.

Social engineers often also change the victims' bank account passwords, locking them out, the FBI said.

Losses associated with e-crime have risen consistently since 2020, according to IC3 figures [PDF], with cyber-enabled fraud accounting for 83 percent of the total $16.6 billion in 2024. ®