FBI Warns of $262M Stolen in Account Takeover Fraud Schemes
Summary
Since January 2025, cybercriminals impersonating bank support teams have stolen over $262 million through account takeover (ATO) fraud schemes. The FBI's Internet Crime Complaint Center (IC3) has received over 5,100 complaints, affecting individuals and businesses across various sectors. Criminals gain unauthorized access to online financial accounts using social engineering techniques or fraudulent websites. Once in control, they wire funds to crypto wallets and often change account passwords, making recovery difficult. The FBI advises monitoring financial accounts, using strong passwords, enabling MFA, and avoiding search results for banking websites. Victims are urged to contact their financial institutions immediately and file complaints with the IC3. Recent reports highlight the growing use of AI-powered phishing campaigns, SEO poisoning, and exploitation of e-commerce vulnerabilities, particularly ahead of the holiday season. Additionally, purchase scams and mobile phishing (mishing) sites have seen a significant increase, leveraging trusted brand names to deceive users. The U.S. Justice Department (DoJ) has seized the fraud domain web3adspanels[.]org, which was used to host and manipulate illegally harvested bank login credentials. The scheme targeted 19 victims across the U.S., including two companies in the Northern District of Georgia, with attempted losses of approximately $28 million and actual losses of approximately $14.6 million. The confiscated domain stored the stolen login credentials of thousands of victims and hosted a backend server to facilitate takeover fraud as recently as November 2025. The FBI and Estonian law enforcement collaborated in this seizure, and the domain now displays a law enforcement banner indicating it is under the control of authorities. No arrests have been made yet, but the investigation may reveal clues leading to the operators.
Timeline
- 23.12.2025 10:15 · 2 articles
DoJ Seizes Fraud Domain Used in $14.6M ATO Scheme
The U.S. Justice Department (DoJ) seized the fraud domain web3adspanels[.]org, which was used as a backend web panel to host and manipulate illegally harvested bank login credentials. The scheme targeted 19 victims across the U.S., including two companies in the Northern District of Georgia, with attempted losses of approximately $28 million and actual losses of approximately $14.6 million. The confiscated domain stored the stolen login credentials of thousands of victims and hosted a backend server to facilitate takeover fraud as recently as November 2025. The FBI and Estonian law enforcement collaborated in this seizure, and the domain now displays a law enforcement banner indicating it is under the control of authorities. No arrests have been made yet, but the investigation may reveal clues leading to the operators.
Sources:
- U.S. DoJ Seizes Fraud Domain Behind $14.6 Million Bank Account Takeover Scheme — thehackernews.com — 23.12.2025 10:15
- FBI seizes domain storing bank credentials stolen from U.S. victims — www.bleepingcomputer.com — 24.12.2025 15:17
- 25.11.2025 19:23 · 4 articles
FBI Warns of $262M Stolen in Account Takeover Fraud Schemes Since January 2025
The FBI has reported a massive surge in account takeover fraud schemes, with over $262 million stolen since January 2025. Cybercriminals impersonate bank support teams to gain unauthorized access to financial accounts, using social engineering and fraudulent websites. Once in control, they wire funds to crypto wallets and often change account passwords, making recovery difficult. The FBI advises monitoring financial accounts, using strong passwords, enabling MFA, and avoiding search results for banking websites. Victims are urged to contact their financial institutions immediately and file complaints with the IC3. The article provides additional details on the methods used by cybercriminals to execute ATO fraud, including the manipulation of MFA codes and impersonation of law enforcement. It also highlights the growing threat of AI-powered phishing campaigns, SEO poisoning, and exploitation of e-commerce vulnerabilities. The FBI advises users to be cautious about sharing personal information online and to verify banking website URLs. The article also reports on the increasing prevalence of purchase scams and mobile phishing sites, which are being used to steal victim data and authorize fraudulent payments. Additionally, it mentions that cybercriminals have been found to alert account holders to alleged fraudulent purchases of high-risk items such as firearms, and use SEO poisoning by purchasing ads that imitate legitimate business ads to increase the prominence of their phishing websites. The U.S. Justice Department (DoJ) has seized the fraud domain web3adspanels[.]org, which was used to host and manipulate illegally harvested bank login credentials. The scheme targeted 19 victims across the U.S., including two companies in the Northern District of Georgia, with attempted losses of approximately $28 million and actual losses of approximately $14.6 million. 
The confiscated domain stored the stolen login credentials of thousands of victims and hosted a backend server to facilitate takeover fraud as recently as last month.
Sources:
- FBI: Cybercriminals stole $262M by impersonating bank support teams — www.bleepingcomputer.com — 25.11.2025 19:23
- FBI Reports $262M in ATO Fraud as Researchers Cite Growing AI Phishing and Holiday Scams — thehackernews.com — 26.11.2025 06:29
- FBI Warns of $262M Losses from Account Takeover Fraud in 2025 — www.infosecurity-magazine.com — 26.11.2025 16:15
- U.S. DoJ Seizes Fraud Domain Behind $14.6 Million Bank Account Takeover Scheme — thehackernews.com — 23.12.2025 10:15
Information Snippets
- Cybercriminals have stolen over $262 million through ATO fraud since January 2025.
  First reported: 25.11.2025 19:23 · 3 sources, 5 articles
  Sources:
- FBI: Cybercriminals stole $262M by impersonating bank support teams — www.bleepingcomputer.com — 25.11.2025 19:23
- FBI Reports $262M in ATO Fraud as Researchers Cite Growing AI Phishing and Holiday Scams — thehackernews.com — 26.11.2025 06:29
- FBI Warns of $262M Losses from Account Takeover Fraud in 2025 — www.infosecurity-magazine.com — 26.11.2025 16:15
- U.S. DoJ Seizes Fraud Domain Behind $14.6 Million Bank Account Takeover Scheme — thehackernews.com — 23.12.2025 10:15
- FBI seizes domain storing bank credentials stolen from U.S. victims — www.bleepingcomputer.com — 24.12.2025 15:17
- The FBI's IC3 has received over 5,100 complaints related to these schemes.
  First reported: 25.11.2025 19:23 · 3 sources, 5 articles
  Sources:
- FBI: Cybercriminals stole $262M by impersonating bank support teams — www.bleepingcomputer.com — 25.11.2025 19:23
- FBI Reports $262M in ATO Fraud as Researchers Cite Growing AI Phishing and Holiday Scams — thehackernews.com — 26.11.2025 06:29
- FBI Warns of $262M Losses from Account Takeover Fraud in 2025 — www.infosecurity-magazine.com — 26.11.2025 16:15
- U.S. DoJ Seizes Fraud Domain Behind $14.6 Million Bank Account Takeover Scheme — thehackernews.com — 23.12.2025 10:15
- FBI seizes domain storing bank credentials stolen from U.S. victims — www.bleepingcomputer.com — 24.12.2025 15:17
- Criminals use social engineering and fraudulent websites to gain unauthorized access to financial accounts.
  First reported: 25.11.2025 19:23 · 3 sources, 5 articles
  Sources:
- FBI: Cybercriminals stole $262M by impersonating bank support teams — www.bleepingcomputer.com — 25.11.2025 19:23
- FBI Reports $262M in ATO Fraud as Researchers Cite Growing AI Phishing and Holiday Scams — thehackernews.com — 26.11.2025 06:29
- FBI Warns of $262M Losses from Account Takeover Fraud in 2025 — www.infosecurity-magazine.com — 26.11.2025 16:15
- U.S. DoJ Seizes Fraud Domain Behind $14.6 Million Bank Account Takeover Scheme — thehackernews.com — 23.12.2025 10:15
- FBI seizes domain storing bank credentials stolen from U.S. victims — www.bleepingcomputer.com — 24.12.2025 15:17
- Once in control, criminals wire funds to crypto wallets and often change account passwords.
  First reported: 25.11.2025 19:23 · 3 sources, 5 articles
  Sources:
- FBI: Cybercriminals stole $262M by impersonating bank support teams — www.bleepingcomputer.com — 25.11.2025 19:23
- FBI Reports $262M in ATO Fraud as Researchers Cite Growing AI Phishing and Holiday Scams — thehackernews.com — 26.11.2025 06:29
- FBI Warns of $262M Losses from Account Takeover Fraud in 2025 — www.infosecurity-magazine.com — 26.11.2025 16:15
- U.S. DoJ Seizes Fraud Domain Behind $14.6 Million Bank Account Takeover Scheme — thehackernews.com — 23.12.2025 10:15
- FBI seizes domain storing bank credentials stolen from U.S. victims — www.bleepingcomputer.com — 24.12.2025 15:17
- The FBI advises using unique, complex passwords, enabling MFA, and monitoring financial accounts.
  First reported: 25.11.2025 19:23 · 3 sources, 4 articles
  Sources:
- FBI: Cybercriminals stole $262M by impersonating bank support teams — www.bleepingcomputer.com — 25.11.2025 19:23
- FBI Reports $262M in ATO Fraud as Researchers Cite Growing AI Phishing and Holiday Scams — thehackernews.com — 26.11.2025 06:29
- FBI Warns of $262M Losses from Account Takeover Fraud in 2025 — www.infosecurity-magazine.com — 26.11.2025 16:15
- FBI seizes domain storing bank credentials stolen from U.S. victims — www.bleepingcomputer.com — 24.12.2025 15:17
- Victims should contact their financial institutions immediately and file complaints with the IC3.
  First reported: 25.11.2025 19:23 · 3 sources, 5 articles
  Sources:
- FBI: Cybercriminals stole $262M by impersonating bank support teams — www.bleepingcomputer.com — 25.11.2025 19:23
- FBI Reports $262M in ATO Fraud as Researchers Cite Growing AI Phishing and Holiday Scams — thehackernews.com — 26.11.2025 06:29
- FBI Warns of $262M Losses from Account Takeover Fraud in 2025 — www.infosecurity-magazine.com — 26.11.2025 16:15
- U.S. DoJ Seizes Fraud Domain Behind $14.6 Million Bank Account Takeover Scheme — thehackernews.com — 23.12.2025 10:15
- FBI seizes domain storing bank credentials stolen from U.S. victims — www.bleepingcomputer.com — 24.12.2025 15:17
- Fraudsters impersonate bank staff or customer support to manipulate victims into providing login credentials.
  First reported: 25.11.2025 19:23 · 3 sources, 5 articles
  Sources:
- FBI: Cybercriminals stole $262M by impersonating bank support teams — www.bleepingcomputer.com — 25.11.2025 19:23
- FBI Reports $262M in ATO Fraud as Researchers Cite Growing AI Phishing and Holiday Scams — thehackernews.com — 26.11.2025 06:29
- FBI Warns of $262M Losses from Account Takeover Fraud in 2025 — www.infosecurity-magazine.com — 26.11.2025 16:15
- U.S. DoJ Seizes Fraud Domain Behind $14.6 Million Bank Account Takeover Scheme — thehackernews.com — 23.12.2025 10:15
- FBI seizes domain storing bank credentials stolen from U.S. victims — www.bleepingcomputer.com — 24.12.2025 15:17
- Phishing websites are designed to look like legitimate financial institutions or payroll websites.
  First reported: 25.11.2025 19:23 · 3 sources, 5 articles
  Sources:
- FBI: Cybercriminals stole $262M by impersonating bank support teams — www.bleepingcomputer.com — 25.11.2025 19:23
- FBI Reports $262M in ATO Fraud as Researchers Cite Growing AI Phishing and Holiday Scams — thehackernews.com — 26.11.2025 06:29
- FBI Warns of $262M Losses from Account Takeover Fraud in 2025 — www.infosecurity-magazine.com — 26.11.2025 16:15
- U.S. DoJ Seizes Fraud Domain Behind $14.6 Million Bank Account Takeover Scheme — thehackernews.com — 23.12.2025 10:15
- FBI seizes domain storing bank credentials stolen from U.S. victims — www.bleepingcomputer.com — 24.12.2025 15:17
- Attackers use SEO poisoning tactics to push fraudulent websites to the top of search results.
  First reported: 25.11.2025 19:23 · 3 sources, 5 articles
  Sources:
- FBI: Cybercriminals stole $262M by impersonating bank support teams — www.bleepingcomputer.com — 25.11.2025 19:23
- FBI Reports $262M in ATO Fraud as Researchers Cite Growing AI Phishing and Holiday Scams — thehackernews.com — 26.11.2025 06:29
- FBI Warns of $262M Losses from Account Takeover Fraud in 2025 — www.infosecurity-magazine.com — 26.11.2025 16:15
- U.S. DoJ Seizes Fraud Domain Behind $14.6 Million Bank Account Takeover Scheme — thehackernews.com — 23.12.2025 10:15
- FBI seizes domain storing bank credentials stolen from U.S. victims — www.bleepingcomputer.com — 24.12.2025 15:17
- Cybercriminals manipulate account owners into providing MFA codes or OTPs by impersonating financial institution employees or support personnel.
  First reported: 26.11.2025 06:29 · 3 sources, 4 articles
  Sources:
- FBI Reports $262M in ATO Fraud as Researchers Cite Growing AI Phishing and Holiday Scams — thehackernews.com — 26.11.2025 06:29
- FBI Warns of $262M Losses from Account Takeover Fraud in 2025 — www.infosecurity-magazine.com — 26.11.2025 16:15
- U.S. DoJ Seizes Fraud Domain Behind $14.6 Million Bank Account Takeover Scheme — thehackernews.com — 23.12.2025 10:15
- FBI seizes domain storing bank credentials stolen from U.S. victims — www.bleepingcomputer.com — 24.12.2025 15:17
- Threat actors masquerade as financial institutions and law enforcement to convince victims to provide account information.
  First reported: 26.11.2025 06:29 · 3 sources, 4 articles
  Sources:
- FBI Reports $262M in ATO Fraud as Researchers Cite Growing AI Phishing and Holiday Scams — thehackernews.com — 26.11.2025 06:29
- FBI Warns of $262M Losses from Account Takeover Fraud in 2025 — www.infosecurity-magazine.com — 26.11.2025 16:15
- U.S. DoJ Seizes Fraud Domain Behind $14.6 Million Bank Account Takeover Scheme — thehackernews.com — 23.12.2025 10:15
- FBI seizes domain storing bank credentials stolen from U.S. victims — www.bleepingcomputer.com — 24.12.2025 15:17
- ATO fraud involves SEO poisoning to trick users into clicking on phony links that redirect to lookalike sites.
  First reported: 26.11.2025 06:29 · 3 sources, 4 articles
  Sources:
- FBI Reports $262M in ATO Fraud as Researchers Cite Growing AI Phishing and Holiday Scams — thehackernews.com — 26.11.2025 06:29
- FBI Warns of $262M Losses from Account Takeover Fraud in 2025 — www.infosecurity-magazine.com — 26.11.2025 16:15
- U.S. DoJ Seizes Fraud Domain Behind $14.6 Million Bank Account Takeover Scheme — thehackernews.com — 23.12.2025 10:15
- FBI seizes domain storing bank credentials stolen from U.S. victims — www.bleepingcomputer.com — 24.12.2025 15:17
- The FBI advises users to be cautious about sharing personal information online, monitor accounts for irregularities, and verify banking website URLs.
  First reported: 26.11.2025 06:29 · 3 sources, 4 articles
  Sources:
- FBI Reports $262M in ATO Fraud as Researchers Cite Growing AI Phishing and Holiday Scams — thehackernews.com — 26.11.2025 06:29
- FBI Warns of $262M Losses from Account Takeover Fraud in 2025 — www.infosecurity-magazine.com — 26.11.2025 16:15
- U.S. DoJ Seizes Fraud Domain Behind $14.6 Million Bank Account Takeover Scheme — thehackernews.com — 23.12.2025 10:15
- FBI seizes domain storing bank credentials stolen from U.S. victims — www.bleepingcomputer.com — 24.12.2025 15:17
- The majority of the account takeovers referenced in the FBI announcement occur through compromised credentials used by threat actors familiar with financial institution processes.
  First reported: 26.11.2025 06:29 · 2 sources, 3 articles
  Sources:
- FBI Reports $262M in ATO Fraud as Researchers Cite Growing AI Phishing and Holiday Scams — thehackernews.com — 26.11.2025 06:29
- U.S. DoJ Seizes Fraud Domain Behind $14.6 Million Bank Account Takeover Scheme — thehackernews.com — 23.12.2025 10:15
- FBI seizes domain storing bank credentials stolen from U.S. victims — www.bleepingcomputer.com — 24.12.2025 15:17
- Darktrace, Flashpoint, Forcepoint, Fortinet, and Zimperium have highlighted major cybersecurity threats ahead of the holiday season, including AI-powered phishing campaigns.
  First reported: 26.11.2025 06:29 · 1 source, 1 article
  Sources:
- FBI Reports $262M in ATO Fraud as Researchers Cite Growing AI Phishing and Holiday Scams — thehackernews.com — 26.11.2025 06:29
- Fortinet FortiGuard Labs detected at least 750 malicious, holiday-themed domains registered over the last three months.
  First reported: 26.11.2025 06:29 · 1 source, 1 article
  Sources:
- FBI Reports $262M in ATO Fraud as Researchers Cite Growing AI Phishing and Holiday Scams — thehackernews.com — 26.11.2025 06:29
- Attackers are exploiting security vulnerabilities across Adobe/Magento, Oracle E-Business Suite, WooCommerce, and other e-commerce platforms.
  First reported: 26.11.2025 06:29 · 1 source, 1 article
  Sources:
- FBI Reports $262M in ATO Fraud as Researchers Cite Growing AI Phishing and Holiday Scams — thehackernews.com — 26.11.2025 06:29
- Zimperium zLabs reported a 4x increase in mobile phishing (mishing) sites, leveraging trusted brand names to deceive users.
  First reported: 26.11.2025 06:29 · 1 source, 1 article
  Sources:
- FBI Reports $262M in ATO Fraud as Researchers Cite Growing AI Phishing and Holiday Scams — thehackernews.com — 26.11.2025 06:29
- Recorded Future identified purchase scams as a major emerging fraud threat, with threat actors using fake e-commerce stores to steal victim data.
  First reported: 26.11.2025 06:29 · 1 source, 1 article
  Sources:
- FBI Reports $262M in ATO Fraud as Researchers Cite Growing AI Phishing and Holiday Scams — thehackernews.com — 26.11.2025 06:29
- Cybercriminals have been found to alert account holders to alleged fraudulent purchases of high-risk items such as firearms.
  First reported: 26.11.2025 16:15 · 1 source, 1 article
  Sources:
- FBI Warns of $262M Losses from Account Takeover Fraud in 2025 — www.infosecurity-magazine.com — 26.11.2025 16:15
- Fraudsters use SEO poisoning by purchasing ads that imitate legitimate business ads to increase the prominence of their phishing websites.
  First reported: 26.11.2025 16:15 · 2 sources, 2 articles
  Sources:
- FBI Warns of $262M Losses from Account Takeover Fraud in 2025 — www.infosecurity-magazine.com — 26.11.2025 16:15
- U.S. DoJ Seizes Fraud Domain Behind $14.6 Million Bank Account Takeover Scheme — thehackernews.com — 23.12.2025 10:15
- The U.S. Justice Department (DoJ) seized the fraud domain web3adspanels[.]org used in bank account takeover fraud.
  First reported: 23.12.2025 10:15 · 2 sources, 2 articles
  Sources:
- U.S. DoJ Seizes Fraud Domain Behind $14.6 Million Bank Account Takeover Scheme — thehackernews.com — 23.12.2025 10:15
- FBI seizes domain storing bank credentials stolen from U.S. victims — www.bleepingcomputer.com — 24.12.2025 15:17
- The seized domain was used as a backend web panel to host and manipulate illegally harvested bank login credentials.
  First reported: 23.12.2025 10:15 · 2 sources, 2 articles
  Sources:
- U.S. DoJ Seizes Fraud Domain Behind $14.6 Million Bank Account Takeover Scheme — thehackernews.com — 23.12.2025 10:15
- FBI seizes domain storing bank credentials stolen from U.S. victims — www.bleepingcomputer.com — 24.12.2025 15:17
- The scheme targeted 19 victims across the U.S., including two companies in the Northern District of Georgia, with attempted losses of approximately $28 million and actual losses of approximately $14.6 million.
  First reported: 23.12.2025 10:15 · 2 sources, 2 articles
  Sources:
- U.S. DoJ Seizes Fraud Domain Behind $14.6 Million Bank Account Takeover Scheme — thehackernews.com — 23.12.2025 10:15
- FBI seizes domain storing bank credentials stolen from U.S. victims — www.bleepingcomputer.com — 24.12.2025 15:17
- The confiscated domain stored the stolen login credentials of thousands of victims and hosted a backend server to facilitate takeover fraud as recently as last month.
  First reported: 23.12.2025 10:15 · 2 sources, 2 articles
  Sources:
- U.S. DoJ Seizes Fraud Domain Behind $14.6 Million Bank Account Takeover Scheme — thehackernews.com — 23.12.2025 10:15
- FBI seizes domain storing bank credentials stolen from U.S. victims — www.bleepingcomputer.com — 24.12.2025 15:17
- The criminal group delivered fraudulent advertisements through search engines, including Google and Bing, imitating legitimate banking entities' sponsored search engine advertisements.
  First reported: 23.12.2025 10:15 · 2 sources, 2 articles
  Sources:
- U.S. DoJ Seizes Fraud Domain Behind $14.6 Million Bank Account Takeover Scheme — thehackernews.com — 23.12.2025 10:15
- FBI seizes domain storing bank credentials stolen from U.S. victims — www.bleepingcomputer.com — 24.12.2025 15:17
- The FBI and Estonian law enforcement collaborated to seize the fraud domain web3adspanels[.]org.
  First reported: 24.12.2025 15:17 · 1 source, 1 article
  Sources:
- FBI seizes domain storing bank credentials stolen from U.S. victims — www.bleepingcomputer.com — 24.12.2025 15:17
- The seized domain was active as recently as November 2025.
  First reported: 24.12.2025 15:17 · 1 source, 1 article
  Sources:
- FBI seizes domain storing bank credentials stolen from U.S. victims — www.bleepingcomputer.com — 24.12.2025 15:17
- The domain now displays a law enforcement banner indicating it is under the control of authorities.
  First reported: 24.12.2025 15:17 · 1 source, 1 article
  Sources:
- FBI seizes domain storing bank credentials stolen from U.S. victims — www.bleepingcomputer.com — 24.12.2025 15:17
- No arrests have been made yet, but the investigation may reveal clues leading to the operators.
  First reported: 24.12.2025 15:17 · 1 source, 1 article
  Sources:
- FBI seizes domain storing bank credentials stolen from U.S. victims — www.bleepingcomputer.com — 24.12.2025 15:17
Similar Happenings
OAuth Device Code Phishing Campaigns Target Microsoft 365 Accounts
A surge in phishing campaigns exploiting Microsoft’s OAuth device code authorization flow has been observed, targeting Microsoft 365 accounts. Both state-aligned and financially motivated actors are using social engineering to trick users into approving malicious applications, leading to account takeover and data theft. The attacks leverage the OAuth 2.0 device authorization grant, a legitimate process designed for devices with limited input capabilities. Once victims enter a device code generated by an attacker-controlled application, the threat actor receives a valid access token, granting control over the compromised account. The campaigns use QR codes, embedded buttons, and hyperlinked text to initiate the attack chain, often claiming to involve document sharing, token reauthorization, or security verification. The growth of these campaigns is linked to readily available phishing tools like SquarePhish2 and Graphish, which simplify device code abuse and require limited technical skill. Proofpoint observed financially motivated actor TA2723 and Russia-linked group UNK_AcademicFlare adopting this technique, targeting various sectors in the US and Europe. Organizations are advised to strengthen OAuth controls and train users to avoid entering device codes from untrusted sources. The activity, ongoing since September 2025, is being tracked by Proofpoint under the moniker UNK_AcademicFlare. The attacks involve using compromised email addresses belonging to government and military organizations to strike entities within government, think tanks, higher education, and transportation sectors in the U.S. and Europe. The adversary claims to share a link to a document that includes questions or topics for the email recipient to review before the meeting. The URL points to a Cloudflare Worker URL that mimics the compromised sender's Microsoft OneDrive account and instructs the victim to copy the provided code and click 'Next' to access the supposed document. 
Device code phishing was documented in detail by both Microsoft and Volexity in February 2025, attributing the use of the attack method to Russia-aligned clusters such as Storm-2372, APT29, UTA0304, and UTA0307. The October 2025 campaign is assessed to have been fueled by the ready availability of crimeware offerings like the Graphish phishing kit and red-team tools such as SquarePhish. To counter the risk posed by device code phishing, the best option is to create a Conditional Access policy using the Authentication Flows condition to block device code flow for all users. If that's not feasible, it's advised to use a policy that uses an allow-list approach to allow device code authentication for approved users, operating systems, or IP ranges.
Crypto Laundering Scheme Involving $230M Heist Uncovered
A 45-year-old California man, Kunal Mehta, has pleaded guilty to laundering at least $25 million stolen in a $230 million cryptocurrency heist. The scheme involved a large group that used social engineering to access victims' accounts between October 2023 and March 2025. The group, which included members from various states and abroad, was involved in organizing, hacking, and stealing funds. Mehta served as a money launderer, creating shell companies to launder funds through bank accounts. The stolen cryptocurrency was used to finance lavish lifestyles, including luxury cars and international travel. The FBI has emphasized the importance of being vigilant against online scams.
LinkedIn Phishing Campaigns Targeting Enterprises
LinkedIn has become a prominent platform for phishing attacks, with 34% of phishing attacks occurring over non-email channels. Attackers are conducting sophisticated spear-phishing campaigns targeting executives in financial services and technology sectors. These attacks bypass traditional security tools, are cost-effective and scalable for attackers, provide easy access to high-value targets, and have significant potential rewards. The nature of LinkedIn makes it easier for users to fall for these attacks, as they expect to interact with external contacts. The impact of these attacks can be severe, potentially leading to multi-million dollar breaches. Organizations need to adopt comprehensive security measures to detect and block phishing across all apps and delivery vectors. 60% of credentials in infostealer logs are linked to social media accounts, many of which lack MFA. Attackers are hijacking legitimate LinkedIn accounts to launch phishing campaigns, exploiting the lack of MFA on these accounts. LinkedIn phishing attacks target core enterprise cloud platforms such as Microsoft and Google, or specialist Identity Providers like Okta. A single account compromise can snowball into a multi-million dollar, business-wide breach.
Credential Compromise Lifecycle and Enterprise Risks
Enterprise credentials are frequently compromised through phishing, brute force attacks, third-party breaches, and exposed API keys. Hackers aggregate and monetize these credentials, selling them on underground markets. Once purchased, these credentials are used for account takeovers, lateral movement, data theft, resource abuse, and ransomware deployment, causing significant financial and reputational damage to organizations. The credential compromise lifecycle involves users creating credentials, hackers compromising them, aggregating and monetizing them, distributing and weaponizing them, and finally exploiting them for various malicious activities. Common vectors include phishing campaigns, credential stuffing, third-party breaches, and leaked API keys. The criminal ecosystem consists of opportunistic fraudsters, automated botnets, criminal marketplaces, and organized crime groups, each with different motivations and methods. The real-world impact of credential compromise includes account takeover, lateral movement, data theft, resource abuse, and ransomware deployment, leading to regulatory fines, lawsuits, remediation costs, and long-term reputational damage.
Spear-Phishing Campaign Targets Social Media and Marketing Professionals with Fake Job Offers
A spear-phishing campaign targets social media and marketing professionals with fake job offers from Tesla, Red Bull, and Ferrari. The campaign, tracked since February 2025, uses spoofed emails and fake landing pages to steal personal information. The attackers request resumes and login credentials, aiming to harvest personal data for future attacks. The phishing emails mimic legitimate recruitment practices, using brand logos and tailored URLs to appear credible. The campaign includes multi-step processes to create an illusion of legitimacy, including CAPTCHA pages and fake Glassdoor or Facebook login pages.