CyberHappenings logo
Home Browse About

Track cybersecurity events as they unfold. Sourced timelines. Filter, sort, and browse. Fast, privacy‑respecting. No invasive ads, no tracking.

FBI Warns of $262M Stolen in Account Takeover Fraud Schemes

First reported
Last updated
3 unique sources, 3 articles

Summary

Hide ▲

Since January 2025, cybercriminals impersonating bank support teams have stolen over $262 million through account takeover (ATO) fraud schemes. The FBI's Internet Crime Complaint Center (IC3) has received over 5,100 complaints, affecting individuals and businesses across various sectors. Criminals gain unauthorized access to online financial accounts using social engineering techniques or fraudulent websites. Once in control, they wire funds to crypto wallets and often change account passwords, making recovery difficult. The FBI advises monitoring financial accounts, using strong passwords, enabling MFA, and avoiding search results for banking websites. Victims are urged to contact their financial institutions immediately and file complaints with the IC3. Recent reports highlight the growing use of AI-powered phishing campaigns, SEO poisoning, and exploitation of e-commerce vulnerabilities, particularly ahead of the holiday season. Additionally, purchase scams and mobile phishing (mishing) sites have seen a significant increase, leveraging trusted brand names to deceive users. Cybercriminals have been found to alert account holders to alleged fraudulent purchases of high-risk items such as firearms, and use SEO poisoning by purchasing ads that imitate legitimate business ads to increase the prominence of their phishing websites.

Timeline

  1. 25.11.2025 19:23 3 articles · 1d ago

    FBI Warns of $262M Stolen in Account Takeover Fraud Schemes Since January 2025

    The FBI has reported a massive surge in account takeover fraud schemes, with over $262 million stolen since January 2025. Cybercriminals impersonate bank support teams to gain unauthorized access to financial accounts, using social engineering and fraudulent websites. Once in control, they wire funds to crypto wallets and often change account passwords, making recovery difficult. The FBI advises monitoring financial accounts, using strong passwords, enabling MFA, and avoiding search results for banking websites. Victims are urged to contact their financial institutions immediately and file complaints with the IC3. The article provides additional details on the methods used by cybercriminals to execute ATO fraud, including the manipulation of MFA codes and impersonation of law enforcement. It also highlights the growing threat of AI-powered phishing campaigns, SEO poisoning, and exploitation of e-commerce vulnerabilities. The FBI advises users to be cautious about sharing personal information online and to verify banking website URLs. The article also reports on the increasing prevalence of purchase scams and mobile phishing sites, which are being used to steal victim data and authorize fraudulent payments. Additionally, it mentions that cybercriminals have been found to alert account holders to alleged fraudulent purchases of high-risk items such as firearms, and use SEO poisoning by purchasing ads that imitate legitimate business ads to increase the prominence of their phishing websites.

    Show sources
    Open in new tab

Information Snippets

Similar Happenings

Crypto Laundering Scheme Involving $230M Heist Uncovered

A 45-year-old California man, Kunal Mehta, has pleaded guilty to laundering at least $25 million stolen in a $230 million cryptocurrency heist. The scheme involved a large group that used social engineering to access victims' accounts between October 2023 and March 2025. The group, which included members from various states and abroad, was involved in organizing, hacking, and stealing funds. Mehta served as a money launderer, creating shell companies to launder funds through bank accounts. The stolen cryptocurrency was used to finance lavish lifestyles, including luxury cars and international travel. The FBI has emphasized the importance of being vigilant against online scams.

Open in new tab

LinkedIn Phishing Campaigns Targeting Enterprises

LinkedIn has become a prominent platform for phishing attacks, with 34% of phishing attacks occurring over non-email channels. Attackers are conducting sophisticated spear-phishing campaigns targeting executives in financial services and technology sectors. These attacks bypass traditional security tools, are cost-effective and scalable for attackers, provide easy access to high-value targets, and have significant potential rewards. The nature of LinkedIn makes it easier for users to fall for these attacks, as they expect to interact with external contacts. The impact of these attacks can be severe, potentially leading to multi-million dollar breaches. Organizations need to adopt comprehensive security measures to detect and block phishing across all apps and delivery vectors. 60% of credentials in infostealer logs are linked to social media accounts, many of which lack MFA. Attackers are hijacking legitimate LinkedIn accounts to launch phishing campaigns, exploiting the lack of MFA on these accounts. LinkedIn phishing attacks target core enterprise cloud platforms such as Microsoft and Google, or specialist Identity Providers like Okta. A single account compromise can snowball into a multi-million dollar, business-wide breach.

Open in new tab

Credential Compromise Lifecycle and Enterprise Risks

Enterprise credentials are frequently compromised through phishing, brute force attacks, third-party breaches, and exposed API keys. Hackers aggregate and monetize these credentials, selling them on underground markets. Once purchased, these credentials are used for account takeovers, lateral movement, data theft, resource abuse, and ransomware deployment, causing significant financial and reputational damage to organizations. The credential compromise lifecycle involves users creating credentials, hackers compromising them, aggregating and monetizing them, distributing and weaponizing them, and finally exploiting them for various malicious activities. Common vectors include phishing campaigns, credential stuffing, third-party breaches, and leaked API keys. The criminal ecosystem consists of opportunistic fraudsters, automated botnets, criminal marketplaces, and organized crime groups, each with different motivations and methods. The real-world impact of credential compromise includes account takeover, lateral movement, data theft, resource abuse, and ransomware deployment, leading to regulatory fines, lawsuits, remediation costs, and long-term reputational damage.

Open in new tab

Spear-Phishing Campaign Targets Social Media and Marketing Professionals with Fake Job Offers

A spear-phishing campaign targets social media and marketing professionals with fake job offers from Tesla, Red Bull, and Ferrari. The campaign, tracked since February 2025, uses spoofed emails and fake landing pages to steal personal information. The attackers request resumes and login credentials, aiming to harvest personal data for future attacks. The phishing emails mimic legitimate recruitment practices, using brand logos and tailored URLs to appear credible. The campaign includes multi-step processes to create an illusion of legitimacy, including CAPTCHA pages and fake Glassdoor or Facebook login pages.

Open in new tab

Lighthouse and Lucid PhaaS Campaigns Target 316 Brands Across 74 Countries

The phishing-as-a-service (PhaaS) offerings Lighthouse and Lucid have been linked to over 17,500 phishing domains targeting 316 brands across 74 countries. The campaigns leverage various phishing kits and templates to impersonate brands and harvest credentials. The operations are attributed to the Chinese-speaking XinXin group and other associated actors. Google has filed a civil lawsuit against China-based hackers behind the Lighthouse PhaaS platform, which has ensnared over 1 million users across 120 countries and made over $1 billion over the past three years. The platform uses over 194,000 malicious domains and has compromised between 12.7 million and 115 million payment cards in the U.S. alone. The phishing kits offer template customization and real-time victim monitoring, with prices ranging from $88 for a week to $1,588 for a yearly subscription. The campaigns also highlight a broader trend of collaboration and innovation within the PhaaS ecosystem, with threat actors returning to email as a primary channel for harvesting stolen credentials. A growing cluster of fraudulent domains impersonating major Egyptian service providers, including Fawry, Egypt Post, and Careem, has been identified during a recent threat-hunting operation by Dark Atlas. The discovery points to an expanding campaign run by the Smishing Triad, a Chinese-speaking cybercrime group known for large-scale SMS phishing operations. New malicious domains were uncovered after analysts examined HTTP headers from the group’s infrastructure and used those indicators to run targeted searches on Shodan. The investigation highlighted the group’s reliance on Telegram to promote and sell its phishing-as-a-service offerings. A separate but related development involves Darcula, a large-scale PhaaS platform operating more than 20,000 spoofed domains across 100 countries. Netcraft reports that an upgraded version, Darcula 3.0, introduced anti-detection features, an enhanced admin panel, a card-cloning tool, and AI-driven automation that allows operators to build phishing pages with a single click. Both the Smishing Triad and emerging PhaaS services like Darcula demonstrate the increasing sophistication of global phishing operations.

Open in new tab