FBI Uncovers 42,000 Phishing Domains Linked to Notorious LabHost Cybercrime Platform

By Omkar Santosh Mahajan
Cybersecurity Analyst & Contributor | May 2025

In a major takedown that rippled across the cybersecurity world, the Federal Bureau of Investigation (FBI) has disclosed the discovery of over 42,000 phishing domains connected to one of the most notorious phishing-as-a-service (PhaaS) platforms to date—LabHost.

Spanning from November 2021 through April 2024, LabHost’s cybercriminal operation was recently dismantled by a coordinated international law enforcement action, marking a significant victory in the fight against organized digital crime.

What Was LabHost?

At its peak, LabHost was a cybercrime behemoth, boasting nearly 10,000 registered users—each paying to access professional-grade phishing services.

LabHost’s offerings included:

  • Custom phishing website templates
  • Smishing (SMS phishing) campaigns
  • Infrastructure for phishing campaigns
  • Real-time adversary-in-the-middle (AitM) proxy tools to bypass multi-factor authentication (MFA/2FA)

The service impersonated over 200 legitimate global organizations, including:

  • Major banks
  • Government agencies
  • Streaming platforms
  • Postal and logistics services

Once victims were lured in, their personal information—including login credentials and credit card data—was funneled directly to cybercriminals in real time.

The Scale of the Breach

According to the FBI, LabHost’s infrastructure stored:

  • Over 1 million login credentials
  • Nearly 500,000 compromised credit card records

These details powered a massive global cybercrime network involved in:

  • Financial fraud
  • Identity theft
  • Money laundering

The 42,000 domains discovered only scratch the surface. FBI officials estimate over a million victims globally may have been impacted, many of whom remain unaware of the compromise.

How the FBI Got In

The domains and backend data were recovered during a multi-agency cyber operation that included intelligence from allied law enforcement agencies. During the takedown, investigators accessed LabHost’s servers, extracting:

  • Domain names
  • Creation timestamps
  • IPs tied to attacker infrastructure

This data was later released via an FBI FLASH alert, providing the cybersecurity community with actionable Indicators of Compromise (IOCs).

What Should Organizations Do Now?

The FBI recommends organizations take immediate preventive actions:

  1. Review DNS logs for connections to any of the 42,000 known domains.
  2. Blacklist or block the associated domains in perimeter defenses.
  3. Perform retrospective analysis to identify signs of compromise.
  4. Report suspicious activity to their nearest FBI field office.
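One way a defender can carry out step 1 above, as an added example that is not code from the FBI alert or this article: it parses BIND-style resolver query logs (constructed sample lines below), normalizes each queried name, and matches it against the IOC list on label boundaries, so subdomains of a listed domain are caught while look-alike names that merely end in the same characters are not. The IOC domains and client addresses here are placeholders; the real list would be loaded from the FBI FLASH alert with `load_ioc_file`.

```python
import re

# Placeholder IOC domains (constructed, using the reserved .test TLD); the real
# set comes from the FBI FLASH alert via load_ioc_file().
IOC_DOMAINS = {"example-bank-login.test", "secure-parcel-redelivery.test"}

# Constructed BIND-style resolver query-log lines for demonstration.
SAMPLE_DNS_LOG = """\
12-Mar-2024 09:14:02.117 client 10.0.5.23#51234: query: www.example-bank-login.test IN A + (10.0.0.53)
12-Mar-2024 09:14:05.902 client 10.0.5.23#51240: query: cdn.vendor.example IN AAAA + (10.0.0.53)
12-Mar-2024 09:15:11.004 client 10.0.7.8#40001: query: SECURE-PARCEL-REDELIVERY.TEST. IN A + (10.0.0.53)
12-Mar-2024 09:16:40.330 client 10.0.9.1#53311: query: notexample-bank-login.test IN A + (10.0.0.53)
"""

QUERY_RE = re.compile(r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\w+)")


def normalize(name):
    """Strip the trailing root dot and lowercase, so log and IOC spellings compare equal."""
    return name.rstrip(".").lower()


def load_ioc_file(path):
    """Read one domain per line (blank lines and '#' comments ignored) into a normalized set."""
    with open(path, encoding="utf-8") as fh:
        return {normalize(l) for l in fh if l.strip() and not l.startswith("#")}


def matches_ioc(qname, iocs):
    """Return the IOC domain that qname equals or is a subdomain of, else None.
    Walking label by label means 'notexample-bank-login.test' is NOT a hit."""
    labels = normalize(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in iocs:
            return candidate
    return None


def find_hits(log_lines, iocs):
    """Return (client_ip, queried_name, matched_ioc) for every query touching an IOC domain."""
    hits = []
    for line in log_lines:
        m = QUERY_RE.search(line)
        if not m:
            continue
        ioc = matches_ioc(m["qname"], iocs)
        if ioc:
            hits.append((m["client"], normalize(m["qname"]), ioc))
    return hits


if __name__ == "__main__":
    for client, qname, ioc in find_hits(SAMPLE_DNS_LOG.splitlines(), IOC_DOMAINS):
        print(f"{client} resolved {qname} (matches IOC {ioc})")
```

Each hit is a lead for step 3: the client address identifies the host to examine retrospectively, and the timestamp in the log line bounds the window of interest.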

The Bureau also warns that while many of the domains may now be inactive, residual threats such as malware or credential stuffing attacks could still be active.

A New Era of Commercialized Cybercrime

LabHost is a textbook example of how cybercrime is evolving into a service-based industry, offering “plug-and-play” phishing kits to anyone with malicious intent and a budget.

This case reinforces the need for:

  • Zero-trust architecture
  • Cyber awareness training
  • AI-powered phishing detection tools
  • International threat intelligence sharing