DOJ seizes phishing domain tied to $14.6 million in US fraud losses

Federal authorities disrupted a phishing operation that stole banking credentials from multiple victims.

 

What happened

The US Department of Justice announced the seizure of a domain used in a phishing campaign that resulted in approximately $14.6 million in losses affecting 19 victims in the United States. Court records indicate that the domain hosted counterfeit banking websites, which collected login credentials and facilitated account takeovers. Investigators also seized a database containing stolen usernames and passwords. The takedown was carried out as part of a broader effort to dismantle online fraud infrastructure following a federal warrant.

 

Going deeper

Investigators found that the operation relied on paid search advertisements and lookalike websites designed to appear as legitimate financial institutions. Victims searching for banking services were redirected to fraudulent pages where credentials were harvested. Once access was obtained, attackers transferred funds to accounts under their control. Authorities said the seized infrastructure facilitated credential theft and financial fraud, allowing the operation to scale while remaining difficult for victims to detect.

 

What was said

The Justice Department said the seizure was intended to immediately stop further losses and prevent additional victims from being targeted. Prosecutors noted that removing criminal infrastructure is often the fastest way to disrupt ongoing fraud, especially when perpetrators operate across jurisdictions. Officials also reiterated that law enforcement does not request sensitive financial information through unsolicited websites or advertisements and urged users to verify banking URLs carefully.

 

The big picture

According to the FBI, the Internet Crime Complaint Center has received more than 5,100 reports of bank account takeover fraud since January 2025, with losses exceeding $262 million. In its advisory, the bureau warned users to be cautious about what they share online and urged people to “regularly monitor accounts for any financial irregularities,” use unique passwords, verify banking website URLs before signing in, and remain alert for phishing messages or suspicious calls.

 

FAQs

How do phishing domains typically reach victims?

Attackers often use paid ads, search engine manipulation, or links shared through email and text messages to direct users to fake websites.

 

Why are banking credentials a common target?

Stolen login information allows criminals to move funds quickly, reset account controls, and lock out legitimate users.

 

Does seizing a domain stop the entire fraud operation?

It disrupts ongoing activity and prevents new victims, but investigations often continue to identify individuals behind the scheme.

 

What warning signs indicate a fake banking website?

Warning signs include misspelled domains, unexpected login prompts, pressure to act quickly, and links reached through ads rather than bookmarks.

 

What should users do if they have entered information on a phishing site?

They should contact their bank immediately, reset credentials, monitor accounts, and report the incident to IC3.

 
