Pierluigi Paganini
May 01, 2025
The FBI shared a list of 42,000 domains registered from November 2021 to Apr 2024, linked to LabHost to raise awareness and aid in threat detection. The domain list helps prevent future malicious use, allows security teams to scan past logs for breaches, and supports phishing analysis and model training.
“The Federal Bureau of Investigation (FBI) is releasing this FLASH to disseminate 42,000 phishing domains linked to the LabHost phishing-as-a-service (PhaaS) platform between November 2021 and April 2024. Prior to being disabled by law enforcement in April 2024, LabHost was one of the world’s largest PhaaS providers, offering a range of illicit services for approximately 10,000 users.” reads the Flash Alert published by the FBI. “The platform enabled cyber criminals to impersonate more than 200 organizations, including major banks and government institutions, in an effort to collect personal information and banking credentials from unsuspecting victims worldwide. The FBI is releasing this information to maximize awareness and provide indicators of compromise that may be used by recipients for research and defense.”
In April 2024, an international law enforcement operation, codenamed Nebulae and coordinated by Europol, led to the disruption of LabHost, which is one of the world’s largest phishing-as-a-service platforms.
Law enforcement from 19 countries participated in the operation, which resulted in the arrest of 37 individuals.
The phishing-as-a-service platform was available on the clear web and has been shut down by the police. LabHost stored over 1 million credentials and 500,000 credit cards, facilitating financial theft, fraud, and money laundering by its users.
Between April 14th and April 17th, law enforcement agencies conducted searches at 70 addresses worldwide, leading to the arrest of the suspects. Four individuals, including the original developer of LabHost, were arrested in the United Kingdom.
Phishing as a service (PaaS) platforms provide phishing tools and resources to crooks, often for a fee or subscription. These tools typically include pre-designed phishing templates, email or text message sending capabilities, website hosting services for phishing pages. Most important PhaaS platforms also provide technical support to their customers.
LabHost was a prominent tool for cybercriminals globally, offering a subscription-based service that facilitated phishing attacks. The platform provided phishing kits, hosting infrastructure, interactive features for engaging victims, and campaign management tools. The investigation conducted by law enforcement revealed approximately 40,000 phishing domains associated with LabHost, which reached 10,000 users worldwide. Subscribers paid an average monthly fee of $249 for use the platform’s services. LabHost offered a selection of over 170 convincing fake websites for users to deploy with ease.
“What made LabHost particularly destructive was its integrated campaign management tool named LabRat. This feature allowed cybercriminals deploying the attacks to monitor and control those attacks in real time. LabRat was designed to capture two-factor authentication codes and credentials, allowing the criminals to bypass enhanced security measures.” reads the announcement published by Europol.
“FBI obtained these 42,000 domain names and creation dates associated with LabHost from the backend server of the platform. FBI has not validated every domain name, and the list may contain typographical or similar errors from LabHost user input.” concludes the alert. “The information is historical in nature, and the domains may not currently be malicious.”
The FBI urges organizations to review the 42,000+ domains for signs of compromise, take mitigation steps, and report suspicious activity.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, PhaaS)
