CBIA thanks Josh Sorenson for the photo

US Authorities Seize Domain Containing Thousands of Stolen Banking Credentials in $28 Million Fraud Scheme

by CBIA Team

Federal authorities have seized a web domain containing thousands of stolen banking credentials used in a sophisticated account takeover scheme that has targeted Americans through fraudulent search engine advertisements, resulting in approximately $14.6 million in confirmed losses and another $13.4 million in attempted thefts. The domain, web3adspanels.org, served as a backend panel where criminals stored and manipulated illegally harvested login credentials, according to an affidavit filed in support of the domain seizure by the Justice Department.

The operation disrupted a criminal network that impersonated legitimate banking institutions through sponsored search results on platforms including Google and Bing, redirecting victims to fake banking websites where their credentials were harvested before being used to drain their accounts. The seizure comes just weeks after the FBI issued a Public Service Announcement warning about Account Takeover Fraud via financial institution impersonation.

Background and Context

Account takeover fraud has emerged as a particularly damaging form of cybercrime: the FBI Internet Crime Complaint Center (IC3) has received more than 5,100 complaints related to such schemes since January 2025, with reported losses exceeding $262 million. Criminals typically employ social engineering tactics and technical deception to gain unauthorized access to victims' financial accounts, often leveraging the trust users place in legitimate banking institutions.

The scheme behind the seized domain represents an evolution in these tactics, using sophisticated search engine advertising campaigns to appear alongside legitimate banking results. According to investigators, the fraudulent advertisements were designed to closely mimic the official promotional materials of financial institutions, making them difficult for average consumers to distinguish from authentic bank marketing.

Key Figures and Entities

The investigation was announced by U.S. Attorney Theodore S. Hertzberg for the Northern District of Georgia, Acting Assistant Attorney General Matthew R. Galeotti of the Justice Department's Criminal Division, and Special Agent in Charge Paul Brown of the FBI Atlanta Field Office. The prosecution is being handled by Assistant U.S. Attorney Jessica C. Morris of the Northern District of Georgia and Trial Attorney Brian Mund of the Criminal Division's Computer Crime and Intellectual Property Section (CCIPS).

To date, the FBI has identified at least 19 victims throughout the United States, including two companies in the Northern District of Georgia whose accounts were compromised through this scheme. The full extent of victimization remains unclear as investigators continue to analyze the seized server, which contained credentials from thousands of victims.

The fraud operation employed a multi-stage process beginning with fraudulent advertisements that appeared in search engine results when users searched for banking services. When clicked, these advertisements redirected victims to counterfeit banking websites controlled by the criminals, according to court documents. These sites contained malicious software that captured login credentials as users entered them, then transmitted the information to the criminal backend hosted on the now-seized domain.

Once credentials were obtained, criminals accessed victims' actual bank accounts through the legitimate banking websites, initiating transfers and withdrawals that drained funds before victims could detect the unauthorized activity. The backend server allowed criminals to organize and manage thousands of stolen credentials, increasing the efficiency of their fraudulent operations.

International Implications and Policy Response

The investigation revealed significant international dimensions to the fraud scheme, with Estonian law enforcement preserving and collecting data from servers hosting both the phishing pages and stolen credentials. This cooperation highlights the transnational nature of modern cybercrime and the importance of cross-border collaboration in combating such schemes.

Since 2020, the Justice Department's CCIPS has secured convictions of more than 180 cybercriminals and obtained court orders for the return of over $350 million in victim funds. However, the scale of losses in this case—exceeding $14 million from just 19 identified victims—underscores the ongoing challenges in preventing account takeover fraud and the need for enhanced security measures in financial services.

Sources

This report draws on the Justice Department announcement regarding the domain seizure, the FBI Internet Crime Complaint Center data on account takeover fraud, and public FBI warnings about financial institution impersonation schemes. Additional context comes from the Computer Crime and Intellectual Property Section case records and international law enforcement cooperation agreements referenced in the announcement.
