Thousands of Phishing Sites Linked to LabHost Revealed
Summary:
Between late 2021 and early 2024, the LabHost service quietly grew into one of the most popular tools used by internet scammers. Before it was shut down by law enforcement in April of 2024, LabHost helped cyberthieves deliver phishing campaigns globally. Today, the FBI issued a list of over 42,000 domain names linked with the service, hoping it will allow defenders to identify patterns and strengthen security.
LabHost was a phishing service platform. Instead of building phishing infrastructure from the ground up, scammers could pay to use software that let them construct fake login pages for banks, online stores, video streaming websites, and even government websites. The pages were convincing enough to make users hand over sensitive data such as usernames, passwords, credit card details, and two-factor authentication tokens.
The FBI estimates that the site had over a million stolen passwords and nearly half a million credit card numbers. All were collected and resold to LabHost customers, who used them to make fraudulent transactions or to steal money from accounts.
Security Officer Comments:
Although the platform is now offline, the domains that were active can still be useful in understanding how the scams were run. Some may still be active and others offline, but security teams can check the list to determine whether there is any prior traffic or activity in their systems related to these domains.
Suggested Corrections:
The full domain list is available on the FBI’s IC3 site at ic3.gov/CSA/2025, and organizations are being encouraged to check it out. Even though these domains are historical, they could offer clues about attacker tactics and infrastructure. It’s also a reminder of how easy phishing kits have made it for nearly anyone to launch a convincing scam online.
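One way to run the retrospective check described above, as an added example that is not part of the FBI advisory or the original summary. It assumes the domain list has been exported to one domain per line and that DNS or proxy logs are available as `timestamp client query` lines; all sample domains and log lines are constructed placeholders.

```python
from urllib.parse import urlsplit

# Constructed sample entries on reserved TLDs, not taken from the FBI list.
BLOCKLIST_SAMPLE = """
# one domain per line (assumed export format)
secure-login-bank.example
parcel-redelivery.test
"""

# Constructed log lines in an assumed "timestamp client query" layout.
DNS_LOG_SAMPLE = [
    "2024-03-02T10:15:04Z 10.0.4.17 www.secure-login-bank.example.",
    "2024-03-02T10:15:09Z 10.0.4.17 intranet.corp.example",
    "2024-03-05T08:01:44Z 10.0.9.230 https://Parcel-Redelivery.test:443/track",
    "2024-03-05T08:02:10Z 10.0.9.230 notsecure-login-bank.example",
]

def normalize(value):
    """Reduce a host, host:port or URL to a lower-case hostname without root dot."""
    value = value.strip().lower()
    if "://" not in value:
        value = "//" + value  # make urlsplit treat a bare host as the netloc
    try:
        return (urlsplit(value).hostname or "").rstrip(".")
    except ValueError:
        return ""

def load_blocklist(lines):
    """Build a set of listed domains, skipping blanks and comments."""
    entries = (l.strip() for l in lines)
    return {normalize(l) for l in entries if l and not l.startswith("#")}

def match(host, blocklist):
    """Return the listed domain equal to host or a parent of it, else None.
    Walking label by label avoids false hits from plain suffix matching."""
    labels = host.split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None

def hunt(log_lines, blocklist):
    """Return (timestamp, client, host, listed_domain) for every matching line."""
    hits = []
    for line in log_lines:
        ts, client, query = line.split(None, 2)
        host = normalize(query)
        listed = match(host, blocklist)
        if listed:
            hits.append((ts, client, host, listed))
    return hits
```

The fourth sample line is deliberately left unmatched: it ends with a listed string but is a different registered name, which a naive `endswith` comparison would flag.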
Link(s):
www.ic3.gov/CSA/2025/250429.pdf