Daily CyberSecurity

Search Engine “Malvertising” Ring Disrupted: DOJ Seizes Backend of $14.6 Million Bank Fraud Scheme

Do Son December 24, 2025 3 minutes read

A sprawling cybercrime operation that weaponized trusted search engines to drain millions from American bank accounts has been dismantled by federal authorities. The Department of Justice (DOJ) announced the seizure of a critical command-and-control domain used to harvest and manage thousands of stolen banking credentials.

The operation targets a sophisticated “account takeover” scheme that leveraged the trust users place in platforms like Google and Bing to intercept sensitive financial data.

Unlike traditional phishing attacks that arrive via email, this group brought the trap directly to the victim’s search results. According to court documents, the criminals purchased advertising space on major search engines to display fake ads that mimicked legitimate banking portals.

“The criminal group perpetrating the bank account takeover fraud delivered fraudulent advertisements through search engines, including Google and Bing,” the press release states.

When users searched for their bank and clicked on what appeared to be a “sponsored” link to their financial institution, they were quietly redirected to high-fidelity replica sites. Once the victim entered their username and password, the trap was sprung.

“The criminals harvested those credentials through a malicious software program embedded in the fake website,” the DOJ explained. “The criminals then used those bank credentials on the corresponding legitimate bank websites to access victims’ bank accounts and drain their funds.”

The seizure focused on web3adspanels.org, a domain that served as the operational backbone for the fraudsters.

“The domain, web3adspanels.org, was used by those involved in the scheme as a backend web panel to store and manipulate illegally harvested bank login credentials,” the announcement clarified.

This backend interface allowed the attackers to organize their loot—thousands of stolen login sets—and systematically empty accounts. The scale of the theft was massive. The FBI identified at least 19 specific victims, including two companies in Georgia, resulting in “attempted losses of approximately $28 million dollars and actual losses of approximately $14.6 million dollars.”

Crucially, this was an active threat. “Based on the FBI’s investigation, the seized domain continued to host a backend server used in furtherance of the bank account takeover fraud as recently as November 2025.”

This seizure comes amidst a historic surge in account takeover (ATO) fraud. The FBI’s Internet Crime Complaint Center (IC3) has been inundated with reports, signaling a shift in cybercriminal tactics toward direct financial manipulation.

“Since January 2025, the FBI Internet Crime Complaint Center (IC3) received more than 5,100 complaints reporting bank account takeover fraud, with reported losses exceeding $262 million.”

To defend against these “malvertising” threats, the DOJ offers simple but effective advice: stop clicking ads to log in. The public is encouraged to use “‘Bookmarks’ or ‘Favorites’ for navigating to login websites” rather than relying on search engine results, which can be easily spoofed by the highest bidder.
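For defenders reviewing web proxy logs, the flow described above (a sponsored click that lands on a bank look-alike host, plus any contact with the seized domain) can be turned into a simple triage check. This is an added example, not code from the DOJ or the article; the bank domain, brand keyword, log format and log lines are constructed assumptions, and only web3adspanels.org comes from the article.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed for this example: bank domain, brand keyword and log lines.
# Only the seized domain below is taken from the article.
BANK_DOMAINS = {"examplebank.com"}        # hypothetical legitimate login domain
BRAND_KEYWORDS = {"examplebank"}          # hypothetical brand string to watch
SEIZED_BACKEND = "web3adspanels.org"
AD_CLICK_PARAMS = {"gclid", "msclkid"}    # Google Ads / Microsoft Advertising click IDs

def in_domain(host, domain):
    """True if host is the domain itself or one of its subdomains."""
    return host == domain or host.endswith("." + domain)

def classify(url):
    """Return a finding label for one requested URL, or None if nothing is flagged."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    if in_domain(host, SEIZED_BACKEND):
        return "seized-backend-contact"
    if any(in_domain(host, d) for d in BANK_DOMAINS):
        return None  # genuine bank site, even when reached through an ad
    from_ad = bool(AD_CLICK_PARAMS & set(parse_qs(parts.query)))
    looks_like_bank = any(k in host.replace("-", "") for k in BRAND_KEYWORDS)
    if from_ad and looks_like_bank:
        return "ad-click-to-lookalike"
    return "lookalike-host" if looks_like_bank else None

def scan(log_lines):
    """Each line is '<timestamp> <user> <url>'. Returns (user, label, host) tuples."""
    findings = []
    for line in log_lines:
        fields = line.split()
        if len(fields) != 3:
            continue  # skip malformed lines
        label = classify(fields[2])
        if label:
            findings.append((fields[1], label, urlsplit(fields[2]).hostname))
    return findings

SAMPLE_LOG = [  # constructed proxy log lines
    "2025-11-03T14:02:11Z alice https://www.examplebank.com/login?gclid=abc123",
    "2025-11-03T14:05:40Z bob https://examplebank-secure.example.net/login?msclkid=def456",
    "2025-11-03T14:05:58Z bob https://web3adspanels.org/",
    "2025-11-03T14:09:02Z carol https://news.example.org/story?gclid=zzz",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A keyword match on the hostname is only a triage signal; hits still need review against the institution's real domain inventory.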

Written by
@DdoS · Security Researcher

Do Son

Do Son is the Founder and Editor of SecurityOnline.info. Working in cybersecurity since 2013, he reports on vulnerabilities, malware, and emerging threats, providing timely analysis to help organizations and individuals stay ahead of evolving risks.
