A sprawling cybercrime operation that weaponized trusted search engines to drain millions from American bank accounts has been dismantled by federal authorities. The Department of Justice (DOJ) announced the seizure of a critical command-and-control domain used to harvest and manage thousands of stolen banking credentials.
The seizure targets a sophisticated “account takeover” scheme that leveraged the trust users place in platforms like Google and Bing to intercept sensitive financial data.
Unlike traditional phishing attacks that arrive via email, this group brought the trap directly to the victim’s search results. According to court documents, the criminals purchased advertising space on major search engines to display fake ads that mimicked legitimate banking portals.
“The criminal group perpetrating the bank account takeover fraud delivered fraudulent advertisements through search engines, including Google and Bing,” the press release states.
When users searched for their bank and clicked on what appeared to be a “sponsored” link to their financial institution, they were quietly redirected to high-fidelity replica sites. Once the victim entered their username and password, the trap was sprung.
“The criminals harvested those credentials through a malicious software program embedded in the fake website,” the DOJ explained. “The criminals then used those bank credentials on the corresponding legitimate bank websites to access victims’ bank accounts and drain their funds.”
The seizure focused on web3adspanels.org, a domain that served as the operational backbone for the fraudsters.
“The domain, web3adspanels.org, was used by those involved in the scheme as a backend web panel to store and manipulate illegally harvested bank login credentials,” the announcement clarified.
This backend interface allowed the attackers to organize their loot—thousands of stolen login sets—and systematically empty accounts. The scale of the theft was massive. The FBI identified at least 19 specific victims, including two companies in Georgia, resulting in “attempted losses of approximately $28 million dollars and actual losses of approximately $14.6 million dollars.”
Crucially, this was an active threat. “Based on the FBI’s investigation, the seized domain continued to host a backend server used in furtherance of the bank account takeover fraud as recently as November 2025.”
This seizure comes amidst a historic surge in account takeover (ATO) fraud. The FBI’s Internet Crime Complaint Center (IC3) has been inundated with reports, signaling a shift in cybercriminal tactics toward direct financial manipulation.
“Since January 2025, the FBI Internet Crime Complaint Center (IC3) received more than 5,100 complaints reporting bank account takeover fraud, with reported losses exceeding $262 million.”
To defend against these “malvertising” threats, the DOJ offers simple but effective advice: stop clicking ads to log in. The public is encouraged to use “‘Bookmarks’ or ‘Favorites’ for navigating to login websites” rather than relying on search engine results, which can be easily spoofed by the highest bidder.