The Justice Department announced today the seizure of four domains used by the administrators and customers of a domain spoofing service. The domain seizures were authorized pursuant to seizure warrants issued in the Western District of Pennsylvania and were executed in coordination with the arrest of dozens of administrators and customers of the illicit service by foreign law enforcement agencies.
“Together with our international partners, the Justice Department has disrupted another cybercrime scheme originating from Russia that enabled criminals to steal from over a million victims in the United States and around the world,” said Attorney General Merrick B. Garland. “I am grateful to the U.S. Attorney’s Office for the Western District of Pennsylvania, the FBI, and our partners at the Secret Service for their work on this case, and to our foreign law enforcement partners whose efforts have led to the arrests of dozens of LabHost administrators and users.”
According to court records, the United States obtained authorization to seize the domains as part of an investigation of the spoofing service operated through the Lab-host.ru domain (LabHost), which resolves to a Russian internet infrastructure company. LabHost provided online infrastructure and interactive functionality for its subscription-based services. According to court records, customers of LabHost used its services to create and manage spoofed websites designed to look like the legitimate websites of businesses such as Amazon, Netflix, Wells Fargo, Bank of America, and Chase Bank. LabHost customers used the spoofed websites to lure unwitting victims into disclosing their personally identifiable information (PII) — e.g., date of birth, email address, password, address, and credit card information — on the websites the victims believed were legitimate. In turn, according to court documents, LabHost’s customers used the stolen PII to engage in unauthorized financial transactions at the expense of the victims. As outlined in court records, LabHost has been used to create over 40,000 spoofed websites, and its infrastructure has stored over one million user credentials and nearly 500,000 compromised credit cards.
The warrants authorized the seizure of the following four domains associated with application programming interface (API) services used to install spoofed websites and manage LabHost’s phishing and credential-theft operations: Instapi-1xoa93z90o348fz.co, Api2-4hdfix74ks.co, Api1-9kcpqcf7olw1w300w3m6.cc, and Api-d789342789342uy432hjf87df87dfk.cc. The four LabHost API domains were registered to NameSilo, LLC, a third-party webhosting service based in the United States. According to court records, the seized domains represented property used to commit violations of federal criminal law, including access device fraud, computer fraud, wire fraud, identity theft, and money laundering.
The effect of the domain seizures was to shut down the LabHost platform.
“The theft of personal information — and the financial ruin that often follows — should never be just another cost of using the internet for ordinary citizens,” said U.S. Attorney Eric G. Olshan for the Western District of Pennsylvania. “Today’s domain seizures show that cybercriminals’ greed will not go unchecked — no matter their sophistication and geographic reach. We will continue to work with our domestic and foreign law enforcement partners, using all available tools, to protect the global public.”
“Seizing LabHost and arresting those involved will have a systemic impact on transnational cybercrime,” said Special Agent in Charge Timothy P. Burke of the U.S. Secret Service (USSS) Pittsburgh Field Office. “We are proud to work with our foreign and domestic law enforcement partners as we continue to counter those engaged in cybercrime.”
“Behind every cybercrime-as-a-service operation lurks one thing: financial devastation,” said Special Agent in Charge Kevin Rojek of the FBI Pittsburgh Field Office. “The FBI and our global partners will continue to aggressively pursue anyone who thinks they can get rich by stealing from hard-working Americans. Selling cybercrime tools has ripple effects that go far beyond the businesses and borders of America. With every theft and intrusion, the public loses more and more trust in our critical digital infrastructure.”
The domain seizures in the United States occurred in conjunction with the international arrests of dozens of LabHost administrators and customers facing criminal charges in more than a dozen foreign countries. Law enforcement authorities from the following countries participated in the investigation: Australia, Austria, Belgium, Canada, Czechia, Estonia, Finland, Ireland, Malta, the Netherlands, New Zealand, Poland, Portugal, Romania, Spain, Sweden, and the United Kingdom.
Assistant U.S. Attorney Mark V. Gurzo for the Western District of Pennsylvania is prosecuting the case.
The FBI and USSS investigated the case in the United States, and the United Kingdom’s London Metropolitan Police investigated the international case, with the support of Europol’s European Cybercrime Centre and Joint Cybercrime Action Taskforce.