
The FBI has released a comprehensive list of 42,000 phishing domains linked to LabHost, a prolific phishing-as-a-service (PhaaS) platform. This disclosure aims to bolster cyber resilience by enabling organizations to scan historical logs for potential breaches and block malicious activity. The domains, retrieved from LabHost's backend servers, include creation dates and impersonate over 200 brands, including banks, governments, and tech firms [1].
Key Findings and Operational Impact
LabHost operated as a subscription-based service, offering phishing kits, SMS spoofing, and real-time analytics for $99–$499/month [4]. The platform facilitated adversary-in-the-middle (AiTM) attacks, bypassing two-factor authentication by stealing session cookies [5]. According to BitLife Media, LabHost campaigns compromised 1.7 million credentials and 884,000 payment cards, with domains active between November 2021 and April 2024 [3].
Global law enforcement collaboration led to 37 arrests across 12 countries, including the sentencing of mastermind Zak Coyne to 8.5 years in the UK [3]. The FBI's IC3 division published the domain list as a CSV file, urging organizations to integrate it into SIEM tools like Splunk or Palo Alto Cortex [1].
Actionable Mitigation Steps
Organizations can take immediate steps to mitigate risks:
- Domain Blocklisting: Download and implement the FBI’s domain list using:
wget https://www.ic3.gov/CSA/2025/LabHost_Domains.csv
- Log Analysis: Query DNS logs for historical connections:
SELECT * FROM dns_logs WHERE domain IN (SELECT domain FROM labhost_domains);
- Employee Training: Focus on smishing and brand impersonation tactics, using LabHost case studies.
Technical Relevance
For threat researchers, the domain list provides a fingerprint for tracking LabHost-affiliated campaigns. The FBI's data includes creation timestamps, enabling correlation with past incidents [2]. Red teams can use this to simulate phishing campaigns, while blue teams can enhance detection rules for AiTM attacks.
Emerging trends include CSS-based phishing to evade email filters and AI-generated lures targeting HR departments [5]. LabHost's infrastructure overlaps with Darcula PhaaS, another SMS phishing network, suggesting shared TTPs among affiliates [3].
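The log-analysis step in the mitigation list above matches exact domain names only, so a query for a host under a listed domain (for example a `www.` or `login.` label in front of it) would be missed, and it does not use the creation dates the FBI ships with the list. The following script, added here as an example and not part of the FBI advisory or any vendor tool, loads the CSV, matches DNS query names against listed domains and their subdomains, and marks each hit with whether the query happened on or after the domain's creation date so it can be correlated with past incidents. The CSV column names (`domain`, `created`), the JSON shape of the DNS log lines (`ts`, `client`, `qname`), and all domains and log records are constructed assumptions; the real file's header is not stated on the page, so adjust the column names to match it.

```python
"""Scan DNS query logs against a LabHost-style domain blocklist CSV.

Added example, not the FBI's or any SIEM vendor's code. Assumptions:
- the CSV has a header row with columns 'domain' and 'created' (ISO dates);
  the advisory's actual column names are not given on the page.
- DNS logs are one JSON object per line with 'ts' (ISO 8601), 'client', 'qname'.
"""
import csv
import io
import json
from datetime import datetime, timezone

# Constructed sample blocklist (placeholder names, not real indicators).
SAMPLE_CSV = """domain,created
example-bank-secure.test,2023-02-14
parcel-redelivery-login.test,2023-09-01
"""

# Constructed sample DNS log lines, including a subdomain query, a query
# that predates the listed domain's creation, and a malformed line.
SAMPLE_LOGS = [
    '{"ts":"2023-03-01T10:15:00Z","client":"10.0.0.5","qname":"example-bank-secure.test"}',
    '{"ts":"2023-03-02T08:00:00Z","client":"10.0.0.7","qname":"www.example-bank-secure.test"}',
    '{"ts":"2023-01-20T09:30:00Z","client":"10.0.0.9","qname":"parcel-redelivery-login.test"}',
    '{"ts":"2023-03-02T08:01:00Z","client":"10.0.0.7","qname":"example.com"}',
    'not json at all',
]


def normalize(name):
    """Lower-case and strip the trailing dot; DNS names are case-insensitive."""
    return name.strip().lower().rstrip(".")


def load_blocklist(text):
    """Parse CSV text into {domain: creation datetime (UTC) or None}."""
    out = {}
    for row in csv.DictReader(io.StringIO(text)):
        domain = normalize(row.get("domain", ""))
        if not domain:
            continue
        try:
            created = datetime.fromisoformat(row["created"]).replace(tzinfo=timezone.utc)
        except (KeyError, ValueError):
            created = None  # keep the domain even if the date is missing or unparsable
        out[domain] = created
    return out


def match_domain(qname, blocklist):
    """Return the listed domain that qname equals or sits under, else None.

    Walks from the full name towards the apex, never testing the bare TLD.
    """
    labels = normalize(qname).split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None


def scan_logs(lines, blocklist):
    """Return a list of hit records for log lines that touch a listed domain."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        try:
            rec = json.loads(line)
            ts = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
            qname = rec["qname"]
        except (ValueError, KeyError, TypeError):
            continue  # malformed line: skip it but keep the line count accurate
        listed = match_domain(qname, blocklist)
        if listed is None:
            continue
        created = blocklist[listed]
        hits.append({
            "line": lineno,
            "client": rec.get("client"),
            "qname": qname,
            "listed_domain": listed,
            # A query before the domain's creation date cannot belong to this
            # campaign (an earlier registration of the same name); flag for review.
            "after_creation": created is None or ts >= created,
        })
    return hits


if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOGS, load_blocklist(SAMPLE_CSV)):
        print(hit)
```

On real data, replace `SAMPLE_CSV` with the contents of the downloaded file and feed the script your resolver's query log; hits with `after_creation` set to `False` are worth a second look rather than an automatic alert, since the same name may have been registered by someone else before LabHost created it.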
Conclusion
The FBI’s disclosure underscores the scalability of PhaaS platforms and the need for proactive defense measures. Organizations should prioritize log reviews and employee awareness to mitigate residual risks. Future analyses may reveal deeper ties between LabHost and other cybercrime operations.
References
[1] FBI IC3 Alert: LabHost Domain List. (2025).
[2] SC World: LabHost Domain Analysis. (2025).
[3] BitLife Media: LabHost Takedown Report. (2025).
[4] FBI Facebook Post on LabHost. (2025).
[5] Cibersecurity.io: LabHost Mitigation. (2025).