The FBI has released a list of 42,000 phishing domains tied to the dismantled LabHost network, giving cybersecurity teams a powerful tool to identify threats and strengthen defenses against future phishing attacks.
The FBI has released a list of 42,000 phishing domains connected to LabHost, a now-defunct phishing-as-a-service (PhaaS) platform that was taken down in a sweeping global operation in April 2024. The list includes domains registered between November 2021 and April 2024 and is intended to help cybersecurity professionals detect threats and prevent future attacks.
LabHost offered subscription-based phishing services, charging between $179 and $300 per month for access to phishing kits targeting U.S. and Canadian banks. The service boasted features such as real-time campaign management dashboards, SMS automation for phishing lures, and tools capable of bypassing two-factor authentication (2FA).
While LabHost launched in 2021, it gained significant momentum in late 2023 and early 2024, ultimately becoming one of the most prominent PhaaS platforms. By the time of its seizure, LabHost had over 10,000 customers globally and was responsible for stealing over 1 million user credentials and nearly half a million credit card records.
Its dismantling involved coordinated efforts across 19 countries, including simultaneous raids at 70 locations and the arrest of 37 individuals connected to the operation.
The FBI clarified that although the released domain list may no longer be tied to active malicious campaigns, it serves defensive purposes. Security teams can use the list to block re-registrations, retroactively scan system logs, and train phishing detection models.
The bureau cautioned that the list may contain typos or inaccuracies due to user-generated inputs from LabHost operators: “FBI has not validated every domain name, and the list may contain typographical or similar errors from LabHost user input,” the agency said.
Additionally, the FBI noted that further analysis of the domain patterns could uncover additional domains linked to the same criminal infrastructure.
While the operation disrupted one major network, the vast dataset of domains now offers cybersecurity teams valuable intelligence to improve defenses, detect overlooked breaches, and enhance threat attribution models. Even defunct domains carry risk—bad actors can repurpose them or learn from previous campaigns. The FBI’s release serves as both a warning and a tool, reinforcing the need for proactive, intelligence-driven cybersecurity in an age of highly professionalized cybercrime.
To help defenders retroactively identify breaches, block future re-registrations, and improve phishing detection models.
Yes. While many are inactive, attackers can reclaim or mimic them to launch new campaigns.
Security teams should cross-check internal logs, update blocklists, and refine phishing filters using the released data.
It industrializes phishing, letting even low-skilled criminals run advanced, scalable attacks.
Not likely. LabHost's takedown disrupts one major player, but similar services continue to operate and adapt.