Police Dismantle Phishing-as-a-Service Platform BulletProftLink

The global operation also led to the arrest of eight individuals, including the alleged mastermind.

BulletProftLink, a prolific phishing-as-a-service (PhaaS) and initial access broker (IAB) operation was operating since 2015.

In a significant blow to the cybercrime community, Malaysian police have dismantled BulletProftLink, a prolific phishing-as-a-service (PhaaS) and initial access broker (IAB) operation.

The seizure was a result of a collaborative effort between the Royal Malaysian Police, the Australian Federal Police, and the FBI. The authorities arrested eight individuals on 6 November, 2023 including the platform’s alleged mastermind and a software engineer.

Additionally, security agencies also seized cryptocurrency wallets containing approx. $213,000, apart from jewellery, servers, payment cards, and computers.

BulletProftLink, a prolific phishing-as-a-service (PhaaS) and initial access broker (IAB) operation was operating since 2015. It served thousands of threat actors with tools and resources to conduct phishing attacks through its extensive collection of phishing templates (over 300), including login pages for prominent services like DHL, Microsoft Office, Naver, and financial institutions.

Some of these pages were hosted on legit cloud services such as Google Cloud and Microsoft Azure. It also aided attackers in bypassing MFA (multi-factor authentication) protections by offering the Evilginx2 reverse-proxying tool that could lead to Adversary-in-the-Middle phishing attacks.

According to Malaysian police, the platform had become intensely active since 2018, and that’s when it came to their radar. Since its inception, BulletProftLink has attracted over 8000 clients, many of whom paid up to $2,000/month for accessing credential logs regularly. Malicious actors preferred it for buying stolen accounts to conduct frauds and cyberattacks.

“From our investigations, not only the syndicate has compromised websites those of financial and education institutions, and official government sites in Australia, but they are also involved with the selling of stolen credentials,” stated Royal Malaysian Police’s inspector general, Sri Razarudin Husain.

This platform remained a key source for cybercriminals to infiltrate corporate networks, conduct reconnaissance, and laterally move towards valuable targets. Intel471, a threat intelligence platform, was monitoring the platform’s activities, and the following screenshot has been captured from their coverage of the event.

Malaysian Police Shut Down BulletProftLink Phishing-as-a-Service Operation
The screenshot reveals phishing templates for various platforms that were previously accessible on the BulletProofLink website.

The authorities haven’t yet disclosed the identities of the arrested individuals. As per cyber threat intelligence professionals, a threat actor, AnthraxBP, could be linked to the platform, and certain operational mistakes from BulletProftLink could have led to its dismantling.

The authorities have taken down multiple domains of the platform. Its closure is certainly a huge victory against cybercriminals because BulletProftink had remained a crucial source of stolen credentials for threat actors. Now that it is out of the picture, cybercriminals will need to look for alternative sources to gain initial access to corporate networks.

  1. NetWire Malware Site and Server Seized, Admin Arrested
  2. Ragnar Locker Ransomware Gang Dismantled, Key Suspect Arrested
  3. SSNDOB Cybercrime Marketplace Seized in Intl. Coordinated Operation
  4. INTERPOL Dismantles Infamous ’16shop’ Phishing-as-a-Service Platform
  5. EvilProxy Phishing Kit Targets Microsoft Users via Indeed.com Vulnerability
Related Posts