
FBI Warns of Spoofed IC3 Websites Harvesting Victim Data

Cybercriminals are mimicking the FBI’s IC3 site to steal personal info. Learn how to spot fake portals and stay protected.

Written By
Ken Underhill
Sep 22, 2025

Cybercriminals are tricking victims into filing crime reports on fake FBI websites… and walking away with their most sensitive data.

A newly uncovered phishing campaign has cloned the FBI’s Internet Crime Complaint Center (IC3) portal, diverting visitors to spoofed domains that harvest personal and financial information in real time. Victims who believed they were reporting scams to the federal government instead exposed their names, addresses, Social Security numbers, and banking details to threat actors.

The FBI warned on Sept. 19 that these attacks not only endanger individuals but also undermine trust in one of the nation’s most important channels for reporting cybercrime.

Rising sophistication in government website spoofing

The campaign highlights the growing sophistication of government website impersonation. 

Individuals visiting domains like icc3[.]live and ic3a[.]com believed they were filing crime reports. However, these sites instead exposed names, addresses, phone numbers, Social Security numbers, and banking information to threat actors.

Because IC3 serves as a primary channel for reporting cybercrime, the attacks undermine trust in law-enforcement portals and potentially complicate investigations.

How the attack works

IC3 analysts first flagged the spoofed sites on Sept. 18, after multiple victims reported suspicious confirmation emails claiming to acknowledge IC3 submissions. 

Those emails contained links that redirected users to fraudulent domains designed to perfectly mirror the legitimate ic3[.]gov portal. The cloned pages reproduced the FBI seal, IC3 banner, and even the official complaint form, making them almost indistinguishable from the authentic site.

Once a victim landed on one of these fake portals, any data entered into the web forms — such as names, addresses, phone numbers, Social Security numbers, banking information, or email credentials — was transmitted in clear text over HTTP, bypassing the encrypted protections commonly used on the real IC3 site.

Embedded directly in the HTML, a malicious JavaScript snippet hijacked the form’s submit event, silently capturing all user inputs before allowing the page to display an error or redirect to another screen. 

The script also installed listeners on input fields, enabling the attackers to log keystrokes and harvest browser cookies or session data. Because the code blended with legitimate page elements rather than behaving as a downloadable file, traditional antivirus tools had little chance of detecting it.

Network analysis later showed that every form submission generated an immediate POST request to attacker-controlled endpoints — evidence of real-time exfiltration. The spoofed infrastructure was hosted through so-called “bulletproof” providers, which allowed rapid domain rotation and made it difficult for defenders to take the malicious sites offline. 

This combination of cloned branding, stealthy scripting, and resilient hosting enabled the campaign to persist despite early detection. This is not the first time threat actors have impersonated the FBI.
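For defenders triaging a saved copy of a suspect page, the traits described above (plaintext form posts, destinations off the real host, inline scripts hooking submit and key events) can be checked statically. This is an added example, not code from the FBI advisory or the article; the page URL, hosts and HTML are constructed placeholders, and the expected host is taken from the FBI's advice to navigate to www.ic3.gov.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

EXPECTED_HOST = "www.ic3.gov"  # assumption: host the FBI says to visit directly

# Constructed sample: saved copy of a suspect page (placeholder hosts).
PAGE_URL = "http://portal.example/complaint"
SAMPLE_HTML = """
<form id="complaint" action="/submit" method="post">
  <input name="ssn"><input name="account">
</form>
<script>
  var sink = "http://collector.example/in";
  document.getElementById("complaint").addEventListener("submit", send);
</script>
"""

class PageAudit(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.in_script, self.findings = page_url, False, []

    def check(self, kind, url):
        # Resolve relative URLs against the page, then test scheme and host.
        parts = urlsplit(urljoin(self.page_url, url))
        if parts.scheme != "https":
            self.findings.append((kind, "plaintext", parts.geturl()))
        if parts.hostname != EXPECTED_HOST:
            self.findings.append((kind, "off-host", parts.geturl()))

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            self.check("form", dict(attrs).get("action") or "")
        elif tag == "script":
            self.in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        if not self.in_script:
            return
        # Inline script registering submit/keystroke/input listeners.
        if re.search(r"addEventListener\(\s*[\"'](submit|key\w+|input)", data):
            self.findings.append(("script", "listener", "form/keystroke hook"))
        for url in re.findall(r"https?://[^\s\"'<>)]+", data):
            self.check("script", url)

def audit(html, page_url):
    parser = PageAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings
```

A listener finding alone is common on legitimate pages; it matters in combination with a plaintext or off-host destination.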

How to stay protected

The FBI advises users to navigate directly to www.ic3.gov rather than clicking links in emails or search results. Always verify the .gov certificate, be wary of sites with suspicious graphics, and never provide payment or credentials on nonofficial sites.

To reduce exposure to spoofed IC3 websites, organizations can take the following steps:

  • Monitor DNS logs for suspicious IC3-themed domains.
  • Deploy network filters to block known spoofing infrastructure.
  • Educate staff on phishing awareness and safe browsing practices.
  • Reinforce zero-trust principles across networks and endpoints.
  • Require multi-factor authentication for all user accounts.
  • Enforce secure browsing policies for employees who may use IC3 for official reporting.
  • Consult phishing defense strategy resources for additional controls.
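One way to approach the DNS-monitoring step, as an added example rather than tooling from the FBI or the article: flag queried names that imitate the "ic3" label but do not sit under ic3.gov. The log format, client IPs, the `complaint` subdomain and the `.example` names are constructed; the two lookalike domains are the ones named in the article.

```python
LEGIT = "ic3.gov"   # the real portal named in the article
BRAND = "ic3"       # label the lookalikes imitate

# Constructed sample resolver log: timestamp, client IP, queried name.
SAMPLE_LOG = """\
2025-09-18T10:02:11Z 10.0.4.17 www.ic3.gov
2025-09-18T10:02:40Z 10.0.4.22 icc3.live
2025-09-18T10:03:05Z 10.0.4.22 www.ic3a.com
2025-09-18T10:03:30Z 10.0.4.31 complaint.ic3.gov
2025-09-18T10:04:02Z 10.0.4.40 ic3.gov.report-portal.example
2025-09-18T10:04:45Z 10.0.4.51 mail.example.org
2025-09-18T10:05:10Z 10.0.4.51 epic3d.example
"""

def edit_distance(a, b):
    """Levenshtein distance using two rows of the DP table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # deletion
                           cur[j - 1] + 1,             # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]

def is_lookalike(qname):
    name = qname.lower().rstrip(".")
    if name == LEGIT or name.endswith("." + LEGIT):
        return False  # the genuine portal or a subdomain of it
    # Test each DNS label and each hyphen-separated piece of a label.
    tokens = [t for label in name.split(".") for t in label.split("-")]
    # Requiring the digit keeps ordinary words such as "ice" from matching.
    return any(len(t) >= 3 and "3" in t and edit_distance(t, BRAND) <= 1
               for t in tokens)

def suspicious_queries(log_text):
    """Return (client, qname) pairs whose query name imitates the brand."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) == 3 and is_lookalike(fields[2]):
            hits.append((fields[1], fields[2]))
    return hits

if __name__ == "__main__":
    for client, qname in suspicious_queries(SAMPLE_LOG):
        print(f"{client} queried lookalike {qname}")
```

Because the brand is only three characters, expect some noise on real traffic; an allowlist of known-good names is the usual tuning step.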

The spoofing of high-value government portals reflects a broader trend in which threat actors exploit institutional trust to harvest data. As more public services move online, attackers gain opportunities to cloak malicious activity behind official logos and domains. Campaigns like this erode public confidence and could deter victims from reporting cybercrime altogether.

Security leaders must treat impersonation risks as part of their enterprise threat modeling, ensuring employees can quickly and reliably verify government websites. As the FBI cautions, vigilance and direct navigation remain essential defenses against a rising wave of spoofed portals.

As phishing tactics evolve, attackers are increasingly leveraging AI-powered tools to craft more convincing lures, raising the stakes for organizations and individuals alike.


Ken Underhill is an award-winning cybersecurity professional, bestselling author, and seasoned IT professional. He holds a graduate degree in cybersecurity and information assurance from Western Governors University and brings years of hands-on experience to the field.
