New Global GovTrap Scam Uses 11,000 Phony Logins To Steal Data
By 813 Staff

The campaign was switched on by an infrastructure-level actor, likely operating out of Eastern Europe, sometime in late 2024. By the time security researchers at The Hacker News (@TheHackersNews) published their report on April 27, 2026, the campaign — now dubbed GovTrap by analysts — had already spun up more than 11,000 fraudulent government portal domains. Internal documents circulating among threat intelligence teams show the operation targeted citizens in at least 12 countries, including the United States, the United Kingdom, Germany, and India. The fake portals mimicked official tax, social security, and driver’s licensing sites with near-perfect fidelity, down to valid SSL certificates and localized language support.
Engineers tracking GovTrap say the scam relied on two primary infection vectors: malvertising placed in search engine results for common government services, and spear-phishing emails that impersonated official notices. Once a victim landed on a fake portal and entered credentials or payment information, the data was exfiltrated to a rotating pool of compromised cloud servers. Takedown efforts by law enforcement have been anything but smooth. Despite takedown requests, many of the domains remain active, hosted on bulletproof providers that ignore standard abuse reporting channels. The group behind GovTrap appears to have prioritized longevity over volume: each fake site operates on a unique IP range, and many feature CAPTCHA challenges to block automated scanning.
Why this matters for subscribers should be obvious. This is not a scattered phishing ring — it is a structured, industrial-scale identity harvesting operation. For the typical working professional who logs into the IRS portal or the DMV online system six times a year, the difference between a real government site and a GovTrap replica is nearly invisible without inspecting the digital certificate chain. The Hacker News report estimates the operation has already compromised over 200,000 accounts, though that number is likely conservative.
What happens next remains uncertain. Law enforcement agencies in the affected countries have acknowledged the threat but have not yet coordinated a large-scale domain seizure. Expect formal advisories from the FBI and Europol within the next two weeks. In the meantime, security teams should update their DNS filtering policies and advise employees to manually type government URLs rather than clicking search results. The infrastructure behind GovTrap is still live, and the group shows no signs of shutting down on their own.
Source: https://x.com/TheHackersNews/status/2048696894889840720
