A notorious phishing service that supplied cybercriminals with phishing kits, scam pages, and stolen credentials has been disrupted by a joint operation involving Malaysian, Australian, and U.S. authorities. 

BulletProftLink, also known as a phishing-as-a-service (PhaaS) platform, had been operating for several years and had a large customer base that engaged in various forms of online fraud, posing a serious threat to both individuals and businesses.

International Cooperation in Action

The operation resulted in the arrest of eight suspects, aged between 29 and 56, including a key figure at 36. 

The Royal Malaysian Police Inspector-General Tan Sri Razarudin Husain announced the success of the operation on Nov. 8, 2023.

He revealed the seizure of servers, computers, jewelry, vehicles, and cryptocurrency wallets containing around 1 million Malaysian ringgit (approximately US $213,000), reads the Intel471 report.

Royal Malaysian Police posted a video of a press conference describing a policing operation that dismantled a phishing syndicate on TikTok on Nov. 8, 2023.

dashboard statistics on the BulletProftLink website

The Australian Federal Police and the U.S. FBI provided vital assistance in this significant takedown.

BulletProftLink was known for its durability and popularity, offering a range of services, including phishing kits, scam page templates, and automated solutions through single-payment or subscription models.


Protect Your Storage With SafeGuard

StorageGuard scans, detects, and fixes security misconfigurations and vulnerabilities across hundreds of storage and backup devices.

The service catered to a wide clientele involved in various fraudulent activities, highlighting the importance of initial access brokering in cybercrime.

The threat actor behind BulletProftLink, identified as AnthraxBP (also known as TheGreenMY and AnthraxLinkers), displayed notable lapses in operational security. 

Both AnthraxBP and the developers of BulletProftLink made mistakes that allowed cybersecurity professionals to uncover real-world identities, addresses, and even family details through publicly available information.

Operational security lapses extended to the BulletProftLink developers, who posted code related to the phishing operation on public platforms like GitHub. 

Disgruntled customers further compromised security by revealing Bitcoin addresses used for payments, exposing invoices, and even disclosing the age of one customer, who was just 15 years old.

BulletProftLink’s extensive impact is evident in its statistics, boasting over 8,138 active clients and 327 phishing page templates as of April 2023. 

The phishing templates covered a wide range, targeting organizations such as Microsoft Office, DHL, Naver, American Express, Bank of America, Consumer Credit Union, and Royal Bank of Canada.

Evolving Tactics

The article also reveals the evolving tactics of BulletProftLink, including the integration of the Evilginx2 source code into its inventory. 

This addition enabled the threat actors to conduct adversary-in-the-middle (AITM) phishing attacks, capturing not only login credentials but also session tokens, presenting a heightened risk for enterprises by bypassing multifactor authentication.

The international response to BulletProftLink’s activities underscores the importance of coordinated law enforcement efforts in tackling cybercrime. 

This successful operation, led by the Royal Malaysian Police, serves as a major step in dismantling a major player in the cybercrime-as-a-service landscape, ultimately contributing to a safer online environment.

Patch Manager Plus, the one-stop solution for automated updates of over 850 third-party applications: Try Free Trial.

Leave a Reply

Your email address will not be published. Required fields are marked *