Operation TrustTrap Uncovers 16,800 Fake Domains Targeting User Data

Operation TrustTrap Uncovers 16,800 Fake Domains Targeting User Data

First seen 29 Apr 2026, 18:33 UTC ThecyberexpressScworld 79% similarity 70.6

Article Content

Browse articles
ThreatCluster

Cyble Research and Intelligence Labs (CRIL) has identified Operation TrustTrap, a significant domain spoofing campaign involving over 16,800 fraudulent domains that mimic legitimate U.S. government portals, particularly those related to transportation services. This operation, which began in early 2026, aims to harvest sensitive user data through credential and payment card phishing. Attackers utilized subdomain trust injection techniques, embedding government-like tokens in subdomains to deceive users. Most of the malicious domains were hosted on Tencent Cloud and Alibaba Cloud APAC, and they often used top-level domains such as .cc, .cfd, and .bond to evade detection. While primarily targeting the U.S., the campaign also impersonated government portals in the UK, India, and Vietnam. Researchers have linked the operation to the Pakistan-based threat group APT36, also known as Transparent Tribe. The complexity of the attack lies not in advanced hacking techniques but in exploiting human cognitive biases regarding URL interpretation.

Key Points: • Operation TrustTrap involves over 16,800 fake domains targeting U.S. government services. • Attackers used subdomain trust injection to deceive users into providing sensitive information. • The campaign is linked to the Pakistan-based threat group APT36.

ThreatCluster AI

Timeline

2026-01-01
Operation TrustTrap tracking began by CRIL
2026-04-27
Thecyberexpress article published detailing the operation
2026-04-29
Scworld article published summarizing the findings

Community

Browse all →