Phishing Kits & PhaaS

What Is LabHost?


LabHost was a phishing-as-a-service (PhaaS) platform that operated from 2021 until its disruption in April 2024. It provided a subscription-based end-to-end phishing service enabling cybercriminals to launch phishing campaigns using a variety of phishing kits for banks and financial services across North America. The platform defrauded approximately 1 million victims across 91 countries, resulting in financial losses exceeding £100 million ($132 million USD), according to Europol's April 2024 statement. Created and maintained by Zak Coyne, a 24-year-old from the UK, LabHost was distinguished by its LabRat campaign management tool specifically designed to capture two-factor authentication (2FA) codes in real-time, enabling attackers to bypass enhanced security measures that typically protect against credential theft.

How Does LabHost work?

LabHost operated as a subscription service with two pricing tiers: a Standard Plan at $179 per month and a Premium Plan at $249 per month, generating approximately $1,173,000 in total subscription revenue over its operational lifespan according to Crown Prosecution Service documents from April 2025. The platform provided customers with access to over 170 pre-built, convincing fake websites (templates) designed to mimic major banks and financial services, as documented by Bleeping Computer in April 2024.

The platform's core functionality centered on its LabRat campaign management tool, which allowed operators to monitor and control attacks in real-time. According to Intel 471's analysis, LabRat captured both credentials and two-factor authentication (2FA) codes as victims entered them, enabling attackers to bypass multi-factor authentication protections. The dashboard provided real-time victim monitoring and data capture capabilities, allowing attackers to see credential submissions as they occurred.

Integration with external infrastructure required customers to enter the IP address, username, and password of their virtual private servers (VPS) to link the VPS to their phishing pages, according to Trend Micro's analysis of the platform. This architecture distributed the hosting burden to individual subscribers while maintaining centralized control through the LabRat backend.

The platform infrastructure supported approximately 40,000-42,000 phishing domains identified by the FBI in April 2024. Between 2021 and April 2024, LabHost facilitated the theft of 480,000 credit cards, 64,000 PINs, and over 1 million passwords, according to CNN's reporting on the law enforcement operation. At its peak, the platform maintained approximately 10,000 registered customers with roughly 2,000 active users, as documented in Europol's April 2024 statement.

How Does LabHost differ from other phishing platforms?

| Feature | LabHost | Darcula | Lucid |
|---|---|---|---|
| Primary Delivery Channel | Email-based phishing | iMessage/RCS smishing | iMessage/RCS smishing |
| Subscription Model | $179-$249/month (fixed tiers) | Per-operator pricing | Weekly licensing |
| Template Library | 170+ pre-built sites | 600+ (with GenAI) | 1,000+ domains |
| 2FA Bypass Capability | LabRat tool (real-time capture) | Character-by-character streaming | Admin panel monitoring |
| Active Customer Base | 2,000 (at takedown, Apr 2024) | 600+ operators | 2,000 Telegram members |
| Operational Period | 2021-2024 (3 years) | 2023-present | Mid-2023-present |
| Geographic Focus | North American financial institutions | Global (100+ countries) | 88 countries |
| Data Theft Volume | 480K cards, 1M+ passwords | 884K cards (7 months) | Not specified |
| Status | Disrupted April 2024 | Active as of 2025 | Active as of 2025 |

LabHost's primary distinction was its all-inclusive subscription model providing hosting, templates, and real-time monitoring through a single service. According to Intel 471, the platform required less technical expertise than do-it-yourself phishing operations while offering capabilities comparable to more complex PhaaS platforms. The LabRat tool's specific focus on capturing 2FA codes in real-time distinguished it from many competing platforms that only captured initial credentials, according to The Hacker News reporting from April 2024.

Why Does LabHost matter?

LabHost represented a significant evolution in the commodification of cybercrime. The platform democratized sophisticated phishing attacks by eliminating technical barriers to entry, according to Europol's analysis. Criminals with minimal technical skills could launch professional-grade phishing campaigns targeting major financial institutions at a relatively low monthly cost.

The scale of victim impact demonstrated the effectiveness of the PhaaS model. With 1 million victims across 91 countries and total losses exceeding £100 million, according to Europol's April 2024 statement, LabHost facilitated financial crime at a scale that would have required substantial technical infrastructure and expertise in previous eras. The platform's operational period of approximately three years indicated sustained profitability and demonstrated the viability of subscription-based cybercrime services.

The LabRat tool's 2FA bypass capability highlighted an important security gap. According to Intel 471, many organizations implemented two-factor authentication believing it would prevent credential theft, but LabHost's real-time capture capability rendered this protection ineffective against phishing attacks. This forced security teams to recognize that 2FA, while valuable, is not phishing-resistant unless implemented with hardware security keys or other advanced methods.

The international law enforcement response to LabHost set an important precedent. The April 2024 coordinated takedown involved 19 countries, resulted in 37 arrests, and included 70 simultaneous address searches, according to Europol. This demonstrated that international cooperation could disrupt PhaaS platforms despite jurisdictional challenges. On April 14, 2025, Zak Coyne was sentenced to 8.5 years in prison for making or supplying articles for fraud, encouraging or assisting crimes, and transferring criminal property, according to the Crown Prosecution Service.

The platform's disruption provided valuable intelligence. The FBI released a list of 42,000 compromised domains, according to Security Affairs in April 2024, enabling organizations to block known malicious infrastructure and identify potentially compromised accounts. This intelligence sharing benefited the broader security community and demonstrated the value of public-private coordination in combating PhaaS platforms.

What Are LabHost's limitations?

Infrastructure Dependency Creates Visibility

LabHost's reliance on external VPS infrastructure created tracking opportunities for law enforcement. According to Trend Micro's analysis, customers were required to integrate their own virtual private servers by providing credentials to the LabHost platform. This architecture created multiple points of visibility as security researchers and law enforcement could monitor VPS provider activity, identify common configuration patterns, and map the network of LabHost-connected infrastructure. The centralized backend infrastructure represented a single point of failure—once law enforcement identified and seized the core LabHost servers, the entire platform became inoperable.

Template Recognizability Enabled Detection

The platform's 170 pre-built templates, while convenient for attackers, created recognizable patterns that security researchers could identify and catalog. According to Intel 471, these templates targeted a specific set of financial institutions, meaning security teams could develop signatures for LabHost phishing pages and deploy them across email security gateways and web filtering solutions. The limited template count compared to platforms like Darcula (600+) meant LabHost lacked the diversity to evade pattern-based detection at scale.

Payment Infrastructure Left Traceable Evidence

The subscription payment infrastructure proved vulnerable to law enforcement investigation. According to Crown Prosecution Service documents from April 2025, cryptocurrency payment trails ultimately led to Coyne's arrest and conviction. The $1.2 million in subscription revenue generated over the platform's operational period created financial transaction records that, despite cryptocurrency's pseudonymous nature, could be traced through blockchain analysis and exchange cooperation with authorities.

Limited Sector Flexibility Constrained Targeting

LabHost focused predominantly on financial institution templates, limiting its utility for attackers targeting other sectors. According to Bleeping Computer's April 2024 analysis, the platform was optimized for North American banks and financial services rather than offering the broad brand coverage available in competing platforms. This specialization made it easier for financial institutions to develop specific countermeasures and limited the platform's addressable market.

Operator Visibility Compromised Operational Security

Zak Coyne maintained an identifiable online presence and operational footprint that facilitated law enforcement investigation. According to CNN's April 2024 reporting, Coyne was arrested at Manchester Airport during the international coordinated takedown, suggesting authorities had developed sufficient intelligence to predict his movements. The platform's concentrated activity and Coyne's role as primary developer and maintainer meant the operation lacked the distributed structure that might have provided greater resilience against law enforcement action.

How Can organizations defend against LabHost-style attacks?

Email Security and Domain Monitoring

Organizations should deploy advanced phishing filters with machine learning capabilities to identify lookalike domains characteristic of LabHost campaigns. According to Trend Micro, the platform's 40,000+ domains created patterns detectable by modern email security gateways. Implement DNS Security Extensions (DNSSEC) and actively monitor for domain typosquatting and lookalike domains targeting your organization. Email security solutions should inspect SSL certificates for validity, verify that organizational certificates are properly issued by recognized authorities, and flag suspicious certificate characteristics common in phishing infrastructure.

Domain monitoring services should track newly registered domains containing organizational names or brand terms, as LabHost operators frequently registered domains mimicking legitimate financial institutions. According to Intel 471, early detection of these domains enables proactive blocking before phishing campaigns launch.
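As an added illustration (not code from the original article or from any vendor named in it), the following sketch triages a feed of newly registered domains for brand-term, homoglyph, and typo lookalikes. The brand `examplebank`, the allow-list, the sample feed, and the edit-distance threshold of 2 are all constructed assumptions.

```python
import unicodedata

BRANDS = ["examplebank"]           # constructed brand term
LEGITIMATE = {"examplebank.com"}   # constructed allow-list of genuine domains
# Digit and symbol substitutions folded back to the letter they imitate.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "$": "s"})

def to_unicode(domain):
    """Decode punycode (xn--) labels so IDN lookalikes can be compared."""
    try:
        return domain.encode("ascii").decode("idna")
    except UnicodeError:
        return domain

def skeleton(text):
    """Strip accents, fold confusable characters, keep letters and digits."""
    text = unicodedata.normalize("NFKD", text.lower())
    text = "".join(c for c in text if not unicodedata.combining(c))
    text = text.translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")
    return "".join(c for c in text if c.isalnum())

def edit_distance(a, b):
    # Levenshtein distance, computed one row at a time.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(domain):
    """Return why a newly registered domain needs review, or None."""
    name = to_unicode(domain.strip().rstrip(".")).lower()
    if any(name == ok or name.endswith("." + ok) for ok in LEGITIMATE):
        return None
    labels = name.split(".")[:-1]  # drop the TLD; no public-suffix list here
    for brand in BRANDS:
        target = skeleton(brand)
        for label in labels:
            if brand in label:
                return "brand-term"
            if target in skeleton(label):
                return "homoglyph"
            if any(edit_distance(skeleton(t), target) <= 2 for t in label.split("-")):
                return "typo"
    return None

# Constructed feed of newly registered domains (not real indicators).
NEW_DOMAINS = [
    "examplebank-secure-login.com", "examp1ebank.net", "exampelbank.org",
    "exámplebank.com".encode("idna").decode("ascii"),  # IDN as seen in punycode
    "online.examplebank.com", "weather-report.org",
]

def review(domains):
    """Map each flagged domain to the reason it was flagged."""
    return {d: r for d in domains if (r := classify(d))}
```

The edit-distance threshold needs tuning for short brand names, where a distance of 2 matches many unrelated words.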

Phishing-Resistant Multi-Factor Authentication

The LabRat tool's ability to capture 2FA codes demonstrated that SMS-based and app-based authentication can be defeated by sophisticated phishing platforms. According to Intel 471's analysis, organizations should implement hardware security keys using FIDO2/WebAuthn standards for high-value accounts and privileged access. These hardware tokens are resistant to phishing because they validate the domain of the authentication request, preventing credential submission to fraudulent sites even if the phishing page appears identical to the legitimate service.
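The domain validation described above can be seen in the checks a relying party runs on a WebAuthn assertion. The sketch below is an added example, not code from the original article: the origin `https://login.examplebank.com`, the lookalike host, and the simplified `browser_assertion` stand-in are constructed, and signature verification is left out.

```python
import base64, hashlib, hmac, json, struct
from urllib.parse import urlsplit

RP_ID = "login.examplebank.com"                    # constructed relying-party ID
EXPECTED_ORIGIN = "https://login.examplebank.com"  # constructed origin

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def browser_assertion(page_origin, challenge):
    """Simplified stand-in for what browser and authenticator return.

    The browser, not the page, writes the origin into clientDataJSON, and it
    limits the RP ID to the page's own domain (or a parent of it); this
    stand-in simply uses the page's hostname.
    """
    client_data = json.dumps({"type": "webauthn.get",
                              "challenge": b64url(challenge),
                              "origin": page_origin}).encode()
    rp_id = urlsplit(page_origin).hostname
    flags = 0x01 | 0x04                    # user present + user verified
    auth_data = (hashlib.sha256(rp_id.encode()).digest()
                 + bytes([flags]) + struct.pack(">I", 1))
    return client_data, auth_data

def verify_binding(client_data_json, auth_data, expected_challenge):
    """Return the failed relying-party checks (empty list means pass).

    A full verifier also checks the signature over
    authData || SHA-256(clientDataJSON) with the registered public key,
    which stops a relay from rewriting the origin field.
    """
    failures = []
    data = json.loads(client_data_json)
    if data.get("type") != "webauthn.get":
        failures.append("type")
    sent = str(data.get("challenge", "")).encode()
    if not hmac.compare_digest(sent, b64url(expected_challenge).encode()):
        failures.append("challenge")
    if data.get("origin") != EXPECTED_ORIGIN:
        failures.append("origin")
    if len(auth_data) < 37:                # rpIdHash(32) + flags(1) + counter(4)
        return failures + ["authData"]
    expected_hash = hashlib.sha256(RP_ID.encode()).digest()
    if not hmac.compare_digest(auth_data[:32], expected_hash):
        failures.append("rpIdHash")
    if not auth_data[32] & 0x01:
        failures.append("user-present")
    return failures

def demo():
    """Run a genuine, a lookalike-origin and a stale-challenge assertion."""
    challenge = hashlib.sha256(b"constructed server nonce").digest()
    lookalike = "https://login.examplebank.com.verify.example"
    return {
        "genuine": verify_binding(*browser_assertion(EXPECTED_ORIGIN, challenge), challenge),
        "lookalike": verify_binding(*browser_assertion(lookalike, challenge), challenge),
        "stale": verify_binding(*browser_assertion(EXPECTED_ORIGIN, b"earlier session"), challenge),
    }
```

A one-time code typed by the user carries no origin or RP ID field, which is why it verifies no matter which site collected it.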

For administrative and privileged accounts, hardware MFA should be mandatory rather than optional. According to Crown Prosecution Service guidance, organizations that enforced hardware MFA experienced significantly lower successful account compromise rates even when employees clicked phishing links and attempted to authenticate.

User Education and Awareness Training

Training programs should educate employees to identify phishing sites through multiple verification methods. According to Trend Micro, users should inspect SSL certificates for valid organizational certificates (not just the presence of HTTPS), verify exact domain names rather than relying on visual similarity, and recognize that legitimate services will not request 2FA codes through unexpected communication channels.

Real-time warning systems should alert users about unsecured communication channels and unexpected authentication requests. Organizations should emphasize that legitimate 2FA flows will never ask users to provide authentication codes in messages, emails, or through customer support calls.

Conditional Access and Behavioral Monitoring

Implement conditional access policies that flag unusual login patterns characteristic of credential compromise. Following Intel 471's guidance, monitor for logins from unusual geographic locations, new devices, or impossible travel scenarios (authentication from two distant locations within an implausible timeframe). When anomalous patterns are detected, require additional verification before granting access.
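A minimal version of the impossible-travel and new-device checks, as an added example rather than code from the original article. The login events are constructed, and the 900 km/h speed ceiling and 50 km jitter floor are assumed thresholds.

```python
import math
from datetime import datetime

MAX_KMH = 900.0   # assumed ceiling, roughly airliner cruise speed
MIN_KM = 50.0     # assumed floor that ignores IP-geolocation jitter

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlat, dlon = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dlat / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def review_logins(events):
    """Return (user, time, reasons) for logins that need step-up verification."""
    last_seen, devices, alerts = {}, {}, []
    for ev in sorted(events, key=lambda e: e["time"]):
        reasons = []
        prev = last_seen.get(ev["user"])
        if prev:
            km = haversine_km(prev["lat"], prev["lon"], ev["lat"], ev["lon"])
            hours = (ev["time"] - prev["time"]).total_seconds() / 3600
            if km > MIN_KM and (hours <= 0 or km / hours > MAX_KMH):
                reasons.append("impossible-travel")
        known = devices.setdefault(ev["user"], set())
        if known and ev["device"] not in known:
            reasons.append("new-device")
        known.add(ev["device"])
        last_seen[ev["user"]] = ev
        if reasons:
            alerts.append((ev["user"], ev["time"].isoformat(), reasons))
    return alerts

# Constructed login events: alice's second login is 20 minutes after the
# first and about 6,000 km away; bob's second login is 14 hours later.
LOGINS = [
    {"user": "alice", "time": datetime(2024, 4, 1, 9, 0),
     "lat": 43.65, "lon": -79.38, "device": "laptop-1"},
    {"user": "alice", "time": datetime(2024, 4, 1, 9, 20),
     "lat": 52.37, "lon": 4.90, "device": "browser-x"},
    {"user": "bob", "time": datetime(2024, 4, 1, 8, 0),
     "lat": 41.88, "lon": -87.63, "device": "phone-7"},
    {"user": "bob", "time": datetime(2024, 4, 1, 22, 0),
     "lat": 51.51, "lon": -0.13, "device": "phone-7"},
]

if __name__ == "__main__":
    for user, when, reasons in review_logins(LOGINS):
        print(user, when, ", ".join(reasons))
```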

Monitor payment systems and financial accounts for unauthorized access attempts or unusual transaction patterns that might indicate credentials compromised through LabHost-style attacks. Rapid detection of anomalous behavior enables organizations to lock accounts and force password resets before attackers can cause significant damage.

Threat Intelligence Integration

Organizations should subscribe to threat intelligence feeds tracking PhaaS platform indicators. According to Security Affairs, the FBI released a list of 42,000 domains associated with LabHost following the April 2024 takedown. Security teams should integrate these indicators into email gateways, web proxies, and DNS filtering solutions to block access to known malicious infrastructure.

Report phishing attempts to the FBI's Internet Crime Complaint Center (IC3) and CISA. According to Crown Prosecution Service guidance, law enforcement relies on victim and organizational reporting to build cases against PhaaS operators and identify infrastructure for disruption. Legal frameworks including GDPR and the Computer Fraud and Abuse Act (CFAA) enable cooperation between law enforcement and internet service providers or hosting companies to take down malicious infrastructure.

FAQs

What made LabHost different from other phishing kits?

LabHost's LabRat tool specifically captured 2FA codes in real-time, allowing attackers to bypass two-factor authentication—a capability that set it apart from many competing PhaaS platforms, according to Intel 471's analysis. The platform offered an all-inclusive subscription service at $179-$249 per month, providing hosting infrastructure, over 170 pre-built phishing templates for major banks, and a real-time campaign management dashboard. According to The Hacker News reporting from April 2024, this integration made LabHost more streamlined than do-it-yourself phishing operations while requiring significantly less technical expertise from subscribers. The platform's focus on financial institutions and North American targets created a specialized offering within the broader PhaaS market.

How was Zak Coyne identified and arrested?

Coyne was arrested at Manchester Airport on April 14, 2024, during an international coordinated takedown operation involving 19 countries, according to CNN's reporting. Law enforcement identified Coyne through multiple investigative pathways including cryptocurrency payment analysis, subscriber pattern analysis, and digital forensics of the platform infrastructure. According to Crown Prosecution Service documents from April 2025, the investigation traced cryptocurrency transactions from LabHost subscriptions through blockchain analysis and cooperation with cryptocurrency exchanges. The platform's centralized architecture concentrated operational evidence on servers that were seized during the coordinated law enforcement action, providing comprehensive forensic data about the platform's operations, customer base, and financial flows. The arrest at the airport suggests authorities had developed intelligence about Coyne's travel plans, demonstrating thorough operational surveillance preceding the takedown.

How many people lost money to LabHost?

LabHost defrauded approximately 1 million victims across 91 countries, with total losses exceeding £100 million ($132 million USD equivalent), according to Europol's April 2024 statement. According to CNN's reporting, the platform facilitated the theft of 480,000 credit cards, 64,000 PINs, and over 1 million account passwords between 2021 and April 2024. Individual victim losses varied significantly depending on account types compromised, payment methods stolen, and how quickly victims or financial institutions detected the fraud. The platform supported approximately 2,000 active users at the time of disruption, with 10,000 total registered customers over its operational period, according to Europol's analysis.

What happened after LabHost was shut down?

The April 14-17, 2024 international operation resulted in 37 arrests globally and 70 simultaneous address searches across multiple countries, according to Europol. The platform's infrastructure was seized and taken offline, rendering the service inoperable. On April 14, 2025, Zak Coyne was sentenced to 8.5 years in prison by UK courts for making or supplying articles for fraud, encouraging or assisting crimes, and transferring criminal property, according to the Crown Prosecution Service. The FBI released a list of 42,000 domains associated with LabHost to enable organizations to block this infrastructure and identify potentially compromised accounts, according to Security Affairs reporting from April 2024. The service has remained offline since the takedown, though former subscribers may have migrated to competing PhaaS platforms such as Darcula, Lucid, or other services.

Could victims recover their stolen data or losses?

Recovery options for LabHost victims are limited and depend on multiple factors. According to Crown Prosecution Service guidance, victims should report losses to their financial institutions immediately, as many banks have policies to reimburse fraud losses if reported promptly. Local law enforcement agencies should also receive reports to contribute to the investigation record. The FBI and Europol released indicators of compromise including the list of 42,000 domains, but this intelligence primarily helps organizations prevent future attacks rather than recovering losses from past incidents. Individual account recovery depends on financial institution policies, local consumer protection regulations, and whether the victim's bank participated in fraud reimbursement programs. According to Intel 471, stolen credentials sold on dark web markets may continue to circulate even after the platform's disruption, meaning victims should change passwords for all accounts, enable hardware-based MFA where available, and monitor financial accounts for unauthorized activity for at least 12 months following potential compromise.


© 2026 Kinds Security Inc. All rights reserved.
