
Global GovTrap campaign exposes 11,000 portals
Threat intelligence firm CTM360 has identified GovTrap, a massive operation using over 11,000 fraudulent government portals to exploit citizens globally.
Identification of the GovTrap operation
In a report published within the last 24 hours, threat intelligence firm CTM360 detailed the discovery of 'GovTrap,' a massive, globally distributed network of fraudulent websites. The operation comprises more than 11,000 malicious domains specifically engineered to impersonate government entities. Unlike isolated phishing attempts, GovTrap functions as a scalable fraud ecosystem, enabling threat actors to deploy convincing replicas of official state portals across multiple jurisdictions simultaneously. The scale of the campaign suggests a highly organized effort to harvest sensitive citizen data and facilitate direct financial theft.
Technical execution and replication
GovTrap attackers replicate entire government service environments to ensure their fraudulent platforms are visually indistinguishable from legitimate government assets. The research indicates that these portals meticulously reproduce official branding, language, workflows, and service structures of actual government services. Portals are localized by country, with messaging, language, and references to local policies and deadlines tailored to each target region. This level of technical fidelity is designed to bypass the traditional skepticism users might have toward poorly designed phishing sites.
Targeted services and victim profile
The campaign focuses on services where financial transactions are common. Primary targets include portals for tax reporting, payment of traffic fines, and vehicle registration, as well as social benefit platforms. By positioning themselves at the point of payment or data submission, attackers can intercept credit card details and personal identification information. The geographic reach of GovTrap is extensive, affecting citizens across North America, Oceania, Europe, and Asia. Victims are typically directed to these sites via coordinated SMS campaigns, email phishing, and social media platforms, with messages engineered to create a sense of urgency - such as an 'overdue fine' or 'expired license' notification.
Infrastructure and persistence
The infrastructure supporting GovTrap is characterized by its resilience. CTM360 found that the network relies on low-cost, easily accessible hosting and rapidly registers and deploys new domains daily to evade blacklisting by security software. Rather than relying exclusively on country-code top-level domains (ccTLDs), the campaign leverages a broad mix of TLDs including .me, .com, .cc, .vip, and .icu - chosen for their low cost and ease of registration - to enhance perceived legitimacy. Furthermore, the campaign employs localized language translation, ensuring that the fraudulent experience remains consistent for non-English speaking victims. The researchers noted that harvested data is exfiltrated in real time via automated scripts to attacker-controlled servers or transmitted through messaging platforms such as Telegram bots, enabling immediate exploitation of the compromised information.
Strategic implications for digital trust
The emergence of GovTrap signals an evolution in the threat landscape where criminals are no longer just targeting commercial brands but are systematically undermining the digital interface between the state and its citizens. This systematic impersonation of public infrastructure poses a significant risk to the integrity of digital government initiatives. As more public services move exclusively online, the existence of 11,000 fake portals creates an environment where the burden of verification is shifted onto the individual citizen, who may lack the technical tools to differentiate between a legitimate government server and a GovTrap node.
Recommendations for mitigation
To counter the GovTrap network, CTM360 advocates for a proactive, intelligence-driven approach that goes beyond reactive takedowns. This includes continuous monitoring of domain activity, phishing infrastructure, and impersonation patterns across the full fraud lifecycle - from resource development and distribution to monetization. Governments are encouraged to invest in visibility across the entire threat ecosystem rather than responding only to individual fraudulent sites. For citizens, the primary defense remains careful verification of URLs and official communications before entering any sensitive data, along with a healthy skepticism toward unsolicited messages referencing fines, fees, or urgent compliance requirements.
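The domain monitoring described above can be sketched as a triage pass over a feed of newly observed hostnames. This is an added example, not CTM360's tooling: the official suffixes, government tokens, scoring weights, threshold and sample feed are all assumptions made for illustration, while the TLD list and service themes are taken from the report as summarized here.

```python
import re

# TLDs the article lists for the campaign; weak signal alone (.com is included).
LOW_COST_TLDS = {"me", "com", "cc", "vip", "icu"}
# Assumption: suffixes reserved for the governments being protected.
OFFICIAL_SUFFIXES = (".gov", ".gov.uk", ".gov.au")
# Assumption: tokens that claim government status inside a hostname.
GOV_TOKENS = {"gov", "govt", "government"}
# Service themes the article says are targeted.
SERVICE_TOKENS = {"tax", "fine", "fines", "vehicle", "registration",
                  "license", "licence", "benefit", "benefits"}
NEW_DOMAIN_DAYS = 7   # assumption: window that counts as "newly registered"
THRESHOLD = 4         # assumption: score at which an analyst reviews the host


def triage(domain, age_days):
    """Return (score, reasons) for one newly observed hostname."""
    host = domain.lower().rstrip(".")
    if host.endswith(OFFICIAL_SUFFIXES):
        return 0, ["official suffix"]
    tokens = re.split(r"[.\-_]", host)
    tld, labels = tokens[-1], set(tokens[:-1])
    score, reasons = 0, []
    if labels & GOV_TOKENS:  # e.g. "gov" used as a subdomain or hyphenated word
        score += 3
        reasons.append("government token outside official suffix")
    if labels & SERVICE_TOKENS:
        score += 2
        reasons.append("targeted service keyword")
    if tld in LOW_COST_TLDS:
        score += 1
        reasons.append("TLD named in report")
    if age_days <= NEW_DOMAIN_DAYS:
        score += 1
        reasons.append("recently registered")
    return score, reasons


def flag_feed(feed):
    """Return hostnames from (domain, age_days) pairs that reach THRESHOLD."""
    return [d for d, age in feed if triage(d, age)[0] >= THRESHOLD]


# Constructed sample feed (not real indicators).
SAMPLE_FEED = [("gov-traffic-fine-pay.icu", 1), ("vehicle-registration-govt.vip", 2),
               ("service.gov.portal-login.cc", 30), ("tax.example-revenue.gov", 900),
               ("refinery-tours.com", 3)]

if __name__ == "__main__":
    for name, age in SAMPLE_FEED:
        print(name, *triage(name, age))
```

Matching whole tokens rather than substrings keeps a name like "refinery" from counting as a "fine" keyword, and the combined score keeps a common TLD such as .com from flagging a host on its own.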
Key takeaways
- CTM360 researchers identified more than 11,000 distinct fraudulent government portals operating as part of a coordinated global campaign named GovTrap.
- The operation deploys high-fidelity replicas of official government portals, localized by country in language, branding, and service structure, to facilitate financial and data theft.
- Attackers primarily target high-traffic services including tax filings, traffic fine payments, vehicle registration, and social benefit platforms.
- GovTrap campaigns are distributed via SMS, email phishing, and social media platforms, using urgency-driven messaging such as overdue fines or expired licenses.
- The infrastructure relies on a mix of low-cost TLDs (.me, .com, .cc, .vip, .icu), with new domains registered daily to evade blacklisting - making the ecosystem highly scalable and difficult to contain.
- Harvested data is exfiltrated in real time through automated scripts and messaging platforms such as Telegram bots, enabling immediate exploitation.
- The campaign has significant reach across North America, Oceania, Europe, and Asia.
- GovTrap represents a systematic shift toward industrial-scale impersonation of state-level digital infrastructure, posing a direct threat to public trust in online government services.
Sources
- The Hacker News, "CTM360 GovTrap report": https://thehackernews.com/expert-insights/2026/04/ctm360-exposes-global-govtrap-campaign.html
- CTM360, "GovTrap full threat report": https://www.ctm360.com/reports/government-impersonation-phishing-govtrap-scams
- CTM360, "Cybersecurity reports overview": https://www.ctm360.com/cybersecurity-reports

