Threat intelligence firm CTM360 has published a comprehensive analysis revealing one of the most extensive government impersonation campaigns ever documented — a global operation deploying over 11,000 fake government portals to deceive citizens across dozens of countries into surrendering sensitive personal and financial information.

“The scale of this campaign is unlike anything we have seen. These are not crude phishing pages — they are sophisticated, localized replicas of legitimate government services, complete with functional UI, local language support, and SSL certificates.”
— CTM360 Threat Intelligence Report

How the GovTrap Campaign Works

The GovTrap campaign operates by creating pixel-perfect replicas of government service portals — including tax agencies, social benefit offices, vehicle registration authorities, and immigration departments. Victims are directed to these sites through search engine manipulation, social media ads, SMS phishing (smishing), and email campaigns that appear to originate from official government sources.

Once on the fake portal, victims are prompted to submit personal identification numbers, tax file numbers, banking details, and in some cases, full identity documentation. In a particularly alarming technique identified by CTM360, many portals also prompt users to install a “secure government app” — which is in fact malware designed for persistent device access and credential harvesting.

Scale and Geographic Reach

The campaign has been identified across more than 90 countries, with particular concentration in:

• South and Southeast Asia — government benefit and tax portals
• Eastern Europe — immigration, vehicle registration, and utility payment portals
• Latin America — tax authority and social security service impersonation
• Middle East — government identity and residency service portals
• Western Europe and North America — targeted high-value attacks on tax and healthcare portals

CTM360 estimates that the 11,000+ active fake portals represent only a fraction of the overall infrastructure, with many additional domains registered in advance and ready to be activated. The operation appears to be centrally coordinated, sharing common backend infrastructure, templating systems, and cryptocurrency collection addresses.

Who Is Behind GovTrap?

Attribution remains incomplete, but CTM360’s analysis points to a sophisticated, financially motivated threat actor — likely a criminal organization rather than a nation-state. The operation’s infrastructure shows evidence of professional outsourcing: web development contracts on dark web forums, translation services for localization, and affiliate payment structures for distributing traffic to the fake portals.

Law enforcement agencies in the EU, UK, Australia, and the United States have been notified. Domain takedown requests are underway, but the operators’ use of bulletproof hosting and rapid domain cycling makes sustained enforcement difficult.

How to Protect Yourself

Forensic Fraud News recommends the following steps to protect against GovTrap-style campaigns:

• Always navigate to government websites by typing the official URL directly — never click links in emails, SMS, or social media ads
• Verify the domain carefully — government sites use country-specific domains (.gov, .gov.uk, .gov.au) and never use free hosting services
• Do not install software prompted by any government portal that you did not navigate to yourself
• If you have submitted information to a suspicious portal, contact your national cybercrime agency immediately
• Enable two-factor authentication on all financial and government-linked accounts

The full CTM360 GovTrap intelligence report is available through their threat intelligence portal. Forensic Fraud News will continue to monitor and report on enforcement developments.