How lucrative is being a phishing service operator? How the facade of his professional life look like? Today, we review how much money can be made with phishing in merely two years and how large the Bulletproftlink operation is.

This is a multipart article. In the last part of the series (Part 1, Part 2), we look into the life of a professional bulletproof server hosting owner and the scale of his phishing operation.

Professional life

In the previous parts of this series, we established that Adrian Katong appear to have close ties with Anthrax Linkers, an adversary group running phishing operations. We also found that Bulletproftlink (also tied to Anthrax Linkers) is a webshop offering various phishing products and bulletproof hosting services.

According to Mr Katong’s public LinkedIn profile, he claims to be the CEO of a company named ‘BPL Hosting’. As we did not manage to find any legitimate business running under this name, we assume that ‘BPL’ likely stands for ‘BulletProftLink’.

Adrian Katong works in Sabah, Malaysia for 'BPL Hosting'. His previous employer was 'Next Point Solution'.
Mr Katong is the CEO of 'BPL Hosting' according to his LinkedIn page.

The profile page also reveals that Mr Katong works in Sabah, Malaysia. Remember the ties to 7Heaven LLC ( in Kyiv, Ukraine? Adrian Katong merely relies on no-questions-asked server hosting providers from Ukraine for his phishing services, but he runs his business from Malaysia.

According to his work history, he worked for ‘Nexus Point Solution’ between 2013 and 2017. His responsibilities included the ‘maintenance and operation of large networks and computer systems’ meaning Mr Katong has the technical skills as well as experience to operate a business like Bulletproftlink.

A luxurious lifestyle

Mr Katong and his family have a relatively public life on social media, allowing us to peek into the personal life of the owner of a phishing service operator.

According to the public social media, Mr Katong purchased several cars in the past few years, including two heavily-customised compact cars, a Toyota family car. As one of his hobbies is motorbikes, he purchased a Kawasaki Vulcan 900 Classic motorbike in 2019.

Mr Katong's heavily-customised compact car. Mr Katong's heavily-customised compact car. A new family car purchased in 2020. A second heavily-customised car also in the possession of Mr Katong. Motorbike purchase in late 2019. Mr Katong and his brand-new Kawasaki motorbike.
Mr Katong is the owner of several vehicles.

Mr Katong also likes to treat his family well, as he likes to spoil his spouse with luxury items such as designer wear and jewellery according to the photos on his Facebook page.

Evidence of splurges on designer clothes and shoes. Purchase of jewellery items. An invoice from the wife's page showing the total sum.
Social media evidence of spending on luxury.

Adrian Katong seem to spend some serious cash on tech gadgets as well. He purchased a drone, a new computer and a surveillance system recently according to the following public posts on Facebook.

Brand new drone gadget. New computer and a surveillance system. Evidence of a recencomputer upgrade.
Recent tech purchases of Mr Katong.

Per other social media posts, the family took extravagant trips to Thailand and the Maldives in the past couple of years.

A relaxing trip to the Maldives.
A relaxing trip to the Maldives.

Lastly, a new family house is being built this year in parallel with these splurges from above.

The ongoing construction of the new family house. The ongoing construction of the new family house. The progress of the construction as shown by Mr Katong's spouse. The progress of the construction as shown by Mr Katong's spouse.
The new property is under construction in 2020.

According to public data, we found no evidence that the person claiming to be Mr Katong had any second source of income apart from his own IT operation. In other words, all these binges are all presumably financed by Mr Katong’s CEO ‘salary’ at BPL hosting.

We also could not help but notice that these purchases were all made in 2019 and 2020. As a reminder, Bulletproftlink is coincidentally offering its illegitimate services since mid-2018 according to Internet Archive records.

The sheer scale of the operation

At the time of writing, the scam business at Bulletproftlink is flourishing. The webshop currently features 108 phishing page templates in total up for sale and ready for self-hosting.

The Bulletproftlink password capturing infrastructure includes the following endpoints:

Each password capturing endpoint is associated with a 50-300 fake login pages sending the stolen credentials back to one of these domain names. The phishing pages are typically hosted on the Google Cloud Storage platform.

Random examples

For example, the endpoint has been seen capturing passwords for at least one-hundred phishing pages according to The actual number is probably higher.

The endpoint '' is capturing passwords for over one-hundred fake login pages.
The endpoint '' is capturing passwords for over one-hundred fake login pages.

The domain seem to be associated with over 370 phishing pages waiting for the victims to hand over their login credentials unwittingly.

The endpoint '' is capturing passwords for over three-hundred fake login pages.
The endpoint '' is capturing passwords for over three-hundred fake login pages.

At the end of this article, we list all password capturing URIs and all phishing page links we managed to track down.

Further phishing domains

Beside the Anthrax Linkers alter-ego, someone also registered a large number of domain names in the past with the [email protected] email address. By searching in public WHOIS records, we identified over a 100 domain names featuring this email address as a contact person.

A large number of domain names registered with Adrian Katong's personal email address.
A large number of domain names registered with Adrian Katong's personal email address.

The issue is that these domain names are also associated with phishing activity. For example, and were both serving deceptive login pages respectively - according to Maltiverse and this blog.


By going through the social media posts of the last ten years of someone claiming to be ‘Adrian Katong’ on Facebook, we could not help but notice how a smart and talented computer-enthusiast had slowly turned to cybercrime over the years. The man showed genuine interest in computer security and programming, but he ended up wasting his talent as a phishing service operator selling bulletproof hosting for $800 per month.

Although this hacker’s story may be saddening, let’s not forget the large number of victims whose life turned into hell. The victims’ login passwords likely ended up on the black market for just a few dollars a pop. For instance, the Bulletproftlink ICQ group chat is currently having 1,618 members - all potential buyers of the stolen passwords and the Bulletproftlink phishing services.

A phishing page stealing Adobe login credentials. A phishing page stealing OneDrive login credentials. A phishing page stealing Office 365 login credentials. A phishing page stealing Wells Fargo login credentials.
A small sample of Bulletproftlink's phishing operation facilitating identity theft.

As a reminder, the Bulletproftlink services are targeting personal mailboxes and online banking services - both are common ingredients of identity theft. According to the Department of Home Affairs (AU), victims of identity theft lose $4,101 on average, with losses ranging between $1 and $310,000. Apart from financial loss, victims tend to suffer a significant amount of emotional distress as well.

In parallel with the publication of this article, links to the series are sent to the authorities at the FBI Internet Crime Complaint Center (IC3) and MyCERT.


Public social media profiles of the individual claiming to be ‘Adrian Katong’ from ‘Anthrax Linkers’ and ‘Bulletproftlink’:

Email addresses:

Other communication channels:

Telegram: @anthraxlinkers
Jabber: [email protected]
ICQ: 670672280
ICQ: anthraxlinkers
ICQ: anthraxlinkers2
ICQ group chat:
Skype: live:7d2efe75c20f7e74

Scam operation websites:

Home address (unconfirmed):

(available upon request for the relevant cybercrime authorities)

Domains names registered by Adrian Katong:

Password capturing endpoint URIs:

Phishing pages hosted on Google Cloud Storage:[email protected][email protected][email protected]&c=E,1,D-mbr8j2aMXCSvaFnTpZnMlmqeu9Mm_CK_MgNfsaI0D25UFam8VcpGt5S2r8oJzbSPxLFeZG3iK1pS8DypW47BwAkUZ3wGrsqTbDjP0-uVcGxA,,&typo=1[email protected][email protected][email protected][email protected][email protected][email protected][email protected][email protected][email protected]