Scam Campaign Report: whalebank.org Email Infrastructure Abuse
A coordinated scam campaign has been identified operating through the domain whalebank.org, a domain registered on September 2, 2019, through registrar Mesh Digital Limited. The campaign involves a cluster of 378 documented email addresses all hosted under the whalebank.org domain, suggesting that threat actors registered or compromised this domain specifically to generate a large volume of fraudulent email identities. The use of a banking-themed domain name — whalebank.org — is consistent with financial impersonation tactics designed to lend false credibility to communications sent from these addresses.
The 378 email addresses identified in this cluster follow a consistent naming pattern combining common first and last names with numeric suffixes, such as jameskimbrell85@whalebank.org, angiehaase98@whalebank.org, davidreese96@whalebank.org, and sylviajohnson93@whalebank.org. This pattern is characteristic of bulk account generation, where threat actors programmatically create large numbers of addresses to distribute phishing or fraud campaigns across many apparent senders, making it harder for spam filters and investigators to block any single point of contact. The sheer volume of 378 documented addresses, with community reports referencing lists of 1,000 or more leaked addresses under the same domain, indicates the true scale of the infrastructure may be significantly larger than what has been formally documented.
Fifteen cross-entity relationships have been mapped within this cluster, all of the reported_together type, meaning these email addresses have been flagged in conjunction with one another in consumer complaints and reports. Key hub addresses in this network include sylviajohnson93@whalebank.org, briannamay72@whalebank.org, and davidreese96@whalebank.org, each of which appears as a connecting node between multiple other addresses. For example, sylviajohnson93@whalebank.org has been reported alongside virginiathompson100@whalebank.org, orarichardson89@whalebank.org, matthewengebretson93@whalebank.org, and lisettesearchwell87@whalebank.org. Similarly, davidreese96@whalebank.org connects to mallorygriffin79@whalebank.org, gayhaney92@whalebank.org, williamcromwell74@whalebank.org, and lauraschneider82@whalebank.org. All cross-entity relationships carry a confidence score of 0.20, which reflects early-stage but consistent co-reporting across multiple consumer submissions.
Community impact is evidenced by at least three separate reports, each receiving 2 upvotes, identifying lists of 1,000 leaked email addresses associated with this domain. Addresses named repeatedly across these reports include anthonyvargas87@whalebank.org, giselletinney75@whalebank.org, deborahbraden91@whalebank.org, leonardsalles92@whalebank.org, and barbarahershenson85@whalebank.org, among others. The repeated submission of identical or near-identical lists suggests that recipients of fraudulent communications from this domain are actively sharing the information in consumer protection communities, and that the volume of affected individuals is likely in the hundreds to thousands. The banking-themed branding of the domain raises concern that victims may be targeted with financial fraud schemes such as phishing for account credentials, fake loan offers, or advance-fee fraud.
Consumers who receive any email from an address ending in @whalebank.org should treat it as fraudulent and not click any links, open attachments, or provide any personal or financial information. If contacted, do not reply — simply delete the message. To verify whether a domain or email address is associated with known scam activity, consumers can search it on the FTC's scam reporting portal at reportfraud.ftc.gov or check domain reputation through tools such as Google Safe Browsing or the Anti-Phishing Working Group resources. Any contact from these addresses should be reported to the FTC at reportfraud.ftc.gov and, if received via electronic communication platforms, to the FCC as well. Reporting helps authorities identify patterns and take action against the operators of infrastructure like whalebank.org.
This campaign represents a moderate-to-high threat level due to the scale of the email infrastructure, the financial impersonation branding of the domain, and documented community reports confirming active distribution of address lists consistent with phishing or fraud operations. Recommended next steps include escalation to Mesh Digital Limited with a request to suspend or investigate the whalebank.org domain, submission of the full 378-address list to major email abuse databases and spam filter services, and continued monitoring for new address registrations under this domain. Consumers and organizations should add whalebank.org to email blocklists immediately and alert any financial institutions whose customers may be targeted by communications impersonating a bank under this name.