As Southern California continues to battle devastating wildfires, cybercriminals have seized the opportunity to exploit the chaos, targeting vulnerable individuals and organizations.
Researchers from BforeAI and Veriti have uncovered a surge in phishing campaigns and fraudulent activities linked to the disaster, with themes ranging from insurance claims and fundraising to fire department support and restorations.
Multiple phishing campaigns have already surfaced targeting wildfire victims through fake insurance claims, fraudulent fundraising sites and deceptive merchandise stores.
These schemes specifically incorporate language about the LA Fire and relief funds to appear authentic while expanding into cryptocurrency scams and fraudulent GoFundMe campaigns.
Between January 8 and January 13, 119 domains were registered with keywords such as “LA fire,” “relief,” “fund,” and “rebuild,” highlighting their connection to the wildfire disaster.
More than half of these domains (58%) were registered through GoDaddy, followed by platforms like Namecheap and Register. Most domains used “.com” as their top-level domain (TLD), with some opting for “.fund” or other credible-sounding TLDs to enhance their appearance of legitimacy.
The BforeAI report noted that the fraudulent campaigns vary in scope, with researchers identifying at least eight fake GoFundMe campaigns using old images from unrelated events to solicit donations for pets and wildfire victims.
Examples include “Aid Our Recovery from LA Fire Tragedy” and “LA Fire Relief for Vulnerable Animals.”
These campaigns prey on emotions, leveraging social media to reach wide audiences and solicit funds under false pretenses.
Cybercriminals have also launched fake online stores, selling apparel and merchandise purportedly linked to the Los Angeles Fire Department.
The disaster has also spurred an increase in dubious cryptocurrency schemes, including newly minted coins and “pump-and-dump” scams targeting wildfire victims who face financial hardship.
Abu Qureshi, lead for threat intelligence and mitigation at BforeAI, advised organizations to stay proactive by monitoring threat intelligence feeds and alerts specific to phishing campaigns.
“Individuals should be cautious about unsolicited emails, verify URLs before clicking, and rely on official sources,” he said. “Security teams can hunt for disaster-related phishing attempts in real-time.”
He added that predictive intelligence tools can monitor domain registrations and disrupt malicious infrastructure using observed keywords like “LAWildfireRelief” or “DisasterAid2025.”
These domains often exhibit patterns in registration metadata, such as obscure registrants or specific hosting services known for abuse. Collaboration with registrars and threat-sharing organizations can enable proactive blocking, or suspension, of domains before they become active threats.
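The keyword monitoring described above, shown as an added example that is not code from BforeAI or from this article: it flags newly registered domains that pair an event term with a relief theme, so a lone generic word such as "fund" does not trigger an alert. The term lists are drawn from the keywords quoted in the article; the sample feed, the 2025 year and all function names are assumptions.

```python
import re
from datetime import date

# Terms drawn from keywords quoted in the article ("LA fire", "relief", "fund",
# "rebuild", "LAWildfireRelief", "DisasterAid2025"); the split is an assumption.
EVENT_TERMS = ("lafire", "wildfire", "disaster")
THEME_TERMS = ("relief", "fund", "rebuild", "aid")
EVENT_START = date(2025, 1, 8)  # start of the registration window; year assumed

def normalize(label):
    """Lowercase and drop hyphens/digits so 'LA-Fire-2025' becomes 'lafire'."""
    return re.sub(r"[^a-z]", "", label.lower())

def match_terms(domain):
    """Return (event_hits, theme_hits); a TLD such as '.fund' counts as a theme."""
    name, _, tld = domain.lower().rstrip(".").rpartition(".")
    text = normalize(name)
    event = [t for t in EVENT_TERMS if t in text]
    theme = [t for t in THEME_TERMS if t in text or t == tld]
    return event, theme

def triage(records, event_start):
    """Flag domains registered on/after event_start that pair an event term
    with a relief theme; either kind of term alone is not enough."""
    flagged = []
    for domain, registered in records:
        if registered < event_start:
            continue  # predates the disaster, so not an opportunistic registration
        event, theme = match_terms(domain)
        if event and theme:
            flagged.append((domain, sorted(event + theme)))
    return flagged

# Constructed sample feed (not real registration data).
SAMPLE = [
    ("la-fire-relief2025.com", date(2025, 1, 9)),
    ("rebuild-after-wildfire.fund", date(2025, 1, 11)),
    ("disasteraid2025.com", date(2025, 1, 12)),
    ("example-hedgefund.com", date(2025, 1, 10)),         # generic 'fund' only
    ("example-wildfire-relief.org", date(2019, 6, 1)),    # registered years earlier
]

if __name__ == "__main__":
    for domain, terms in triage(SAMPLE, EVENT_START):
        print(domain, terms)
```

Substring matching on a short term like "aid" is noisy on its own, which is why a hit is only raised when an event term is also present; flagged names still need analyst review before any takedown request.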
Qureshi said security teams should prioritize takedowns by identifying fraudulent fundraising pages early and reporting these pages to hosting providers, payment processors and platforms like GoFundMe to ensure swift action.
“Public awareness campaigns play a crucial role — people should know how to verify legitimate fundraising efforts through official channels or charity watchdogs,” he said.
Preventing crypto-related scams, including “pump and dump” schemes targeting vulnerable individuals during disaster recovery, starts with monitoring the rise of new coins or tokens marketed as “relief efforts.”
“Crypto scams thrive on anonymity, so tracing wallet addresses associated with fraudulent campaigns is critical,” Qureshi said.
Partnering with blockchain analysis firms can uncover malicious patterns that link to previous scams.
“Educating the public about the risks of investing in disaster-themed crypto schemes is also vital, emphasizing the need to rely on trusted platforms,” he said.
Stephen Kowski, field CTO at SlashNext Email Security+, said cybercriminals consistently exploit disasters and crises to prey on vulnerable individuals, making this pattern entirely predictable.
“During times of heightened emotion and urgency, threat actors rapidly create deceptive domains and campaigns targeting relief efforts, insurance claims and charitable giving,” he explained.
He added that the speed and sophistication of these attacks continue to increase with each major disaster event.
Kowski explained that crises create perfect conditions for social engineering as victims are emotionally vulnerable, mentally exhausted and desperately seeking assistance.
Bad actors exploit this vulnerability by masquerading as legitimate aid organizations, insurance providers, or government agencies, knowing that normal security precautions may be overlooked in times of distress.
Real-time threat detection becomes critical as these attacks often leverage newly registered domains and sophisticated impersonation techniques designed to appear legitimate to those seeking urgent help.
“The rapid deployment of these campaigns demonstrates the opportunistic nature of modern cyber threats and the need for advanced detection capabilities,” Kowski said.