-
A newly identified threat actor is selling a phishing-as-a-service panel on underground forums for $759 per month, capable of bypassing every form of two-factor authentication in real time.
-
The kit ships with over 17 active modules targeting major banks, cryptocurrency exchanges, payment platforms, retail giants, and social media networks.
-
Each module runs on a rotating pool of more than 10 phishing domains, updated around the clock to dodge browser security warnings and blocklists.
A sophisticated phishing toolkit is now circulating on underground hacking forums, and it is putting millions of accounts at serious risk.
A threat actor operating under the alias PHISHLAB is actively marketing the product called PhishLab V1 as a fully undetected phishing-as-a-service (PhaaS) panel.
The listing places advanced credential-theft capabilities directly in the hands of low-level cybercriminals, requiring nothing more than a subscription fee to get started.
The panel’s core mechanism is straightforward but dangerous. Attackers generate phishing links from a central control panel and push them to targets.
Once a victim clicks the link and enters their login details, the panel captures credentials, one-time two-factor authentication codes, and live browser session cookies simultaneously.
The operator receives an instant notification through Telegram. From there, a single click imports the stolen cookies into the attacker’s browser, granting full authenticated access to the victim’s account without ever needing the original password.
New Panel Hits Crypto, Banking, and Social Media All at Once
What separates PhishLab V1 from earlier phishing tools is the sheer width of its targeting. The kit arrives with more than 17 active modules, each built to impersonate a legitimate service across several high-value industries.
Major cryptocurrency exchanges sit at the top of the target list, with OKX, Bybit, Binance, and Coinbase all confirmed. Leading American banks follow closely, including Chase, Bank of America, Wells Fargo, and Citi. Payment services like PayPal and Stripe are also in scope, while Venmo and Cash App remain in active testing.
Retail and social platforms round out the targeting range. The kit includes modules for Amazon, Walmart, eBay, and Target, alongside Instagram, Facebook, WhatsApp, and TikTok. PHISHLAB has also teased more than 15 additional modules currently described as pending, signaling that the list of targets will expand in the weeks ahead.
Rotating Domains and Anti-Detection Keep the Operation Running
The listing places heavy emphasis on staying invisible. Each module draws from a pool of more than 10 unique phishing domains, which the operator rotates and refreshes continuously to stay ahead of browser-level security warnings and known blocklists.
PHISHLAB explicitly claims that operators face no risk of red-page detections, the security alerts browsers display when a URL matches a known phishing address. That claim points to an active backend team maintaining clean infrastructure around the clock.
Pricing follows a tiered subscription structure. The first month costs $759, with ongoing access billed at $250 per month thereafter. That entry price is notable, but the lower renewal rate places sustained phishing operations within reach of a much broader pool of actors who lack the technical background to build such tools independently.
The underground economy has increasingly trended toward this model, where turnkey platforms lower the barrier to entry and expand the number of people capable of running coordinated attacks.
Why Traditional 2FA No Longer Holds Up
PhishLab V1 exposes a critical weakness in how most people currently protect their accounts. When a phishing panel acts as a live relay between the victim and the real service, standard two-factor authentication offers very little protection.
Security researchers have consistently flagged adversary-in-the-middle (AiTM) attacks of this design as capable of defeating SMS codes, app-based authenticators, and email verification with equal ease. Hardware-based FIDO2 passkeys and physical security keys remain the only authentication methods resistant to this style of attack by design.
The importance of robust security measures extends beyond phishing. Even major exchanges are constantly under threat, as illustrated by a recent unverified dark web leak claiming a breach at Kraken. Our coverage examines what we know so far, hackers claim breach of crypto exchange Kraken in an unverified dark web leak.
Users on any of the targeted platforms should enroll in FIDO2-compliant authentication wherever the option exists, treat unsolicited links in emails, text messages, or direct messages with serious caution, and check accounts regularly for unfamiliar login activity.
Organizations should push phishing-resistant authentication policies across their workforce and invest in training that helps staff spot the subtle visual differences between a real login page and a convincing phishing replica.
The rise of PhishLab V1 is a clear signal that phishing has matured into a fully commercialized service industry, and the platforms people trust most are the primary targets.
