MONTREAL, Jan. 15, 2026 (GLOBE NEWSWIRE) — Flare, the leader of Threat Exposure Management, today released new research titled The Phishing Kits Economy in Cybercrime Markets, which uncovered how modern phishing has evolved into a mature, service-driven underground economy. Findings showed that combo kits, which are built to impersonate entire clusters of services in one deployment, are the engine of modern phishing. Flare found 43.8% of entries leveraged these prepackaged sets of phishing tools and resources to scale: one kit, many victims, many monetization paths.
Based on analysis of more than 8,600 underground, deep web, dark web, and messaging platform discussions, Flare’s report reveals how phishing kits and phishing-as-a-service (PhaaS) platforms are engineered for scale, speed, and monetization, allowing even low-skill actors to bypass multi-factor authentication (MFA), steal sessions, and take over accounts with alarming efficiency. The report shows that modern phishing operations are no longer constrained by geography, language, or technical expertise. Kits are built in one region, sold in another, and deployed globally, often within hours.
“Phishing often appears chaotic, but when campaigns are conducted at scale, they follow clear structures and economic incentives,” said Assaf Morag, cybersecurity researcher at Flare. “When you analyze enough activity, you can see which approaches consistently succeed, which ones fail, and how attackers refine their operations over time, providing insights defenders can actually act on.”
Key Findings From the Report
- The “fraud trifecta” dominates phishing kits: In multi-target phishing kits, 81.9% impersonate banking brands, 76.4% target a massive e-commerce platform, and 75.1% target PayPal, forming the backbone of mass-scale consumer fraud.
- Combo kits are now the default: 43.8% of analyzed entries referenced multi-brand phishing panels, enabling attackers to target many services with a single deployment.
- Two popular kits dominate: EvilProxy (334 entries) and Typhoon 2FA (240 entries) were dominant and were responsible for most of the recent PhaaS incidents.
- It’s not just threat actors: Nearly 48% of phishing actors were not traditional threat actors, they could be classified as researchers, bots, malware developers, brokers, sellers/vendors, buyers/WBT and unknown actors.
- Phishing is now a service economy: The dominant tools are no longer fake login pages but reverse-proxy and adversary-in-the-middle platforms capable of bypassing OTP-based MFA and stealing live session cookies.
- Attackers prioritize speed to cash-out: Single-target campaigns heavily focus on crypto (53.9%) and Microsoft/O365 (21.4%), while multi-target kits concentrate on consumer financial ecosystems.
- The ecosystem is global but concentrated: English dominates underground phishing discussions (~77%), while a smaller Russian-language segment (~5%) remains disproportionately influential in high-value tradecraft.
As phishing kits become more advanced and widespread, security teams must shift their approach from point defenses to systemic disruption. This includes assuming MFA bypass is possible and prioritizing behavior-based detection, monitoring key threat actors and underground communities, expanding intelligence coverage beyond English-language sources, and leveraging OSINT to enrich underground threat signals. At the same time, user awareness programs must evolve beyond URL checks to reflect modern phishing techniques that convincingly spoof browsers and authentication flows. Together, these steps help organizations move from reactive detection to proactive reduction of phishing risk at scale.
The full report provides a deeper analysis of how phishing kits are built, sold and operated, along with what live phishing infrastructure looks like in real attacks and how defenders can disrupt attacker workflows. View the full report and learn more about Flare on the website.
About Flare
Flare is the leader in Threat Exposure Management (TEM), helping global organizations detect high-risk exposures found on the clear and dark web. Combining the industry’s best cybercrime database with a ridiculously intuitive user experience, Flare enables customers to reclaim the information advantage and make cybercrime irrelevant. For more information, visit https://flare.io. To experience the platform firsthand, start a free trial at https://try.flare.io/free-trial/. Join our Discord community and explore Flare Academy to stay up-to-date on the latest in threat intelligence.
Media Contact
Geena Pickering
Look Left Marketing
[email protected]
A photo accompanying this announcement is available at https://www.globenewswire.com/NewsRoom/AttachmentNg/5b982d5a-0351-49bb-8ca1-e9663f53163d