Phishing Kits Power a Global, Service-Driven Cybercrime Economy, New Research Finds

Analysis of underground markets shows combo kits and phishing-as-a-service platforms have industrialized online fraud
Jan. 15, 2026

Key Highlights

 

  • More than 43.8% of underground listings feature multi-brand phishing panels, enabling simultaneous attacks across multiple services.
  • Major targets include banking, e-commerce, and PayPal, forming a 'fraud trifecta' that drives mass consumer fraud.
  • Attackers prioritize speed-to-monetization, focusing on rapid credential theft and account takeover, often bypassing MFA defenses.
  • Phishing kits now employ sophisticated techniques, such as reverse proxies and adversary-in-the-middle attacks, to evade traditional security measures.

Modern phishing is no longer a scattershot criminal tactic but a highly organized, service-driven underground economy built for scale, speed, and profit, according to new research released this week by threat intelligence firm Flare.

The report, The Phishing Kits Economy in Cybercrime Markets, analyzes more than 8,600 discussions across underground forums, dark web marketplaces, and encrypted messaging platforms. Its central finding is that phishing kits, particularly so-called “combo kits” that impersonate multiple brands and services simultaneously, have become the primary engine of today’s phishing operations.

Flare’s researchers found that 43.8% of the analyzed underground listings referenced multi-brand phishing panels, enabling attackers to deploy a single kit against multiple services simultaneously. This model enables rapid victim targeting, diversified monetization, and quick reuse of infrastructure—key characteristics of what Flare describes as a mature phishing-as-a-service (PhaaS) economy.

“Phishing often looks chaotic from the outside, but at scale it follows very clear economic logic,” said Assaf Morag, a cybersecurity researcher at Flare. “Attackers optimize what works, discard what doesn’t, and continuously refine their tooling based on results.”

Combo kits and the “fraud trifecta”

At the center of this economy are combo kits designed to impersonate entire clusters of high-value consumer services. In multi-target phishing kits analyzed by Flare, more than 80% impersonated major banking brands. Large e-commerce platforms appeared in 76.4% of kits, while PayPal was targeted in 75.1%, forming what researchers labeled a “fraud trifecta” underpinning mass-scale consumer fraud.

Rather than focusing on a single organization or brand, attackers increasingly favor breadth. One deployment can target banks, payment services, and online retail platforms simultaneously, increasing the likelihood of a successful credential theft and accelerating time to cash-out.

Two platforms in particular—EvilProxy and Typhoon 2FA—stood out as dominant players in recent underground activity. Together, they accounted for hundreds of references and were linked to the majority of recent PhaaS-related incidents observed in the dataset.

Phishing without borders—or skill barriers

The report also underscores how phishing operations have shed traditional constraints. Kits are often developed in one region, sold in another, and deployed globally within hours. Language, geography, and technical skill are no longer meaningful barriers to entry.

Nearly half of the actors involved in phishing-related discussions did not fit the profile of traditional threat actors. Flare identified researchers, brokers, bot operators, malware developers, buyers, sellers, and automated accounts as significant participants in the ecosystem. This diffusion of roles reinforces phishing’s evolution from a hacker-driven activity into a distributed cybercrime supply chain.

Technically, the tools themselves have advanced well beyond fake login pages. The dominant kits now rely on reverse proxy and adversary-in-the-middle techniques that can bypass one-time password (OTP) multi-factor authentication and steal live session cookies. As a result, account takeovers can occur even when MFA is enabled, challenging long-standing defensive assumptions.

Speed to monetization drives targeting

Flare’s analysis shows a clear divide between single-target and multi-target campaigns. Single-target phishing efforts concentrated on cryptocurrency platforms, which accounted for 53.9% of those campaigns, followed by Microsoft and Office 365 environments at 21.4%. These targets offer rapid monetization and access to downstream enterprise systems.

By contrast, combo kits concentrated on consumer financial ecosystems, where volume and reuse offset lower per-account value. In both cases, speed to monetization emerged as a defining priority, influencing everything from kit design to brand selection.

While English-language discussions dominate underground phishing activity, accounting for roughly 77% of what was observed, the report noted that a smaller Russian-language segment, representing about 5%, remains disproportionately influential in high-value tooling and advanced tradecraft.

Implications for defenders

As phishing kits become more capable and widely accessible, Flare argues that traditional point defenses are no longer sufficient. Security teams must assume that MFA bypass is possible and shift toward behavior-based detection and systemic disruption of attacker workflows.
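One way to express the behavior-based detection described above, as an added example that is not taken from the Flare report: flag a session whose cookie is presented from a different network and client than the one that completed MFA. The log fields, the 30-minute window and the sample events are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample log, not real data. Fields (all hypothetical):
# (timestamp, user, session_id, event, source_ip, asn, user_agent)
# IPs are RFC 5737 documentation addresses; ASNs are private-use numbers.
EVENTS = [
    ("2026-01-15T09:00:02", "alice", "s-100", "mfa_ok", "192.0.2.10", 64500, "Firefox/134 Windows"),
    ("2026-01-15T09:05:40", "alice", "s-100", "request", "192.0.2.10", 64500, "Firefox/134 Windows"),
    ("2026-01-15T10:12:00", "bob", "s-200", "mfa_ok", "198.51.100.7", 64501, "Chrome/131 Windows"),
    ("2026-01-15T10:14:30", "bob", "s-200", "request", "203.0.113.99", 64502, "Chrome/131 Linux"),
    ("2026-01-15T11:00:00", "carol", "s-300", "mfa_ok", "192.0.2.44", 64500, "Safari/18 macOS"),
    ("2026-01-15T11:20:00", "carol", "s-300", "request", "192.0.2.45", 64500, "Safari/18 macOS"),
    ("2026-01-15T12:00:00", "dave", "s-400", "request", "203.0.113.5", 64502, "Chrome/131 Linux"),
]

REPLAY_WINDOW = timedelta(minutes=30)  # assumed tuning value


def find_session_replays(events, window=REPLAY_WINDOW):
    """Return alerts for sessions used from a different network and client
    than the one that completed MFA, or used with no MFA event on record."""
    issued = {}      # session_id -> (time, asn, user_agent) at MFA completion
    alerted = set()  # emit at most one alert per session
    alerts = []
    for ts, user, sid, event, ip, asn, ua in sorted(events):
        when = datetime.fromisoformat(ts)
        if event == "mfa_ok":
            issued[sid] = (when, asn, ua)
            continue
        if sid in alerted:
            continue
        if sid not in issued:
            reason = "session_without_mfa_event"
        else:
            t0, asn0, ua0 = issued[sid]
            # Require BOTH network and client to change: a roaming laptop
            # changes ASN but keeps its user agent, and is not flagged.
            moved = asn != asn0 and ua != ua0
            if not (moved and when - t0 <= window):
                continue
            reason = "cookie_reused_from_new_network_and_client"
        alerted.add(sid)
        alerts.append({"user": user, "session": sid, "ip": ip, "reason": reason})
    return alerts


if __name__ == "__main__":
    for alert in find_session_replays(EVENTS):
        print(alert)
```

Because an adversary-in-the-middle proxy completes the sign-in itself, the comparison is between the context in which the session was issued and the context in which it is later used, not against the user's usual location.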

Recommended defensive strategies include closer monitoring of underground communities and key phishing actors, expanding intelligence coverage beyond English-language sources, and using open-source intelligence to enrich signals from dark web activity. Just as importantly, user awareness programs need to move beyond simple URL inspection to address modern phishing techniques that convincingly spoof browsers and authentication flows.

Taken together, these changes represent a shift from reactive detection toward proactive reduction of phishing risk at scale.

The full report provides detailed insight into how phishing kits are built, sold, and operated, as well as what live phishing infrastructure looks like during real-world attacks and where defenders can most effectively intervene.

 
 
 