'Organised crime operating like a tech startup': EvilToken PHaaS group ramp up AI-enabled attacks by 1,380% in 2026
AI is used for more than just scaling
- Huntress report highlights “EvilTokens” PhaaS scaling phishing attacks 1,380% in early 2026 compared to last year
- AI integration enables per‑victim personalization at scale, bypassing MFA, with subscription tiers from $600 to $1,500
- Service sold openly on Telegram, showing how PhaaS now operates like a startup with cheap, powerful attack capabilities
Cybercriminals offering phishing-as-a-service (PhaaS) are increasingly operating like a tech startup, and a good one, at that. They are also using Artificial Intelligence (AI), which helped them scale significantly. This is according to a new report from cybersecurity researchers Huntress, called “EvilTokens and the Rise of AI-Powered Phishing”.
In the report, Huntress claims that this particular PhaaS operation, called EvilTokens, was used to run 1,380% more phishing attacks in early 2026 compared to the same period last year.
“We’re seeing a clear maturation of the phishing-as-a-service (PhaaS) market as threat actors increasingly integrate AI workflows into their product offerings,” the report reads. “The result is directly observable in our telemetry: a 1,380% increase in device code phishing attacks detected between July–December 2025 and January–April 2026, with over 50% of those incidents linked to two major waves of correlated incidents.”
A cheap service
“Furthermore, across hundreds of incidents associated with EvilTokens, no two phishing lures were identical. This level of per-victim personalization was previously limited to targeted, manually crafted campaigns. Now, it’s achievable at scale by any threat actor at the price of a subscription service.”
So, AI is not only used to scale the operation, but it is also used for personalization at an unprecedented level. At the same time, the service is relatively cheap to use: it is being sold on Telegram for as little as $600.
If this sounds like a lot, keep in mind that a single successful phishing attack is enough to steal data worth hundreds of thousands on the black market, or even millions in ransom negotiations.
EvilTokens’ service is tiered, too. The cheapest package costs $600, while two more expensive ones cost $1,000 and $1,500, respectively. For criminals, it is likely worth the investment, since this PhaaS is capable of bypassing multi-factor authentication, as well.
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.