Exploring the AitM Phishing Ecosystem: From Kit Hunting to Operator Profiling
2026-04-15, Amphitheater

Over the past few years, the Adversary-in-the-Middle (AitM) phishing threat has evolved into a highly professionalised market featuring numerous Phishing-as-a-Service (PhaaS) platforms. For a subscription costing a few hundred dollars, these platforms offer fully-featured phishing kits with regular updates and professional support. In this presentation, we will demonstrate how this professionalised ecosystem empowers low-skilled threat actors to conduct phishing campaigns, and how to investigate them.

First, we will analyse the PhaaS market, where Telegram serves as the central hub for sales and support. To present an overview of the threat landscape, we will provide a timeline, statistics, and context for major PhaaS platforms, including Tycoon 2FA, Storm-1167, NakedPages, Sneaky 2FA, and Mamba 2FA, supported by our telemetry data. We will also examine the evolution of delivery techniques, from QR codes in 2023 to SVG files in 2025.

Next, we will detail our research methodology for unveiling emerging AitM phishing kits through proactive threat hunting using common TTPs. We will present Sneaky 2FA as a case study, providing context on code reuse and its evolution into two previously undocumented variants: Kratos (a decentralised kit) and Smile Cookies (featuring centralised infrastructure). We will share actionable tracking methods including infrastructure fingerprinting, and detection opportunities from authentication log anomalies.

Finally, we will present an attribution case study of the threat actor “Dr. James Wilson”, who operated four PhaaS platforms and whose operational security failures led to exposure via infostealer logs. Our analysis of browsing data revealed two digital identities: one for AitM phishing operations and another for personal activities. By profiling the attacker, we will share valuable insights into the ecosystem and services facilitating AitM phishing, from domain registration to cryptocurrency platforms.

Quentin Bourgue is a senior threat researcher in the Threat Detection & Research (TDR) team at Sekoia.io. He co-leads the Cyber Threat Intelligence (CTI) team, which investigates financially motivated threats. His responsibilities include researching emerging cyber threats, tracking adversary infrastructure, analysing malware distribution campaigns, and writing and presenting technical reports.

Grégoire Clermont is a Security Engineer at Sekoia.io. Over the past two years, he has researched the Adversary-in-the-Middle phishing ecosystem, developing detection strategies with a focus on Microsoft Entra ID environments, and tracking PhaaS infrastructure. He has contributed to several Sekoia publications on AitM phishing kits, including Sneaky 2FA and Mamba 2FA.