“By utilizing live administration panels, attackers can interact with victims in real-time to capture one-time passcodes (OTPs), allowing them to bypass multifactor authentication (MFA) instantly,” noted the Google Threat Intelligence Group (GTIG) researchers.
Real-time credential interception: the new frontline
GTIG’s May 25 report documents a marked move away from static credential harvesting toward live, interactive fraud. When victims enter login details on a phishing page, those entries now appear immediately on attacker-controlled administration panels. Operators use those panels to trigger authentication flows on their own devices and capture OTPs seconds before they expire, effectively neutralizing MFA protections.
The report also details monetization paths tied to these live takeovers: attackers provision victims’ payment cards into digital wallets on attacker-controlled devices, enabling high-value transactions, contactless payments and ATM withdrawals. Some platforms even offer brokerage-focused templates intended to facilitate account takeovers for wire fraud and stock manipulation.
Encrypted messaging and richer lures: RCS and iMessage
GTIG found Chinese-language PhaaS operators increasingly deliver phishing lures via Rich Communication Services (RCS) and Apple iMessage instead of traditional SMS. Those protocols’ end-to-end encryption, GTIG notes, makes it significantly harder for infrastructure-level filters to detect and block malicious links. At the same time, higher-fidelity features — read receipts, high-resolution media and typing indicators — make phishing messages appear more convincing to potential victims.
AI, automation and the Darcula example
GTIG flagged a growing reliance on AI and browser automation to scale campaigns and evade signature-based defenses. The Darcula PhaaS platform, which GTIG linked to threat actor UNC5814, has reportedly abandoned static templates in favor of AI-powered page generators and browser automation tools that clone legitimate websites by replicating their HTML, CSS, JavaScript and visual elements. Because each generated phishing page is unique, GTIG warned, traditional signature-based detection methods become less effective.
Full criminal suites and the commercialization of phishing
According to GTIG, the most sophisticated Chinese PhaaS platforms no longer sell only kits; they sell services. Offerings observed by GTIG include the sale of personally identifiable information (PII), domain registration and virtual private server (VPS) hosting, money laundering, IMSI catchers, spam messaging assistance and stolen payment card trading. GTIG also noted uneven operational security among some operators, with individuals openly advertising on Telegram and posting photos that flaunt luxury lifestyles.
GTIG pointed to the November 2025 lawsuit Google filed against the operator of the “Lighthouse” SMS phishing kit as one visible enforcement action, but the report said that Lighthouse was “just the tip of the iceberg.” GTIG observed at least a dozen other active PhaaS offerings in the Chinese underground.
What this means for security teams, policymakers, and the general public
- Security teams: GTIG’s findings signal that defenders must anticipate live interception workflows, token theft, and rapid provisioning of payment credentials into digital wallets — exposures that extend beyond static web-page detection.
- Policymakers and regulators: the report highlights cross-border targeting, noting that nearly all impersonated organizations are non-Chinese entities and that top targeted countries include Japan, the US, Australia, Hong Kong and the United Arab Emirates — facts that underline international dimensions of the abuse GTIG describes.
- General public: GTIG’s work shows attackers are shifting channels and techniques — from SMS to encrypted messaging, from static pages to AI-generated replicas — increasing the difficulty of spotting convincing lures and raising the stakes for individuals who receive unsolicited login or payment prompts.
GTIG’s May 25 report sketches an economy of phishing that is faster, more automated and more commercially complete than prior models: platforms that intercept OTPs in real time, provision payment cards into digital wallets, and generate unique cloned pages by AI. With at least a dozen active Chinese-language PhaaS offerings identified and visible enforcement limited to cases such as the November 2025 Lighthouse lawsuit, GTIG’s account poses a pointed question for defenders and regulators alike — can detection, legal action and cross-border cooperation keep pace with an ecosystem that treats phishing as a live, monetizable service?




