‘Organized crime acts like a tech startup’: EvilToken PHaaS group increased AI-enabled attacks by 1,380% in 2026

Huntress Report Highlights “EvilToken’s” PhaaS Scaling of Phishing Attacks 1,380% in Early 2026 Compared to Last Year
AI integration enables per-victim personalization at scale, bypassing MFA, with subscription levels from $600 to $1,500
The service is openly sold on Telegram and shows how PhaaS now works as a startup with cheap, powerful attack options

Cybercriminals offering phishing-as-a-service (PhaaS) are increasingly operating as a tech startup, and a good one at that. They also use artificial intelligence (AI), which helped them scale significantly. This is according to a new report by cybersecurity researchers Huntress, called “EvilTokens and the Rise of AI-Powered Phishing.”

In the report, Huntress claims that this particular PhaaS operation, called EvilTokens, was used to run 1,380% more phishing attacks in early 2026 compared to the same period last year.

“We see a clear maturation of the phishing-as-a-service (PhaaS) market as threat actors increasingly integrate AI workflows into their product offerings,” the report said. “The result is directly observable in our telemetry: a 1,380% increase in device code phishing attacks detected between July-December 2025 and January-April 2026, with over 50% of these incidents linked to two large waves of correlated incidents.”

A cheap service

“Furthermore, across hundreds of incidents associated with EvilTokens, no two phishing decoys were identical. This level of personalization per victim was previously limited to targeted, manually crafted campaigns. Now it can be achieved at scale by any threat actor for the price of a subscription service”

So AI is not only used to scale the operation, but it is also used for personalization at an unprecedented level. At the same time, the service is relatively cheap to use: it is sold on Telegram for as little as $600.

If this sounds like a lot, keep in mind that a single successful phishing attack is enough to steal data worth hundreds of thousands on the black market, or even millions – in ransom negotiations.

EvilTokens’ service is also divided. The cheapest package costs $600, while two more expensive ones cost $1,000 and $1,500, respectively. For criminals, it is probably worth the investment, as this PhaaS is also capable of bypassing multi-factor authentication.