- Huntress report highlights “EvilTokens” PhaaS scaling phishing attacks 1,380% in early 2026 compared to last year
- AI integration enables per‑victim personalization at scale, bypassing MFA, with subscription tiers from $600 to $1,500
- Service sold openly on Telegram, showing how PhaaS now operates like a startup with cheap, powerful attack capabilities
Cybercriminals offering phishing-as-a-service (PhaaS) are increasingly operating like a tech startup, and a good one, at that. They are also using artificial intelligence (AI), which has helped them scale significantly. This is according to a new report from cybersecurity researchers Huntress, called “EvilTokens and the Rise of AI-Powered Phishing”.
In the report, Huntress claims that this particular PhaaS operation, called EvilTokens, was used to run 1,380% more phishing attacks in early 2026 compared to the same period last year.
“We’re seeing a clear maturation of the phishing-as-a-service (PhaaS) market as threat actors increasingly integrate AI workflows into their product offerings,” the report reads. “The result is directly observable in our telemetry: a 1,380% increase in device code phishing attacks detected between July–December 2025 and January–April 2026, with over 50% of those incidents linked to two major waves of correlated incidents.”
A cheap service
“Furthermore, across hundreds of incidents associated with EvilTokens, no two phishing lures were identical. This level of per-victim personalization was previously limited to targeted, manually crafted campaigns. Now, it’s achievable at scale by any threat actor at the price of a subscription service.”
So, AI is not only used to scale the operation, but it is also used for personalization at an unprecedented level. At the same time, the service is relatively cheap to use: it is being sold on Telegram for as little as $600.
If this sounds like a lot, keep in mind that a single successful phishing attack is enough to steal data worth hundreds of thousands on the black market, or even millions in ransom negotiations.
EvilTokens’ service is tiered, too. The cheapest package costs $600, while two more expensive ones cost $1,000 and $1,500, respectively. For criminals, it is likely worth the investment, since this PhaaS is capable of bypassing multi-factor authentication, as well.
