Find notable cyber news and cases, enriched with sources, timelines, and signals.

Starkiller dark-web phishing platform scales credential theft as a SaaS-style criminal service

Threat Actor Meta
First reported
Last updated
Happening score
H score 36
1 unique sources, 1 articles

Summary

Hide ▲

The Starkiller phishing platform has emerged as a SaaS-style criminal service, raising the scale and durability of credential theft operations. It is sold on the dark web with a subscription model, updates, and customer support. The platform proxies live login pages through attacker-controlled infrastructure, making the phishing page harder to fingerprint or block. By forwarding one-time codes and authentication tokens in real time, it can bypass MFA and help attackers seize accounts across major online services.

Related Happenings

O-UNC-066 / Pink Microsoft Entra passkey vishing campaign

Campaign
H score37 First: 08.07.2026 19:47 Last: 08.07.2026 19:47 Sources 1

About this happening: The **O-UNC-066 / Pink** operation is using **voice-based phishing** to push **Microsoft 365** users into enrolling attacker-controlled **Entra passkeys**, creating a direct path...

REF6045 ClickFix banking fraud campaign targeting Mexican financial users

Campaign
H score36 First: 08.07.2026 15:52 Last: 08.07.2026 15:52 Sources 1

About this happening: The **REF6045** campaign is actively targeting **customers of Mexican banks, fintechs, payment processors, and cryptocurrency exchanges**, using **ClickFix** lures to push victims...

Bluekit adopts rrweb-based BitM session streaming for login theft

Technical Analysis
H score34 First: 25.06.2026 18:00 Last: 25.06.2026 18:00 Sources 1

About this happening: **Bluekit** has added **browser-in-the-middle (BitM)** login theft to its phishing stack, increasing the risk of **session-token theft** and **account takeover**. The mechanism us...

UK under-16 social media age-check ban

Public Sector Action
H score25 First: 16.06.2026 17:38 Last: 16.06.2026 17:38 Sources 1

About this happening: The **UK government** announced a ban on **under-16s** using social media, requiring **age checks** for new accounts and tightening access to major platforms. The rollout is set f...

Sniper Dz MENA fake Facebook phishing and monetization campaign

Campaign
H score30 First: 15.06.2026 09:30 Last: 15.06.2026 09:30 Sources 1

About this happening: A **Sniper Dz** fraud campaign is targeting **users across the Middle East and North Africa** with **fake Facebook accounts** that impersonate politicians, public figures, and tru...

Timeline

  1. 19.02.2026 14:00 2 articles · 4mo ago

    Starkiller dark-web phishing SaaS enables live credential theft

    Initial Disclosure

    Starkiller is a dark-web phishing platform sold with subscriptions, updates, and customer support. It proxies live login pages through attacker-controlled infrastructure in headless Chrome, supports real-time session monitoring and keylogging, and can bypass MFA by relaying one-time codes and authentication tokens in real time. The kit can mimic Google, Microsoft, Facebook, Apple, Amazon, Netflix, PayPal, various banks and other online services, and is likely distributed through phishing emails that imitate legitimate alerts and notifications.

    Show sources