EvilTokens PhaaS scales device code phishing for low-skilled cybercriminals

Threat Actor Meta
Happening score
H score 41
1 unique source, 1 article

Summary

EvilTokens is turning device code phishing into a phishing-as-a-service market, expanding access for low-skilled cybercriminals and accelerating competition among phishing kits. The shift matters because turnkey services lower the barrier to account takeover and help the technique spread across cloud login flows. Researchers said the kit has become a prominent driver of mainstream adoption, with rival platforms already competing in the same ecosystem. The broader market now includes at least 11 kits using SaaS-themed lures, cloud hosting, and anti-bot protections.

Related Happenings

TeamPCP uses Shai-Hulud release to build access-broker monetization pipeline

Threat Actor Meta
First: 18.05.2026 22:53 Last: 18.05.2026 22:53 Sources 1

About this happening: **TeamPCP** is being framed as using the **Shai-Hulud** source-code release to drive an **access broker** business, turning worm distribution into a credential-monetization pipeli...

QR code phishing surged across email threats in Q1 2026

Target Trend
First: 05.05.2026 09:35 Last: 05.05.2026 09:35 Sources 1

About this happening: **Q1 2026** email-threat telemetry shows **QR code phishing** and **CAPTCHA-gated phishing** rising quickly, increasing the risk of **credential theft** across **organizations**....

Shifty Corsair evolves open-source supply-chain tradecraft with fake firms, layered packages, and AI-assisted deception

Threat Actor Meta
First: 29.04.2026 17:43 Last: 29.04.2026 17:43 Sources 1

About this happening: **Shifty Corsair** has expanded its operating model into a more convincing developer-lure ecosystem, increasing the risk of open-source supply-chain compromise against **Web3** ta...

Triad Nexus investment scam and brand impersonation campaign targeting emerging markets

Campaign
First: 14.04.2026 15:00 Last: 14.04.2026 15:00 Sources 1

About this happening: The **Triad Nexus** campaign is continuing to run **large-scale investment scams** and **brand impersonation**, expanding into **emerging markets** and driving higher fraud losses...

W3LL Microsoft 365 adversary-in-the-middle phishing campaign

Campaign
First: 13.04.2026 21:55 Last: 13.04.2026 21:55 Sources 1

About this happening: The **W3LL** phishing operation turned into a high-volume **Microsoft 365** credential-theft campaign, exposing **more than 17,000 victims worldwide** to **BEC** risk. The kit use...

Timeline

  1. 04.04.2026 17:17 2 articles · 1mo ago

    EvilTokens drives device code phishing market growth

    Technical Analysis Update

    Sekoia and Push Security characterize EvilTokens as a phishing-as-a-service operation that is helping turn device code phishing into a scalable account-takeover market, with Push Security reporting a 37.5x increase in detected pages and at least 11 phishing kits using SaaS-themed lures, anti-bot protections, and cloud-hosted infrastructure.