Normal view

Received — 23 April 2026 Threat Intelligence Blog | Flashpoint

The Phishing-as-a-Service Pipeline: How a Scalable Fraud Ecosystem Is Driving Global Attacks

Blogs

Blog

The Phishing-as-a-Service Pipeline: How a Scalable Fraud Ecosystem Is Driving Global Attacks

In this post, we examine how phishing-as-a-service (PhaaS) has evolved into a structured cybercrime ecosystem, how threat actors collaborate across infrastructure, delivery, and monetization layers, and why this model continues to drive large-scale financial fraud targeting global organizations.

SHARE THIS:
Default Author Image
April 10, 2026

Phishing is no longer a standalone tactic. It has matured into a service-based ecosystem where specialized actors provide each component of an attack lifecycle, from infrastructure and delivery to credential harvesting and cash-out.

Flashpoint analysts, working with partner financial institutions, have observed a growing number of PhaaS operations operating with a level of coordination and specialization more commonly associated with legitimate software platforms. These ecosystems bring together phishing kit developers, infrastructure providers, spam delivery services, and financially motivated actors into a single, scalable pipeline for fraud.

This shift has significantly lowered the barrier to entry for cybercriminals while increasing the scale, efficiency, and success rate of phishing campaigns.

From Phishing Kits to a Service-Based Fraud Economy

PhaaS emerged from early phishing kits into a full cybercrime-as-a-service model built on commercialization, modular tooling, and operational scalability.

Early phishing activity relied on standalone kits — basic login pages and scripts that allowed attackers to collect credentials. Over time, operators began centralizing these capabilities into subscription-based platforms offering hosting, domain management, campaign tooling, and ongoing support.

Modern PhaaS platforms now operate similarly to legitimate SaaS providers:

  • Subscription-based pricing models
  • Prebuilt templates for major brands and services
  • Integrated delivery mechanisms (email, SMS, QR phishing)
  • Real-time dashboards for campaign tracking and credential harvesting

This model has made sophisticated phishing accessible to low-skill actors. Kits can cost as little as US$10, while full platforms enable large-scale campaigns for relatively modest monthly fees.

MFA Bypass and AI Are Reshaping Phishing Capabilities

As organizations adopted multifactor authentication (MFA), PhaaS operators adapted.

Modern platforms increasingly rely on adversary-in-the-middle (AiTM) techniques, using reverse proxy infrastructure to intercept login sessions in real time. This allows attackers to capture not only credentials, but also MFA tokens and session cookies, effectively bypassing traditional authentication controls.

At the same time, AI is accelerating the scale and effectiveness of phishing campaigns.

Threat actors are using AI to:

  • Generate convincing, localized phishing lures
  • Clone brand interfaces with high fidelity
  • Optimize campaigns through automated testing and iteration

This combination of MFA bypass and AI-driven automation has transformed phishing from a volume-based tactic into a precision-driven access vector.

The PhaaS Pipeline: How the Ecosystem Operates

What distinguishes modern phishing operations is not just tooling, but coordination.

A typical PhaaS campaign follows a structured lifecycle:

This pipeline is supported by a network of specialized providers, each responsible for a different stage of the attack lifecycle.

Infrastructure, Delivery, and Exfiltration Are Increasingly Specialized

Flashpoint analysis highlights how different actors focus on distinct parts of the ecosystem.

Infrastructure and Kit Development

Phishing kit developers provide increasingly sophisticated tooling, including:

  • Reverse proxy (AiTM) capabilities for MFA bypass
  • Anti-bot protections to evade researchers
  • “Live panels” enabling real-time interaction with victims

Platforms such as GhostFrame, Rapid Pages, and MUH Pro Admin illustrate how these tools are being productized and distributed at scale.

SMS Delivery and Spoofing

Smishing has become a critical delivery vector.

Threat actors operate dedicated SMS gateway services capable of sending large volumes of messages via APIs or bulk uploads. Others actively seek advanced spoofing capabilities to bypass authentication controls such as SPF, DKIM, and DMARC, enabling phishing messages to appear legitimate at the protocol level.

Credential Exfiltration and Telegram Integration

Credential collection is increasingly automated and centralized.

Many campaigns exfiltrate stolen credentials directly to Telegram bots or channels, enabling real-time access to victim data. This infrastructure also allows for rapid scaling and coordination across actors participating in the same campaign or ecosystem.

From Credential Theft to Financial Monetization

The ultimate goal of PhaaS operations is monetization.

Stolen credentials are used to enable account takeover (ATO), which allows attackers to:

  • Access financial accounts
  • Lock out legitimate users
  • Initiate fraudulent transactions
  • Launch follow-on scams

Flashpoint analysis of actors such as “JUN JUN,” associated with the Squirtle group, illustrates how these operations extend into structured financial fraud and laundering.

Observed activity shows a progression from acquiring phishing logs (“fish material”) to targeting high-value accounts and ultimately laundering funds through complex mechanisms, including tax fraud and credit card repayment schemes designed to recycle illicit funds.

This highlights how phishing is only the entry point into a broader fraud pipeline.

A Distributed Ecosystem of Threat Actors

The PhaaS landscape is not controlled by a single group, but by a network of loosely connected actors and clusters.

Examples include:

  • Fluffy Spider: Focused on large-scale infrastructure deployment and domain generation
  • IVAN: A more exclusive, high-tier operation leveraging SEO poisoning and advanced evasion techniques
  • Smishing Triad: A highly coordinated group conducting global SMS phishing campaigns
  • System Bot: A modular phishing toolkit with credential harvesting and OTP bypass capabilities

These actors operate across different regions and languages but demonstrate comparable levels of technical capability and operational maturity.

Many of these groups function with enterprise-like structures, including support teams, affiliate models, and performance-based operations, further reinforcing the industrialization of phishing-driven fraud.

Law Enforcement Pressure Is Increasing, but the Model Persists

Recent takedowns, including operations targeting platforms such as Tycoon 2FA, demonstrate growing coordination between public and private sector defenders.

These efforts have:

  • Disrupted infrastructure
  • Increased operational costs for threat actors
  • Accelerated collaboration between intelligence providers and law enforcement

However, the underlying PhaaS model remains resilient.

Even as major platforms are dismantled, operators frequently rebrand, migrate infrastructure, or fragment into smaller services. The demand for scalable, low-cost phishing capabilities continues to sustain the ecosystem.

What This Means for Security Teams

Phishing-as-a-service has evolved from a tactic to an ecosystem that industrializes fraud.

Flashpoint assesses that the increasing coordination between phishing kit developers, infrastructure providers, and financial fraud actors will continue to drive large-scale credential harvesting and account takeover activity targeting global organizations.

For defenders, this means that effective mitigation requires more than user awareness and traditional controls. Organizations must account for:

  • MFA bypass techniques such as AiTM
  • Rapid infrastructure rotation and evasion
  • The integration of phishing into broader fraud and access broker pipelines

Protecting Your Organization from the PhaaS Ecosystem

Understanding how phishing ecosystems operate — from infrastructure and delivery to monetization — is critical for disrupting attacks before they result in fraud.

Flashpoint provides intelligence that helps organizations track phishing campaigns, identify emerging threat actors, and detect compromised credentials in real time. By correlating activity across the full attack lifecycle, security teams can better anticipate threats and respond before they escalate.

To learn how Flashpoint can support your team with actionable intelligence on phishing and fraud ecosystems, schedule a demo.

Begin your free trial today.

The post The Phishing-as-a-Service Pipeline: How a Scalable Fraud Ecosystem Is Driving Global Attacks appeared first on Flashpoint.

Tax Refund Fraud in 2026: How Threat Actors Exploit Identity, Verification, and Cash-Out Channels

Blogs

Blog

Tax Refund Fraud in 2026: How Threat Actors Exploit Identity, Verification, and Cash-Out Channels

In this post, we examine how threat actors are executing tax refund fraud schemes, from sourcing identity data to bypassing verification and cashing out fraudulent returns, and what these patterns reveal about evolving fraud ecosystems.

SHARE THIS:
Default Author Image
April 9, 2026

Tax refund fraud remains a persistent and evolving threat within cybercrime and fraud communities. Threat actors actively advertise and refine schemes designed to file fraudulent returns and intercept refund payments from legitimate taxpayers.

Across illicit forums, Telegram channels, and marketplaces, discussions point to a structured ecosystem built around identity data, social engineering, verification bypass, and increasingly sophisticated cash-out methods.

For intelligence teams, these conversations provide insight into how fraud operations are scaling and where defenses are being tested and adapted.

The Structure of Modern Tax Refund Fraud Schemes

At a high level, most tax refund fraud schemes follow a consistent model: obtain identity data, file a fraudulent return, bypass verification, and extract funds.

Flashpoint analysis shows that threat actors focus on several key stages:

  • Sourcing victims or identity “fullz” (complete PII packages)
  • Obtaining or bypassing identity and return verification
  • Leveraging social engineering to support fraud workflows
  • Using tutorials and shared methods to maximize refund amounts
  • Converting refunds into cash or cryptocurrency

These stages are not isolated. They are supported by overlapping communities that specialize in identity theft, financial fraud, and account access.

Identity Data as the Foundation of Fraud

The success of tax refund fraud depends heavily on access to high-quality identity data.

Threat actors typically rely on “fullz,” which include a victim’s name, date of birth, address, and Social Security number. In some cases, fraudsters also recruit “clients” or “tax heads” — individuals who knowingly or unknowingly provide accurate tax documents and assist in bypassing verification steps.

This distinction is important. While fullz can be purchased or harvested at scale, clients often provide more reliable and current information, increasing the likelihood that a fraudulent return will be accepted.

A threat actor shares a screenshot of a text exchange with a client in which they obtain access to their TurboTax account and tax forms accessible through the account. (Source: Telegram, Flashpoint Collections).

Threat actors also seek additional data points to legitimize filings, including:

  • Identity Protection (IP) PINs
  • Adjusted Gross Income (AGI) from previous tax years
  • Access to tax preparation accounts or IRS records

These elements are frequently obtained through compromised accounts, social engineering, or access to verified identity platforms.

Verification Bypass as a Critical Enabler

Filing a fraudulent return is only part of the process. Successfully passing identity and return verification is often the deciding factor.

Threat actors place significant emphasis on accessing or creating verified accounts tied to identity systems used by government agencies. These accounts allow fraudsters to:

  • Retrieve tax transcripts and historical data
  • Respond to IRS verification requests
  • Validate identity during filing and follow-up processes

In many cases, fraudsters rely on social engineering to obtain this access. Common approaches include:

  • Creating fake job postings or tax preparation services to collect documents
  • Running romance or employment scams to gather personal information
  • Coercing victims into creating or sharing verified accounts

Threat actors also prepare for additional verification steps, such as responding to IRS letters or completing phone and in-person identity checks. These workflows often involve scripts, impersonation tactics, and coordination with cooperating “clients.”

Fraud Tactics Are Increasingly Systematic

Beyond basic filing, threat actors share detailed tutorials and playbooks designed to maximize refunds and improve success rates.

These often include:

  • Using real or falsified income data to inflate returns
  • Targeting specific tax credits, such as the Child Tax Credit (CTC), Earned Income Tax Credit (EITC), or Employer Retention Credit (ERC)
  • Claiming dependents or benefits that increase refund amounts
  • Adapting methods based on state-specific programs or eligibility requirements

A notable development is the use of fraudulent income submission schemes, where threat actors pre-populate tax records with inflated income and withholding data before filing a return.

This process typically involves:

  1. Submitting false wage data to the IRS or Social Security Administration using employer identifiers
  2. Waiting for the data to appear on official tax transcripts
  3. Filing a return that matches the fabricated figures

By aligning submitted data with filed returns, fraudsters increase the likelihood that filings will appear legitimate during verification.

Social Engineering Extends Beyond Victims

Social engineering plays a central role throughout the fraud lifecycle—and not just at the initial data collection stage.

Threat actors also target:

  • IRS representatives, attempting to verify fraudulent returns over the phone
  • Clients, persuading them to attend verification appointments or share official correspondence
  • Government offices, including outreach to congressional staff to resolve refund holds

In some cases, fraudsters use AI-generated communications to scale these efforts, including drafting messages designed to appear legitimate and urgent.

These tactics highlight how fraud operations extend into real-world processes and human interactions, not just digital systems.

Cash-Out Methods Continue to Evolve

Once a fraudulent refund is secured, the focus shifts to converting funds into usable, untraceable assets.

Common cash-out methods include:

  • Direct deposits into accounts controlled by the fraudster
  • Accounts opened by “clients” on behalf of the operation
  • Digital banking platforms and payment apps
  • Prepaid cards and alternative financial instruments

Increasingly, threat actors are moving funds into cryptocurrency to reduce traceability. This often involves:

  • Using verified exchange accounts to pass KYC requirements
  • Converting refunds into Bitcoin or other assets
  • Transferring funds to wallets controlled by the fraudster

In some workflows, the entire process — from filing to conversion — can occur within a single mobile or digital ecosystem.

Fraud Communities Enable Scale and Adaptation

Tax refund fraud does not operate in isolation. It is embedded within broader fraud ecosystems where identity data, tools, and tutorials are continuously shared.

Telegram remains a central hub for this activity, with large channels distributing:

  • Screenshots of successful refunds
  • Tutorials and “sauce” (paid or free methods)
  • Listings for identity data and services

Dark web forums also host discussions, though typically with lower volume and higher signal.

The structure of these communities allows fraud techniques to spread quickly, adapt to changing controls, and persist across multiple platforms.

What This Means for Threat Intelligence Teams

Tax refund fraud reflects a broader shift toward operationally mature, community-driven fraud ecosystems.

Flashpoint analysts assess that these schemes are becoming more structured, with clearly defined workflows for identity acquisition, verification bypass, and monetization.

For security and intelligence teams, this has several implications:

  • Identity data remains a critical point of exposure across multiple fraud types
  • Verification systems are actively targeted and tested by threat actors
  • Social engineering continues to bridge technical and human vulnerabilities
  • Fraud techniques are rapidly shared, refined, and scaled across communities

Understanding how these components connect is essential for identifying emerging fraud patterns and anticipating how threat actors will adapt.

Supporting Security Teams with Threat Intelligence During Tax Season and Beyond

Understanding how tax fraud schemes are executed from identity sourcing to verification bypass and cash-out provides critical context for detecting and disrupting fraudulent activity.

Flashpoint delivers leading intelligence that helps organizations monitor fraud communities, track evolving tactics, and identify emerging schemes before they scale. By combining primary source collection with contextual analysis, security teams can move from reactive detection to proactive defense.

To learn how Flashpoint can support your team with real-time intelligence and analysis, request a demo.

Frequently Asked Questions About Tax Refund Fraud

What is tax refund fraud?

Tax refund fraud is a form of identity-based financial crime in which threat actors file fraudulent tax returns using stolen or manipulated personal information to obtain refund payments before the legitimate taxpayer files.

How do threat actors obtain the information needed to commit tax fraud?

Threat actors typically rely on stolen identity data, often referred to as “fullz,” which includes a victim’s name, date of birth, address, and Social Security number. This information is sourced from infostealer malware logs, phishing campaigns, data breaches, social engineering, and illicit marketplaces.

In some cases, fraudsters also recruit “clients” who provide real tax documents or assist in verification processes.

How do fraudsters bypass identity verification for tax returns?

Fraudsters use a combination of tactics to bypass identity and return verification, including:

  • Accessing or creating verified identity accounts used for tax authentication
  • Obtaining prior-year tax data such as adjusted gross income (AGI)
  • Using stolen or socially engineered identity protection (IP) PINs
  • Responding to IRS verification requests using scripts, impersonation, or cooperating individuals

These methods allow fraudulent returns to appear legitimate during processing.

What are common tax fraud tactics used by threat actors?

Common tactics include:

  • Filing returns using stolen personal information
  • Inflating income or tax withholding amounts to increase refunds
  • Claiming fraudulent dependents or tax credits
  • Submitting false wage data to government systems before filing
  • Using real tax forms combined with manipulated data

These approaches are often shared and refined within fraud communities.

What is a “fullz” in tax fraud?

A “fullz” refers to a complete set of personally identifiable information (PII) about an individual, typically including name, date of birth, address, and Social Security number. Fullz are used by fraudsters to file tax returns, open accounts, and conduct other identity-based financial crimes.

How do fraudsters cash out fraudulent tax refunds?

After a fraudulent return is accepted, threat actors typically attempt to convert the refund into usable funds through:

  • Direct deposits into controlled or intermediary accounts
  • Accounts opened by recruited participants
  • Digital banking platforms or prepaid cards
  • Cryptocurrency conversion using verified exchange accounts

The goal is to move funds quickly and reduce traceability.

Why is tax refund fraud difficult to detect?

Tax refund fraud can be difficult to detect because it leverages legitimate systems and processes, including real identity data, authentic tax preparation services, and verified accounts. Fraudsters also adapt quickly by sharing new techniques and bypass methods across online communities.

How do fraud communities support tax refund fraud schemes?

Fraud communities, particularly on platforms like Telegram and dark web forums, enable threat actors to share tutorials, tools, and identity data. These communities accelerate the spread of techniques, allowing fraud schemes to scale and evolve rapidly.

What should security and fraud teams monitor to detect tax fraud activity?

Teams should monitor for:

  • Unusual access to identity data or tax-related accounts
  • Indicators of compromised credentials or identity verification systems
  • Discussions of tax fraud methods, tutorials, or cash-out techniques in illicit communities
  • Patterns in fraudulent filings or refund activity

Incorporating intelligence from fraud communities can provide early visibility into emerging tactics.

How does Flashpoint help organizations detect and prevent tax refund fraud?

Flashpoint helps organizations detect and respond to tax fraud by providing intelligence on how threat actors source identity data, bypass verification systems, and cash out fraudulent returns.

Through primary source collection across platforms like Telegram and dark web forums, Flashpoint enables teams to monitor fraud communities, identify emerging tactics, and understand how schemes are evolving. This intelligence helps organizations move from reactive detection to more proactive identification of fraud risk.

Begin your free trial today.

The post Tax Refund Fraud in 2026: How Threat Actors Exploit Identity, Verification, and Cash-Out Channels appeared first on Flashpoint.

Iran-Aligned Militias Signal Expanded Regional Risk Amid US–Israel–Iran Conflict

Blogs

Blog

Iran-Aligned Militias Signal Expanded Regional Risk Amid US–Israel–Iran Conflict

In this post, we examine how Iran-aligned militias and foreign terrorist organizations (FTOs) responded to the current US–Israel–Iran conflict, what their statements suggest about operational intent, and why this points to a wider risk environment for US and Israeli interests across the region.

SHARE THIS:
Default Author Image
March 19, 2026

The current phase of the US–Israel–Iran conflict is generating more than rhetorical support from militant actors aligned with Tehran. Public messaging from groups across Iraq, Lebanon, Yemen, and Gaza indicates a coordinated effort to frame the conflict as a regional, long-term confrontation rather than a contained exchange.

For threat intelligence teams, these statements matter not only because of what they say, but because of what they signal. Across multiple theaters, Iran-aligned groups are using similar language, emphasizing shared objectives, and in some cases pointing to an expanded target set that reaches beyond their traditional operating areas. Taken together, this messaging suggests continued alignment across militant networks and a heightened likelihood of retaliatory or opportunistic activity targeting US and Israeli interests.

Leadership Losses Are Being Used to Reinforce Mobilization

Several militant statements referenced the reported deaths of senior Iranian officials in strikes in Tehran, including Supreme Leader Ali Khamenei, Defense Minister Aziz Nasirzadeh, and IRGC Commander Mohammad Bagheri. These losses were framed not simply as blows against Iran, but as attacks on the broader resistance movement.

That framing is important. By portraying the strikes as an assault on a shared regional project rather than a national leadership event confined to Iran, these groups are reinforcing the rationale for broader mobilization. Statements from actors such as Akram al-Kaabi of Harakat al-Nujaba and Abdul-Malik al-Houthi of Ansarallah reflect that posture, emphasizing retaliation, readiness, and continued support for Iran.

This kind of messaging is consistent with efforts to maintain cohesion across the so-called resistance network during periods of escalation. It also helps set the informational conditions for follow-on activity by justifying future attacks as part of a collective response.

Messaging Points to a Longer Conflict Horizon

Some of the clearest signals in the reporting come from groups that described the conflict as a prolonged struggle rather than a short-lived escalation.

Kata’ib Hizballah called on fighters to prepare for a “long-term war of attrition,” while Kata’ib Sayyid al-Shuhada similarly urged readiness for a “long battle.” These statements go beyond symbolic solidarity. They suggest that at least some actors within Iran’s aligned militant ecosystem are preparing their audiences and personnel for sustained operations over time.

That distinction matters for defenders. A messaging environment centered on endurance, attrition, and regional confrontation raises the likelihood that groups will seek to maintain operational tempo across multiple fronts rather than respond with a single retaliatory action.

Militant Activity May Extend Beyond Traditional Operating Areas

Another notable feature of the reporting is the implied expansion of targeting scope.

Claims and statements referenced possible or actual activity in locations including Jordan, the Red Sea, and Israeli military sites near Haifa. This suggests that militant responses linked to the conflict may not remain confined to the actors’ most established operating environments in Iraq and Syria.

The claim by Rijal al-Bas al-Shadid of a drone strike on Muwaffaq Salti Air Base in Jordan is one example. Hezbollah’s claim of a strike south of Haifa is another. Together, these claims reinforce the broader picture presented in the messaging: a conflict environment in which Iran-aligned groups are attempting to demonstrate reach across multiple geographies and domains.

Even where operational claims remain difficult to verify independently, the messaging itself is still analytically significant. It helps illustrate how these groups want the conflict to be understood — as regional, coordinated, and capable of generating pressure well beyond a single front.

Responses Across the Network Reflect Coordinated Alignment

The organizational responses themselves show a high degree of consistency in tone and framing.

Hezbollah, Hamas, and the Houthis

Hezbollah claimed a strike on the Mishmar HaCarmel missile defense site south of Haifa using missiles and drone swarms, presenting the operation as a legitimate response within the broader confrontation. Although Hezbollah is actively engaged in countering the Israeli ground offensive into Southern Lebanon, the group could still pose a regional threat. Al-Qassam Brigades issued a eulogy for Iranian leadership figures and indicated that their deaths would intensify resistance rather than weaken it. Ansarallah declared full readiness for further military developments and signaled preparedness to target US bases and Israeli interests across the region.

Iraqi Militias and FTOs

Harakat al-Nujaba condemned the strikes and called for military retribution. Kata’ib Hizballah emphasized long-term attritional conflict. Saraya Awliya al-Dam declared maximum readiness and stated that it was prepared to target US military sites inside and outside Iraq. Kata’ib Sayyid al-Shuhada warned that US presence in the Middle East would lose any safe foothold as the conflict develops.

Specialized and Emerging Actors

Rijal al-Bas al-Shadid claimed a retaliatory drone attack in Jordan. Shabab al-Wa’ad al-Sadiq Forces announced its formation as a new entity aligned with Iran and the resistance axis. Ajnad Beit al-Maqdis used its first official statements to announce allegiance to al-Qaeda, tying that move to the current conflict and broader anti-US and anti-Israel narratives.

Taken together, these responses highlight not just ideological alignment, but messaging discipline. Similar themes appear across multiple organizations: retaliation for leadership losses, preparation for sustained conflict, and a shared portrayal of the United States and Israel as part of a unified adversarial front.

What This Means for Threat Intelligence Teams

From an intelligence perspective, the most important takeaway is not any single statement or claim. It is the degree of coordination visible across the messaging environment.

Flashpoint analysts assess that the current US–Israel–Iran conflict is generating aligned signaling among multiple militant organizations across the Middle East. This messaging indicates continued support for potential operations targeting US and Israeli interests and will likely contribute to increased militant activity across Iraq, Lebanon, Gaza, Yemen, and surrounding areas.

For security and intelligence teams, that means monitoring should extend beyond traditional flashpoints and beyond one-for-one retaliation models. The current environment suggests a broader risk picture shaped by networked militant cooperation, narrative synchronization, and the possibility of operations emerging across several theaters at once.

Supporting Security Teams with Threat Intelligence

Understanding how Iran-aligned militant networks communicate, coordinate, and signal intent is critical for anticipating how conflict dynamics may translate into real-world activity.

Flashpoint provides primary source intelligence that helps security teams track emerging threats, identify shifts in adversary behavior, and contextualize risk across regions and domains. From monitoring militant group messaging to analyzing operational indicators, our intelligence enables organizations to move from reactive response to informed, proactive defense.To learn how Flashpoint can support your team with real-time intelligence and analysis, schedule a demo.

Begin your free trial today.

The post Iran-Aligned Militias Signal Expanded Regional Risk Amid US–Israel–Iran Conflict appeared first on Flashpoint.

❌