- The Huntress report highlights that “EvilTokens” PhaaS increased phishing attacks by 1,380% in early 2026 compared to last year.
- AI integration enables per-victim personalization at scale, bypassing MFA, with subscription levels ranging from $600 to $1,500.
- Service sold openly on Telegram, showing how PhaaS now operates as a startup with cheap, powerful attack capabilities.
Cybercriminals offering phishing as a service (PhaaS) are increasingly operating like a tech startup, and a good one at that. They also use artificial intelligence (AI), which has helped them scale significantly. That’s according to a new report from cybersecurity researchers Huntress, titled “EvilTokens and the Rise of AI-Powered Phishing.”
In the report, Huntress claims that this particular PhaaS operation, called EvilTokens, was used to launch 1,380% more phishing attacks in early 2026 compared to the same period last year.
“We are seeing a clear maturation of the phishing-as-a-service (PhaaS) market as threat actors increasingly integrate AI workflows into their product offerings,” the report said. “The result is directly observable in our telemetry: a 1,380% increase in device code phishing attacks detected between July-December 2025 and January-April 2026, with more than 50% of these incidents linked to two major waves of correlated incidents.
A cheap service
“Additionally, across hundreds of incidents associated with EvilTokens, no two phishing lures are the same. This level of per-victim personalization was previously limited to targeted, hand-crafted campaigns. It is now achievable at scale by any threat actor, at the cost of a subscription service.”
So, AI is not only used to scale the operation, but it is also used for personalization at an unprecedented level. At the same time, the service is relatively cheap to use: it is sold on Telegram for only $600.
If that seems like a lot, keep in mind that a single successful phishing attack is enough to steal data worth hundreds of thousands of dollars on the black market, or even millions in ransom negotiations.
EvilTokens’ service is also tiered. The cheapest plan costs $600, while two more expensive plans cost $1,000 and $1,500, respectively. For criminals, the investment is probably worth it, since this PhaaS is also capable of bypassing multi-factor authentication.





