- Huntress report says the “EvilTokens” PhaaS increased phishing attacks by 1,380% in early 2026 compared to last year
- AI integration enables per-victim personalization at scale, and the service can bypass MFA, with subscription tiers from $600 to $1,500
- Service openly sold on Telegram, showing how PhaaS now operates as a startup with powerful and affordable attack capabilities.
Cybercriminals offering phishing as a service (PhaaS) increasingly operate like a tech startup, and a good one at that. They are also using Artificial Intelligence (AI), which has helped them scale significantly. This is according to a new report from cybersecurity researchers Huntress, called “EvilTokens and the Rise of AI-Powered Phishing.”
In the report, Huntress claims that this particular PhaaS operation, called EvilTokens, was used to execute 1,380% more phishing attacks in early 2026 compared to the same period last year.
“We are seeing a clear maturation of the phishing-as-a-service (PhaaS) market as threat actors increasingly integrate AI workflows into their product offerings,” the report reads. “The result can be seen directly in our telemetry: a 1,380% increase in device code phishing attacks detected between July-December 2025 and January-April 2026, with more than 50% of those incidents linked to two major waves of correlated incidents.”
A cheap service
“Furthermore, in hundreds of incidents associated with EvilTokens, no two phishing lures were identical. This level of per-victim customization was previously limited to manually designed and targeted campaigns. Now, any threat actor can achieve this at scale at the price of a subscription service.”
AI is therefore used not only to scale the operation but also to personalize lures at an unprecedented level. At the same time, the service is relatively cheap to use: it is sold on Telegram for just $600.
If this seems like a lot, keep in mind that a single successful phishing attack is enough to steal data worth hundreds of thousands on the black market, or even millions in ransom negotiations.
The EvilTokens service is also tiered. The cheapest package costs $600, while the two more expensive ones cost $1,000 and $1,500, respectively. For criminals, it is probably worth the investment, as this PhaaS is also capable of bypassing multi-factor authentication.





