A recent surge in phishing-as-a-service (PhaaS) activity has been linked to over 17,500 phishing domains targeting 316 brands across 74 countries. The platforms behind this activity, known as Lighthouse and Lucid, are making large-scale phishing campaigns more accessible to cybercriminals.
Netcraft reported that “PhaaS deployments have risen significantly recently. Operators charge monthly fees for phishing software with pre-installed templates impersonating hundreds of brands worldwide.”
Lucid was first documented by Swiss cybersecurity firm PRODAFT in April 2025. The phishing kit can send smishing messages via Apple iMessage and RCS on Android. The platform is believed to be operated by the Chinese-speaking XinXin group (also called changqixinyun), which has also used other kits like Lighthouse and Darcula. Darcula was created by a threat actor named LARVA-246 (aka X667788X0), while Lighthouse’s development is linked to LARVA-241 (aka Lao Wang or Wang Duo Yu).
Lucid allows its users to launch large-scale phishing campaigns across industries, including government, postal services, toll companies, and financial institutions. Campaigns can restrict access to phishing URLs using criteria such as mobile User-Agent, proxy country, or attacker-defined paths. Non-target users visiting the URL are served a generic fake storefront instead.
Netcraft noted that Lucid-hosted phishing URLs have targeted 164 brands in 63 countries, while Lighthouse campaigns have affected 204 brands in 50 countries. Both platforms offer template customization and real-time monitoring, with Lighthouse supporting phishing templates for over 200 platforms globally. Lighthouse subscriptions range from $88 per week to $1,588 per year.
PRODAFT explained that although Lighthouse operates independently of XinXin, its infrastructure and targeting overlap with Lucid, highlighting collaboration and rapid innovation in the PhaaS ecosystem. Past Lighthouse campaigns have impersonated the Albanian postal service, Posta Shqiptare, when visited by intended targets while presenting a generic fake site to everyone else, which hints at potential coordination between Lucid and Lighthouse.
Netcraft researcher Harry Everett said, “Lucid and Lighthouse demonstrate how fast these platforms can evolve and how challenging it can be to disrupt them.”
The report also shows that phishing attacks are moving away from messaging platforms like Telegram and returning to email, with a 25% increase in attacks observed over a month. Cybercriminals are also using services like EmailJS to harvest login credentials and two-factor authentication codes, which removes the need to run their own infrastructure.
Security researcher Penn Mackintosh noted, “The federated nature of email makes takedowns harder, as each address or SMTP relay must be reported individually. Creating a throwaway email address is also quick, anonymous, and free.”
Additionally, attackers are increasingly using homoglyph attacks, substituting characters like the Japanese Hiragana “ん” to mimic legitimate domains. Over 600 such fake domains have been observed targeting cryptocurrency users, tricking them into installing malicious wallet apps for Phantom, Rabby, OKX, Coinbase, MetaMask, Exodus, PancakeSwap, Bitget, and Trust. These apps are designed to steal seed phrases and system data, giving attackers control over wallets.
Netcraft explained, “The small character swap in the domain makes phishing sites look legitimate, which is the goal for stealing logins, personal information, or distributing malware.”
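One way a defender can screen for the homoglyph pattern described above is to flag hostname labels that mix Latin letters with another script. The following is an added example, not code from Netcraft or the article; the hostnames are constructed, and deriving a character's script from the first word of its Unicode name is an approximation assumed here for brevity.

```python
import unicodedata

def script_of(ch):
    """Approximate a character's script from the first word of its Unicode name."""
    if ch.isascii():
        # ASCII letters are Latin; digits, hyphen, underscore carry no script.
        return "LATIN" if ch.isalpha() else "COMMON"
    try:
        return unicodedata.name(ch).split()[0]  # e.g. "HIRAGANA", "CYRILLIC"
    except ValueError:
        return "UNKNOWN"  # unnamed code point

def decode_label(label):
    """Return the Unicode form of a DNS label, decoding xn-- punycode if present."""
    if label.lower().startswith("xn--"):
        try:
            return label[4:].encode("ascii").decode("punycode")
        except UnicodeError:
            return label  # malformed A-label: inspect it as-is
    return label

def mixed_script_labels(hostname):
    """Return [(label, scripts)] for labels that mix Latin with another script."""
    findings = []
    for raw in hostname.rstrip(".").split("."):
        label = decode_label(raw)
        scripts = {script_of(c) for c in label} - {"COMMON"}
        # A label written wholly in one script (for example a Japanese IDN)
        # is not flagged; only Latin text with foreign characters mixed in.
        if "LATIN" in scripts and len(scripts) > 1:
            findings.append((label, sorted(scripts)))
    return findings

if __name__ == "__main__":
    # Constructed sample hostnames, not indicators from the report.
    samples = [
        "exampleんlogin.example",   # Hiragana "ん" inside a Latin label
        "www.example.com",          # plain ASCII
        "にほん.example",            # single-script Japanese label
    ]
    for host in samples:
        print(host, "->", mixed_script_labels(host) or "ok")
```

The same function works on the punycode (`xn--`) form of a hostname, which is how these domains usually appear in DNS logs and certificate transparency feeds.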
Recent scams have also impersonated major US brands such as Delta Airlines, AMC Theatres, Universal Studios, and Epic Records. These scams promise earnings for completing tasks, like acting as flight booking agents, but victims are required to deposit at least $100 in cryptocurrency, generating illicit profits for attackers.
Netcraft researcher Rob Duncan commented, “These task scams show how attackers are using API-driven brand-impersonation templates to scale financially motivated fraud across multiple industries.”


