HelpnetSecurity

Chinese phishing gangs grow into a force to be reckoned with


Chinese-language phishing-as-a-service (PhaaS) communities are expanding in an area historically dominated by Russian-speaking cybercriminal groups.

The Google Threat Intelligence Group (GTIG) analyzed a dozen active PhaaS offerings operating in Chinese-language underground communities and found mature services, with several likely linked to broader criminal activity in the region.

Nearly all legitimate organizations mimicked by these phishing services were non-Chinese entities, suggesting that activity rarely targets China itself.

Researchers noted that Telegram serves as a common channel for promoting phishing services, a pattern consistent with activity in the broader Chinese-language cybercrime ecosystem.

GTIG identified a “fundamental move” from static password harvesting toward real-time interception and tokenization.

Attackers use live administration panels that allow them to interact with victims during phishing activity. These systems can capture one-time passcodes as users enter them, creating a path around MFA protections.

“Instead of simply gaining account access, these operations focus on exploiting digital wallet provisioning to transform stolen payment data into tokenized assets within ecosystems,” Google wrote.

“This shift, combined with the use of encrypted delivery channels like RCS and iMessage to bypass traditional carrier security filters on SMS messages, represents an emerging development where the goal is securing direct, unauthorized control over a victim’s financial accounts.”

AI is becoming a big part of phishing activity

Multiple Chinese-language PhaaS operators adopted AI tools to increase scale and reduce reliance on static phishing infrastructure.

Darcula, a PhaaS platform linked to UNC5814, shows how AI is becoming part of phishing services. The platform replaced static templates with AI-powered page generators and browser automation tools such as Puppeteer.

“This enables users to clone legitimate websites by replicating their HTML, CSS, JavaScript, and visual elements using a target website URL. As each phishing page is unique and does not rely on static templates, signature-based detection methods become increasingly ineffective.”

Phishing operators tap into daily consumer habits

YY Lai Yu, a phishing-as-a-service platform first advertised in 2024, offers a look at how localized these phishing operations have become.

The service supports phishing in 119 countries and has focused heavily on Japan. Since late 2025, the platform has offered more than 400 phishing templates covering Japanese brands and services.

A graph of countries targeted by YY Lai Yu (Source: Google)

The campaigns extended beyond banking lures and moved into everyday consumer activity, using themes tied to loyalty points, rewards programs, and electricity subsidy offers. The platform also deployed domains imitating local transit services, payment apps, e-commerce platforms, and gaming brands.

“To protect this highly localized infrastructure, the phishing sites featured a unique human verification anti-bot screen that appeared prior to the actual phishing page. By requiring a manual click to proceed, this mechanism successfully hindered automated analysis by security vendors, adding a layer of stealth to the localized campaign,” researchers noted.

GTIG also observed phishing services deploying automated infrastructure targeting users in the Americas, Europe, Australia, and the Middle East.

“The multitude of sophisticated PhaaS platforms available for purchase and the threat actors’ focus on the exploitation of digital wallet tokenization and MFA bypass demonstrates that the China-based criminal ecosystem continues to evolve, enabling threat actors with limited technical skills to conduct phishing operations,” Google concluded.
