EvilToken Phishing Attacks Jump 1,380% in 2026: ‘Organised Crime Operating Like a Tech Startup’

A criminal group called EvilToken has ramped up its AI-enabled phishing attacks by a shocking 1,380% in 2026. “Phishing” is a scam where criminals trick you into handing over passwords or access. They pretend to be someone you trust, like your bank or your boss. EvilToken now runs this scam at huge scale using artificial intelligence. Security researchers say it works “like a tech startup” — slick, organised, and sold by subscription.

The warning comes from a report by security firm Huntress. The findings are scary because the tools are cheap and easy to buy. Anyone with a little money can rent this attack kit. AI makes each attack feel personal and real. That is what makes EvilToken so dangerous to businesses everywhere, including in India.

What is EvilToken and how does it work?

EvilToken is a “phishing-as-a-service” operation, often shortened to PHaaS. This means crime is sold like a product. Just as you might pay monthly for Netflix, a criminal can pay monthly for a ready-made phishing kit. No coding skills needed. You rent the tool and start attacking.

The service is openly advertised on Telegram, a popular chat app. Buyers pick a price tier and get a working attack kit. The kit is built to bypass multi-factor authentication, or MFA. “MFA” is the extra step where an app sends you a code to confirm it is really you. EvilToken is designed to get past this safety check.

The AI is the scary part. It writes a different scam message for each victim. No two lures are the same. In the past, only skilled hackers could craft such custom traps. Now AI does it automatically, at machine speed, for anyone who pays.

Key facts about the EvilToken threat

Detail | Figure
Rise in attacks | 1,380% in 2026 vs the year before
Type of threat | Phishing-as-a-service (PHaaS)
Reported by | Huntress (security firm)
Sold on | Telegram
Subscription price range | $600 to $1,500
Key danger | Bypasses multi-factor authentication (MFA)
AI role | Creates a unique scam message for each victim

Crime sold like software: the subscription model

The price tags show how cheap this is. EvilToken’s subscriptions cost between $600 and $1,500. For that small sum, a criminal gets a powerful, AI-driven attack machine. That is a tiny price compared to the millions a successful scam can steal.

This “startup” approach is what worries experts. The group keeps improving its kit, just like a real software company ships updates. It offers support, tiers, and easy access. Crime has been turned into a clean, repeatable product. The lower the skill needed, the more attackers can join.

AI also speeds up the after-attack steps. Once it captures access, the kit can quickly draft fake emails in the victim’s own writing style. That makes “wire fraud” — tricking a company into sending money to the wrong account — much easier to pull off. This is the dark mirror of the same AI boom driving deals like Animoca’s bet on AI agents and wallets.

FAQ

What does phishing-as-a-service mean?

It means phishing tools are sold like a paid product. A criminal rents a ready-made kit, often by subscription, and uses it to attack. No coding skill is needed. EvilToken sells this on Telegram for $600 to $1,500.

How does EvilToken use AI?

AI writes a unique scam message for each victim, so no two lures look alike. It can also draft fake emails in the victim’s own style after gaining access. This makes the scams far more convincing and harder to spot.

Can EvilToken get past multi-factor authentication?

Yes. The kit is built to bypass multi-factor authentication (MFA), the extra code-based check meant to keep accounts safe. That is why this threat is so serious for businesses.

Why it matters (especially for India and founders)

India runs on digital business. Startups, banks, and small firms all depend on online accounts. A cheap AI attack kit that bypasses MFA is a direct threat to them. One tricked employee can cost a company a fortune. The risk is real and growing fast.

Founders should act now. Train staff to spot scam emails. Use stronger logins like security keys, not just codes. Double-check any request to move money, especially urgent ones. Governments are taking AI risk seriously too, as seen in the White House push to review Meta’s AI models. Defence has to keep pace with these new AI-powered crimes.

The takeaway

EvilToken shows the dark side of the AI boom. Crime now runs like a startup: cheap, slick, and sold by subscription. Attacks jumped 1,380% in 2026, and AI makes each one feel real. For every business, including Indian startups, the lesson is urgent. Train your people, harden your logins, and treat money requests with care. The attackers have upgraded. Your defences must too.
