Phishing kits (and ShinyHunters!)

I wrote this a week before ShinyHunters took down Canvas. Luckily I sent it in for my class before Canvas was down too.

Chapter Eleventeen

Easy money; phishing kits are accessible for the beginner scammer

Overview

Here’s how easy it is to set up a scam. All you need to do is gain access to a Discord or Signal group chat, where other scammers share their tactics and gain from their scams. Just like a legal gig company like Uber or Fiverr, people are vying for ways to make their scams easier to achieve and make money faster.

Phishing kits are the solution that removes the barrier to entry for an attacker. They no longer need to crack passwords or even create websites. All they need to do is collect active email addresses and phone numbers, put contacts in a website, and they can start collecting info.

This chapter focuses specifically on voice phishing kits that evade two-factor authentication. These kits work together with websites that are all controlled by scammers in order to steal credentials. ShinyHunters has claimed responsibility for several attacks using voice phishing campaigns, including an attack against Betterment. Betterment is an investing and banking app with at least 1.4 million customers, all of whom had personal information leaked due to this incident.

Timeline

On January 9th, 2026, an employee received a phone call from ‘Betterment IT’. The employee likely saw the caller ID and assumed good faith from the call. Falsified caller IDs are becoming more common to circumvent current cybersecurity protections.

The employee talked on the phone with who they thought was the IT department. During this call, the IT department asked for a one-time passcode, which the employee gave. From this call, the threat actor was now logged in to Betterment’s systems.

ShinyHunters claims credit for this attack, and the phishing kit that was used during this attack is linked to their organization. It’s possible that the scammer wasn’t linked to ShinyHunters and instead just used one of their phishing kits, but ShinyHunters did post about the attack on their data leak site as well.

From this registered device, the threat actor collected contacts from Betterment’s systems. Five hours later, the threat actor had 1.4 million contacts. These included names and email addresses of Betterment customers, but a small percentage of contacts had more information stolen.

During the attack, the threat actor sent a message to half of these customers while pretending to be Betterment. For reference, this happened about two hours after the initial social engineering compromise. Twenty minutes after this mass email campaign, Betterment declared an incident and suspended the user account.

Three days later, on January 12th, Betterment emailed all customers about the incident. The attacks didn’t stop there, however.

A criminal group, likely ShinyHunters (the incident report doesn’t clarify), demanded a crypto payment. Afterwards, Betterment received DDoS attacks. Betterment mitigated the DDoS attacks.

Finally, on January 23rd, ShinyHunters posted the data on a leak site. This data was later removed.

Phishing kits

What do these phishing kits look like for the scammer? The answer is: pretty boring.

[Screenshot: BlueKit-1]

This is a phishing kit called BlueKit, discovered by Varonis Threat Labs and documented on April 29th, 2026. This isn’t the exact phishing kit that ShinyHunters used for this attack as it doesn’t have calling capabilities, but it’s an example of just one of many phishing kits flooding the market. BlueKit makes it easy to phish people. It sets up fake sites, sends emails and SMS messages, and even has an AI assistant to help generate scam texts. It all looks like a regular email campaign kit, which is interesting as well. The norms around security somewhat portray hacking with cool green text on a terminal, but this is what the scammers are doing behind the scenes.

Motives

The motive for these scammers, on the surface, seems simple. It’s all about money, and about making money quickly. Before, scamming took time and effort. Sending mass emails and texts is tricky since so many non-malicious email marketing tools ban anything that could scam people. AI assistants, as well, will have safeguards to attempt to avoid misuse of the tools.

These phishing kits solve all of that. They automate so many aspects of the scamming experience. From generating text to sending emails, so much is simplified. All a scammer needs to do is collect contact information, which is exactly what occurred in the Betterment incident. The incident report reveals that the scammer didn’t escalate within the system to gain more privilege. There are a few possible explanations for this. One is that the scammer focused on just collecting customers’ information, so they could add this list to their phishing kit later. Another explanation is that this scammer doesn’t have the technical ability to escalate privileges in a computer system. A hacker (as opposed to a scammer) needs to have the ability to escalate privileges in a system in order to create the most damage against the system.

However, this is no longer necessary for a scammer to have. What skills does a scammer need in order to use a phishing kit? As displayed in the screenshot above, Bluekit uses a subscription-based model and provides jailbroken AI assistants, in case a scammer needs help figuring out how to manipulate employees into giving their information. Even if the payout isn’t a lot, the amount of effort it takes to complete a scam like what occurred with Betterment is minimal.

Analysis

There is an entire economy within these phishing kits. If a phishing kit can be run on a subscription model, what does that say about the lifespan of these kits? If we’re assuming a monthly subscription model from the screenshot of Bluekit, this indicates that they anticipate that scammers will use Bluekit for several months. Maybe it’s even a yearly subscription model. Bluekit is just another example of a phishing kit as well. Do other phishing kits have lower prices? We can imagine a cybercriminal looking at several of these phishing kits as one might compare prices of a streaming service.

Burnout used to be a common deterrent against cybercrime, according to Ben Collier (Collier et al., n.d.). In previous years, scammers would be enticed by ‘get-rich schemes’ and quickly lose interest as the work became monotonous. With an AI assistant to automate the boring part of the job, this is no longer an issue.

Betterment remediated the situation, but there are a million of their customers who will start getting phone calls. All from phishing kits like Bluekit.

Current proposals and solutions

Current attempts to curb phishing scams mostly consist of phishing training for organizations. Phishing training usually teaches people to avoid emails with misspelled words and inaccurate details within the email or text message. However, in the case of Betterment, they faked the caller ID. Employees are told to avoid putting their credentials in malicious sites, and to not give away two-factor codes, but most assume the IT department is trying to help. The IT department in many organizations will often need these credentials anyway.

Betterment did release a full report of the incident, with timestamps and explanations. They also worked with law enforcement and sent out emails to all customers. However, they were not required to do more for the customers whose information was leaked. In this case, where the customers are a casualty of this incident, they don’t have protection if they are also scammed as a result of the incident.

It is unknown what happened to the employee who initially compromised the systems. In many cases, the norm is to fire the employee who caused a breach of this scale. However, this doesn’t solve the problem of these phishing kits. Even if this prevents the employee from impacting the company, a different employee might fall for a different phishing scam.

Solutions

The question that might emerge from reading these reports is: who is making these phishing kits? Unfortunately, this is also fairly easy to do. With the advent of vibe coding, anyone can make a phishing kit easily, even with a professional-looking UX design and an automatic subscription mechanism.

Considering that most scammers are involved in this new era because it’s easy and convenient, why not make it more difficult for them to do so? How can this be done?

One thought is stricter punishment for cybercriminals. Many of the members of ShinyHunters are young men who are looking for ways to make money fast without much effort. If the punishment is greater than the reward, this would reduce the number of people who are trying to complete phishing scams.

Additionally, stricter web-hosting policies can be put in place. Many phishing sites are hosted on cloud storage options. If Google, for example, was held responsible for a phishing scam where credentials were collected by a site they hosted, then they would be incentivized to prevent more of these phishing scams.

A hypothetical policy would punish cloud hosting services by requiring that they compensate individuals if someone falls victim to a phishing scam. Cloud hosting is one of the biggest industries in the tech space, and hosting providers have the best shot at using their power and resources in order to prevent scams.

Cloud hosting services could meet this policy with more rigorous checks of sites, and make sure the contents therein are not a prebuilt phishing site. This would discourage scammers, as it would become more difficult to host sites. Scammers would turn to other ways to make money, and the reputation of various cloud hosting services would improve if they promised security from the sites they host.

References and appendixes

https://www.varonis.com/blog/bluekit - Bluekit report

https://www.okta.com/blog/threat-intelligence/phishing-kits-adapt-to-the-script-of-callers/ - Vishing kits

https://www.betterment.com/resources/security-incident-report-january-2026 - Betterment incident report

https://cyberscoop.com/shinyhunters-voice-phishing-sso-okta-mfa-bypass-data-theft/ - Initial incident news article

Collier, B., Clayton, R., Hutchings, A., & Thomas, D. R. (n.d.). Cybercrime is (often) boring: Maintaining the infrastructure of cybercrime economies.

This paper was human-generated, with no LLM generated text.