Google Exposes Phishing Campaigns That Bypass MFA and Hijack Digital Wallets

A maturing Chinese-language Phishing-as-a-Service ecosystem has moved past stealing logins, instead intercepting MFA codes in real time and loading victims' payment cards into attacker-controlled digital wallets.

Published on May 27, 2026
Google Finds Chinese-Language Phishing Kits Shifting From Password Theft to Wallet Takeover

Google has identified a maturing tier of Phishing-as-a-Service (PhaaS) operations in the Chinese-language cyber crime underground that no longer stops at stealing logins, but goes after victims’ funds directly.

Google Threat Intelligence Group (GTIG) analyzed a dozen current PhaaS platforms sold in these communities and found a market that has moved away from static password harvesting: the login is now only a means to the real goal, direct control over the victim’s funds.

GTIG framed this as a distinct ecosystem rather than a regional copy of the dominant Russian-speaking services, and observed that the operators rarely targeted China itself.

How the Money Gets Out

Two techniques worked together. The first was real-time interception: when a victim entered their credentials on a phishing page, the data surfaced instantly on the operator’s live panel.

With those credentials, the operator started a login on the real site from their own device, which made the site send the victim a genuine OTP. The victim typed that code into the phishing page, the panel showed it at once, and the operator submitted it seconds before it expired. MFA completed, but for the attacker.

The second was wallet provisioning. Using the captured credentials and OTP, operators provisioned the victim’s card into a digital wallet on a device they controlled. Once tokenized there, the card could be used for high-value purchases, ATM withdrawals, and contactless payments long after the phishing page was gone, because the wallet token is a standing credential that no longer depends on the phishing session.

Delivery leaned on encrypted channels like RCS and Apple’s iMessage, whose end-to-end encryption (E2EE) made malicious links hard to filter while richer features made lures look legitimate.

One Platform’s Playbook

One service GTIG tracks, YY Lai Yu (YY来鱼), showed how localized these operations have become. 

Active since 2024 and supporting phishing across 119 countries, it focused heavily on Japan, offering more than 400 phishing templates targeting Japanese consumers.

The operators tailored lures to local habits, including fake loyalty-point redemptions and a lure built around Japan’s winter electricity subsidy.

Countries targeted by YY Lai Yu (YY来鱼) phishing. Credit: GTIG.

Other platforms, including Darcula, had adopted AI-powered page generators, cloning legitimate websites on demand and evading signature-based detection by ensuring no two generated phishing pages were identical.

Why MFA and Training Are No Longer Enough

GTIG said the shift has a direct implication for defenders: awareness training and standard MFA no longer close the gap once an attacker is relaying OTPs in real time.

Google’s central recommendation is to move authentication to FIDO2/WebAuthn. A phishing-resistant security key signs the site’s challenge together with the origin of the page the browser is actually showing, so an assertion produced on a phishing page does not verify at the real site. It cannot be relayed through a live panel the way an OTP can, and a stolen password on its own no longer completes a login.
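The difference between the two factors is easiest to see side by side. The following is an added example, not code from Google, GTIG or any of the platforms described: it models the OTP relay from the "How the Money Gets Out" section and the WebAuthn origin check from the paragraph above. The TOTP routine is RFC 6238; the WebAuthn pieces are simplified (authenticatorData is reduced to rpIdHash, flags and signCount, the relying-party checks are the standard ones, the assertion format is not the full CBOR encoding). The domains, the TOTP seed, the challenge string and the function names are constructed for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"crypto/sha256"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
)

// totp is RFC 6238 (HMAC-SHA1, 30-second step, 6 digits): the code the victim reads off their phone.
func totp(secret []byte, unixTime int64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], uint64(unixTime/30))
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	off := h[len(h)-1] & 0x0f
	code := (binary.BigEndian.Uint32(h[off:off+4]) & 0x7fffffff) % 1000000
	return fmt.Sprintf("%06d", code)
}

// demoOTPRelay: the victim types the code into the phishing page at time t, the operator's panel
// shows it instantly, and the operator submits it to the real site five seconds later, inside the
// same 30-second window. The real site can only compare digits; nothing in an OTP records which
// page it was typed into, so it is accepted.
func demoOTPRelay(t int64) bool {
	seed := []byte("constructed-demo-seed") // constructed; a real seed is shared at enrolment
	codeTypedOnPhishingPage := totp(seed, t)
	return hmac.Equal([]byte(totp(seed, t+5)), []byte(codeTypedOnPhishingPage))
}

// Simplified WebAuthn: authenticatorData = SHA-256(rpId) || flags || signCount.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}
type assertion struct{ AuthData, ClientDataJSON, Signature []byte }

// authenticatorSign models the FIDO2 key: the browser hands it the rpId and origin of the page that
// is actually open (a page cannot claim another site's), and the key signs authData || SHA-256(clientDataJSON).
func authenticatorSign(priv *ecdsa.PrivateKey, rpID, origin, challenge string) (assertion, error) {
	cd, err := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	if err != nil {
		return assertion{}, err
	}
	rpHash := sha256.Sum256([]byte(rpID))
	auth := append(rpHash[:], 0x01, 0, 0, 0, 1) // flags: user present; signCount = 1
	cdHash := sha256.Sum256(cd)
	digest := sha256.Sum256(append(append([]byte{}, auth...), cdHash[:]...))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	return assertion{AuthData: auth, ClientDataJSON: cd, Signature: sig}, err
}

// rpVerify is the relying party's side: its own challenge, its own origin and rpId, then the signature.
func rpVerify(pub *ecdsa.PublicKey, origin, rpID, challenge string, a assertion) error {
	var cd clientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" || cd.Challenge != challenge {
		return errors.New("challenge mismatch")
	}
	if cd.Origin != origin {
		return fmt.Errorf("assertion made on %s, not %s", cd.Origin, origin)
	}
	want := sha256.Sum256([]byte(rpID))
	if len(a.AuthData) < 37 || !bytes.Equal(a.AuthData[:32], want[:]) {
		return errors.New("rpIdHash mismatch")
	}
	cdHash := sha256.Sum256(a.ClientDataJSON)
	digest := sha256.Sum256(append(append([]byte{}, a.AuthData...), cdHash[:]...))
	if !ecdsa.VerifyASN1(pub, digest[:], a.Signature) {
		return errors.New("bad signature")
	}
	return nil
}

// demoWebAuthnRelay returns whether the genuine login verifies and the error the relayed one produces.
func demoWebAuthnRelay() (bool, error) {
	const bankOrigin, bankRP = "https://bank.example", "bank.example"
	const phishOrigin, phishRP = "https://bank-example-login.test", "bank-example-login.test" // constructed lure
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false, err
	}
	challenge := "constructed-challenge-0001" // a real RP draws fresh random bytes per ceremony
	genuine, _ := authenticatorSign(priv, bankRP, bankOrigin, challenge)
	ok := rpVerify(&priv.PublicKey, bankOrigin, bankRP, challenge, genuine) == nil
	// Relay: the operator forwards the bank's challenge to the phishing page. The victim touches the
	// key, but the browser binds the signature to the phishing page's origin and rpId.
	relayed, _ := authenticatorSign(priv, phishRP, phishOrigin, challenge)
	return ok, rpVerify(&priv.PublicKey, bankOrigin, bankRP, challenge, relayed)
}

func main() {
	fmt.Println("OTP relay accepted by real site:", demoOTPRelay(1700000000))
	ok, err := demoWebAuthnRelay()
	fmt.Println("genuine WebAuthn login accepted:", ok, "| relayed assertion:", err)
}
```

Run as is: the relayed OTP is accepted, the genuine WebAuthn assertion verifies, and the relayed assertion is rejected at the origin check before the signature is even examined. The point the example makes is that the relay fails on the real site regardless of how fast the operator's panel is, because the browser, not the phishing page, decides which origin and rpId go into the signed data.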

GTIG also advised pairing that with device fingerprinting and risk-based verification by issuing banks during wallet provisioning, closing the monetization path even if a credential leaks.
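One way an issuer can act on that advice, as an added illustration rather than anything GTIG or any bank has published: score each "add card to wallet" request against the cardholder's known devices and country, and against the issuer's own recent provisioning history, where a single wallet device that keeps collecting different cardholders' cards is the footprint an operator running the scheme above leaves behind. The record layout, field names, thresholds and sample data below are all constructed assumptions, not any wallet provider's or bank's API.

```go
package main

import (
	"fmt"
	"time"
)

// ProvisioningRequest is an assumed issuer-side view of one wallet provisioning attempt.
type ProvisioningRequest struct {
	Cardholder   string
	WalletDevice string // device identifier the wallet provider presents to the issuer (assumed)
	IPCountry    string
	At           time.Time
}

// Profile is what the issuer already knows about the cardholder.
type Profile struct {
	HomeCountry  string
	KnownDevices map[string]bool // devices this cardholder has provisioned to before
}

type Decision string

const (
	Approve Decision = "approve"
	StepUp  Decision = "step_up" // hold the token until the issuer verifies the cardholder out of band
	Decline Decision = "decline"
)

// assess scores a request against the profile and the issuer's recent history. Weights and
// thresholds are illustrative assumptions; a shared device alone is enough to decline.
func assess(req ProvisioningRequest, p Profile, history []ProvisioningRequest) (Decision, []string) {
	score := 0
	var why []string
	if !p.KnownDevices[req.WalletDevice] {
		score++
		why = append(why, "wallet device never seen for this cardholder")
	}
	if req.IPCountry != p.HomeCountry {
		score++
		why = append(why, fmt.Sprintf("request from %s, profile country %s", req.IPCountry, p.HomeCountry))
	}
	others := map[string]bool{} // other cardholders whose cards already sit on this device
	recent := 0                 // this cardholder's attempts in the preceding 24h
	for _, h := range history {
		if h.WalletDevice == req.WalletDevice && h.Cardholder != req.Cardholder {
			others[h.Cardholder] = true
		}
		if d := req.At.Sub(h.At); h.Cardholder == req.Cardholder && d >= 0 && d < 24*time.Hour {
			recent++
		}
	}
	if len(others) >= 2 {
		score += 3
		why = append(why, fmt.Sprintf("device already holds cards of %d other cardholders", len(others)))
	}
	if recent >= 2 {
		score++
		why = append(why, fmt.Sprintf("%d provisioning attempts in the last 24h", recent))
	}
	switch {
	case score >= 3:
		return Decline, why
	case score >= 1:
		return StepUp, why
	}
	return Approve, why
}

// sampleHistory is constructed data: one wallet device that has already pulled in three cardholders' cards.
func sampleHistory() []ProvisioningRequest {
	t0 := time.Date(2026, 5, 20, 9, 0, 0, 0, time.UTC)
	return []ProvisioningRequest{
		{"alice", "wallet-dev-7f3a", "US", t0},
		{"bob", "wallet-dev-7f3a", "US", t0.Add(40 * time.Minute)},
		{"carol", "wallet-dev-7f3a", "US", t0.Add(2 * time.Hour)},
	}
}

func main() {
	hist := sampleHistory()
	at := time.Date(2026, 5, 20, 12, 0, 0, 0, time.UTC)
	cases := []struct {
		req ProvisioningRequest
		p   Profile
	}{
		// A victim's card being loaded into the operator's wallet device from abroad.
		{ProvisioningRequest{"dave", "wallet-dev-7f3a", "US", at}, Profile{"JP", map[string]bool{}}},
		// A cardholder re-adding a card on a phone they already use.
		{ProvisioningRequest{"erin", "erin-phone", "JP", at}, Profile{"JP", map[string]bool{"erin-phone": true}}},
		// A cardholder with a new phone at home: plausible, but worth a verification step.
		{ProvisioningRequest{"frank", "frank-new-phone", "JP", at}, Profile{"JP", map[string]bool{}}},
	}
	for _, c := range cases {
		d, why := assess(c.req, c.p, hist)
		fmt.Printf("%-6s -> %-8s %v\n", c.req.Cardholder, d, why)
	}
}
```

The shared-device rule is the one worth keeping even if the others are tuned away: a new device or an unusual country is common for legitimate travellers, but a wallet device that accumulates cards from unrelated cardholders has no benign explanation. Whatever the step-up is, it should run through a channel the phishing page cannot relay, otherwise it reintroduces the OTP problem the article describes.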