17,500 Phishing Domains Mimic 316 Global Brands
Cybersecurity researchers at Netcraft have uncovered two sophisticated phishing campaigns linked to the Lucid and Lighthouse Phishing-as-a-Service (PhaaS) platforms, revealing a massive operation that has deployed over 17,500 phishing domains targeting 316 brands across 74 countries.
This discovery highlights the growing threat of commercialized cybercrime infrastructure that enables low-skilled attackers to conduct sophisticated phishing operations at unprecedented scale.
The emergence of Phishing-as-a-Service platforms represents a significant shift in the cybercrime landscape, making sophisticated attacks accessible to criminals without extensive technical expertise.
These platforms operate on a subscription model, charging monthly fees for comprehensive phishing software packages that include pre-installed templates impersonating hundreds of legitimate brands worldwide.
Since Netcraft began tracking the popular Darcula PhaaS platform in 2023, the cybersecurity firm has observed a dramatic increase in similar services utilizing modern technologies and offering user-friendly interfaces.

The scale of this threat became particularly evident in June 2025, when PhaaS detections reached their highest levels to date, with 13.5% of all phishing hostnames detected by Netcraft being powered by tracked PhaaS platforms.
Lucid PhaaS: Advanced Evasion
The Lucid Phishing-as-a-Service platform, matching fingerprints previously identified by PRODAFT, demonstrates remarkable sophistication in both its targeting capabilities and evasion techniques.
The platform enables cybercriminals to launch phishing campaigns against diverse industries, including toll companies, government agencies, postal services, and financial institutions.
Each Lucid phishing template receives a unique identifier, such as the “kuda295” theme used to impersonate the finance company Kuda.
The platform’s anti-monitoring capabilities are particularly advanced, requiring specific conditions to display malicious content: visitors must access predetermined paths, originate from specific proxy countries, and use mobile user agents.
When these criteria aren’t met, visitors see generic fake shops selling shoes or women’s clothing instead of the actual phishing page.
Netcraft’s analysis reveals that Lucid has been used to create phishing URLs targeting 164 brands from 63 different countries, demonstrating the platform’s global reach and adaptability to various regional markets and languages.

The Lighthouse Phishing-as-a-Service kit, developed by an individual known as WangDuoYu, represents the premium tier of cybercrime infrastructure.
With subscription prices ranging from $88 weekly to $1,588 annually, Lighthouse offers frequent updates and specialized capabilities for stealing two-factor authentication credentials through customizable phishing templates.
Researchers linked a heavily obfuscated phishing campaign to Lighthouse through several key indicators, including identical templates shown in the platform’s sales materials and deployment on WangDuoYu’s demonstration domain.

The campaign has targeted 204 brands across 50 countries, utilizing the same anti-monitoring techniques as Lucid, including the distinctive “LOAFING OUT LOUD” fake shop template.
Connected Criminal Infrastructure
The investigation revealed intriguing connections between different PhaaS operations. Both Lucid and Lighthouse utilize nearly identical anti-monitoring pages, suggesting either shared development resources or deliberate collaboration between criminal groups.
Additionally, researchers discovered links to the previously documented Haozi group through shared Telegram administration and overlapping infrastructure.
These connections highlight the interconnected nature of modern cybercrime ecosystems, where different criminal organizations share resources, techniques, and infrastructure to maximize their operational effectiveness while minimizing individual risk.
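The gating described for Lucid and the decoy pages shared with Lighthouse both give defenders something to measure: fetch a host under several client profiles, then compare what comes back. The following is an added example, not Netcraft's tooling or code from the original article; it flags hosts whose content changes with path, exit country or user-agent class and groups hosts that serve the same decoy. The hostnames, markup and the rule that the most common response is the default page are assumptions made for illustration.

```python
import hashlib
import re
from collections import defaultdict

# Constructed crawl observations: (host, path, exit_country, ua_class, html).
# Hosts, paths and markup are made up for illustration.
DECOY = "<html><title>Shoe Outlet</title><div id='s1'>Sneakers $39</div></html>"
OBSERVATIONS = [
    ("pay-toll.example", "/", "US", "desktop", DECOY),
    ("pay-toll.example", "/", "US", "mobile", DECOY),
    ("pay-toll.example", "/pay", "DE", "mobile", DECOY),
    ("pay-toll.example", "/pay", "US", "desktop", DECOY),
    ("pay-toll.example", "/pay", "US", "mobile", "<html><title>Toll payment</title><form>card</form></html>"),
    ("parcel-help.example", "/", "GB", "desktop", DECOY.replace("s1", "s2")),
    ("plain-shop.example", "/", "US", "desktop", "<html><title>Books</title></html>"),
    ("plain-shop.example", "/", "US", "mobile", "<html><title>Books</title></html>"),
]

def fingerprint(html):
    """Hash the page with attribute values and digits blanked, so per-host ids don't split clusters."""
    skeleton = re.sub(r"=\s*(['\"]).*?\1", "=", html)
    skeleton = re.sub(r"\d+", "0", skeleton)
    return hashlib.sha256(skeleton.encode()).hexdigest()[:12]

def analyse(observations):
    """Return (cloaked hosts with the profiles that unlocked other content, shared decoy clusters)."""
    by_host = defaultdict(list)
    for host, path, country, ua, html in observations:
        by_host[host].append(((path, country, ua), fingerprint(html)))
    cloaked, clusters = {}, defaultdict(set)
    for host, seen in by_host.items():
        counts = defaultdict(int)
        for _, fp in seen:
            counts[fp] += 1
        baseline = max(counts, key=counts.get)  # assumption: most common response is the default page
        clusters[baseline].add(host)
        gated = [profile for profile, fp in seen if fp != baseline]
        if gated:
            cloaked[host] = gated
    shared = {fp: hosts for fp, hosts in clusters.items() if len(hosts) > 1}
    return cloaked, shared

if __name__ == "__main__":
    cloaked, shared = analyse(OBSERVATIONS)
    print("cloaked:", cloaked)
    print("shared decoy clusters:", shared)
```

A host observed only once cannot be judged cloaked, but its decoy fingerprint still links it to hosts that were.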
In response to these threats, Netcraft has deployed targeted automation specifically designed to enhance detection of Lucid PhaaS URLs.
This proactive approach involves correlating campaigns, identifying common infrastructure patterns, and implementing rapid disruption mechanisms to reduce the impact of these sophisticated operations.
The cybersecurity community’s ability to track and disrupt PhaaS operations remains crucial as these platforms continue evolving in sophistication and scale.
The Lucid and Lighthouse campaigns demonstrate how quickly these services can grow and adapt, making traditional reactive security measures insufficient against modern phishing threats.
As Phishing-as-a-Service platforms become increasingly sophisticated and accessible to low-skilled criminals, the cybersecurity industry must maintain vigilant monitoring and develop innovative countermeasures.
The scale of operations revealed in this investigation—17,500 domains targeting over 300 brands across 74 countries—underscores the urgent need for proactive intelligence gathering and rapid response capabilities to protect users and organizations worldwide from these evolving threats.