Inside the cybercrime economy: How Phishing-as-a-Service became a billion-dollar black market

Explore the booming cybercrime-as-a-service market through the rise of PhaaS vendors like verb0. Understand the business behind modern phishing attacks.


What Is Driving the Rise of Phishing-as-a-Service in 2025?

In 2025, the cybercrime economy is no longer dominated by lone hackers or elite collectives. Instead, it operates like a decentralized, service-driven ecosystem, powered by a new breed of vendors who sell turnkey attack tools to anyone willing to pay. One of the fastest-growing segments within this underground marketplace is Phishing-as-a-Service (PhaaS), a model that has transformed phishing from a technical art into a scalable, subscription-based business.

At the center of this evolution is a new class of operators—like the vendor known as verb0—who offer everything from real-time reverse proxy phishing kits to fully hosted credential harvesting platforms. These platforms don’t just provide the tools for phishing; they also include full customer service, service-level guarantees, and dashboards that track the success rates of phishing campaigns. What was once a fringe market catering to low-level scammers has now grown into a billion-dollar cybercrime economy, with implications that extend to enterprises, regulators, and cybersecurity vendors alike.

How Does PhaaS Work as a Business Model?

Phishing-as-a-Service mimics the economics of mainstream Software-as-a-Service (SaaS) platforms. At its core, PhaaS vendors like verb0 operate on a multi-tier subscription model. Basic packages often include ready-made templates mimicking Microsoft 365, Outlook, or login pages, while premium tiers unlock features like real-time MFA bypass, session token replay, and dedicated customer support.

Rather than coding phishing kits from scratch or renting bulletproof hosting individually, threat actors can simply pay a monthly fee—ranging from $150 to $1,200, depending on the sophistication of the kit—and receive access to a control panel that lets them launch campaigns in minutes. Additional upsells include add-ons for domain obfuscation, IP rotation, or even automated delivery via email and SMS.


PhaaS vendors also monetize through affiliate programs, where experienced attackers resell services and earn referral fees. Others charge per-use access tokens or limit the number of active sessions to simulate exclusivity. This market segmentation mirrors that of cloud providers or CRM tools in the legitimate economy and has allowed vendors to scale operations rapidly while maintaining profit margins.

Who Is verb0, and Why Is the Vendor Gaining Attention?

Among PhaaS operators, verb0 has emerged as one of the most technically advanced and commercially savvy vendors. Operating since at least mid-2022, verb0 offers a reverse-proxy-based phishing platform tailored for high-value enterprise targets. Unlike static kits that simply clone login pages, verb0’s infrastructure allows real-time credential interception, including second-factor authentication tokens—making it one of the few vendors capable of bypassing hardened security environments like Citrix, Okta, and Microsoft Azure AD.


The platform supports custom domain binding, real-time session monitoring, and a stealth mode designed to avoid cloud-based detection engines. According to leaked communications analyzed in the June 2025 KELA report on Black Basta, verb0’s infrastructure was actively used in corporate breach campaigns last year, including those targeting , industrial manufacturers, and healthcare networks.

What sets verb0 apart is the professionalization of its offerings. Customers are onboarded through encrypted channels, provided with video tutorials and campaign support, and even granted access to usage analytics dashboards. Payment is accepted in cryptocurrency—typically Monero (XMR) or Bitcoin (BTC)—through decentralized mixing services that obscure traceability.

Why Is PhaaS So Profitable—and Scalable?

The profitability of PhaaS stems from its cost-to-impact ratio. For under $1,000, even inexperienced actors can obtain enterprise-grade phishing infrastructure that, if successful, could yield access to systems worth millions in extortable data. There is little upfront capital risk, and vendors bear the maintenance burden—ensuring high uptime, load balancing, and evasion module updates.

PhaaS platforms like verb0 are also easily replicable, enabling competitors to fork the underlying codebase and launch clone services with slight feature variations. This has led to an explosion of vendor diversity on cybercrime forums and Telegram markets, with operators differentiating on delivery methods, stealth capabilities, or niche targeting (e.g., B2B software, SaaS logins, financial apps).

From a market economics perspective, PhaaS behaves like a perfectly competitive market—except it operates in the shadows. Entry barriers are low, demand is rising, and prices are dynamic, fluctuating based on detection rates, law enforcement pressure, and real-time threat intelligence.

What Are the Implications for Enterprise Security Spend?

As phishing becomes more commodified and professionalized, enterprise security teams are under pressure to shift spending away from reactive technologies and toward proactive threat intelligence, identity protection, and behavioral analytics. Traditional email gateways and static blacklists no longer stop advanced PhaaS campaigns, particularly those leveraging reverse proxy infrastructure or session hijacking tactics.


Security firms are also beginning to track PhaaS vendors as persistent adversarial threats, similar to ransomware gangs. Several threat intel platforms now maintain internal watchlists of known PhaaS operators and attempt to predict campaign timing based on underground chatter or sales surges.

CISOs are increasingly redirecting resources toward dark web monitoring, credential stuffing defenses, and conditional access policies. Some have adopted deception technology—such as fake login environments—to trap PhaaS kits before they harvest real credentials. However, the general consensus is that defenders are playing catch-up, as PhaaS platforms continue to innovate faster than mainstream security controls can adapt.
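The session-hijacking tactic described above leaves a trace that behavioral analytics can look for: a reverse-proxy kit authenticates from the proxy's address, and the stolen session token is then presented from wherever the attacker's browser sits. The following Python is an added example written for this article, not code from the article, from verb0 or from any security vendor; it runs a simple session-binding check over constructed log lines in a generic IdP-style JSON format. The field names (`ts`, `event`, `session`, `ip`, `ua`), the 15-minute replay window and the sample addresses are assumptions chosen for the demonstration.

```python
"""Flag session tokens presented from a different network location than the
one they were issued to, a trace left behind by reverse-proxy (AitM) phishing."""
from __future__ import annotations

import json
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample lines in a generic IdP-style JSON format (not real vendor
# logs). Each session has one sign_in followed by resource_access events that
# carry the same session token.
SAMPLE_LOG = """
{"ts": "2025-06-02T09:00:00Z", "event": "sign_in", "user": "alice", "session": "s1", "ip": "203.0.113.10", "ua": "Chrome/124 Windows"}
{"ts": "2025-06-02T09:01:30Z", "event": "resource_access", "user": "alice", "session": "s1", "ip": "203.0.113.10", "ua": "Chrome/124 Windows"}
{"ts": "2025-06-02T09:00:10Z", "event": "sign_in", "user": "bob", "session": "s2", "ip": "198.51.100.7", "ua": "Chrome/124 Windows"}
{"ts": "2025-06-02T09:04:00Z", "event": "resource_access", "user": "bob", "session": "s2", "ip": "192.0.2.44", "ua": "Firefox/126 Linux"}
{"ts": "2025-06-02T09:05:00Z", "event": "sign_in", "user": "carol", "session": "s3", "ip": "198.51.100.20", "ua": "Safari/17 iPhone"}
{"ts": "2025-06-02T13:30:00Z", "event": "resource_access", "user": "carol", "session": "s3", "ip": "198.51.100.99", "ua": "Safari/17 iPhone"}
"""

# Assumed tuning value: a token used from a new IP this soon after issuance is
# unlikely to be a user who simply changed networks.
REPLAY_WINDOW = timedelta(minutes=15)


@dataclass(frozen=True)
class Alert:
    user: str
    session: str
    issued_ip: str
    used_ip: str
    reason: str


def parse_log(text: str) -> list[dict]:
    """Parse newline-delimited JSON events and convert timestamps to datetimes."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return events


def find_token_replay(events: list[dict], window: timedelta = REPLAY_WINDOW) -> list[Alert]:
    """Return one alert per session whose token was used from an IP other than
    the sign-in IP, when the user agent also changed or the reuse was fast."""
    by_session: dict[str, list[dict]] = {}
    for ev in events:
        by_session.setdefault(ev["session"], []).append(ev)

    alerts: list[Alert] = []
    for session, evs in by_session.items():
        evs.sort(key=lambda e: e["ts"])
        sign_in = next((e for e in evs if e["event"] == "sign_in"), None)
        if sign_in is None:
            continue  # token was not issued in this log window; nothing to bind to
        for ev in evs:
            if ev["event"] != "resource_access" or ev["ip"] == sign_in["ip"]:
                continue
            reasons = []
            if ev["ua"] != sign_in["ua"]:
                reasons.append("different user agent")
            if ev["ts"] - sign_in["ts"] <= window:
                reasons.append(f"reused within {int(window.total_seconds() // 60)} minutes of issuance")
            if reasons:
                alerts.append(Alert(
                    user=ev["user"],
                    session=session,
                    issued_ip=sign_in["ip"],
                    used_ip=ev["ip"],
                    reason="token presented from a new IP with " + " and ".join(reasons),
                ))
                break  # one alert per session is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in find_token_replay(parse_log(SAMPLE_LOG)):
        print(f"[ALERT] {alert.user} session={alert.session} "
              f"{alert.issued_ip} -> {alert.used_ip}: {alert.reason}")
```

On the sample, only `bob` is flagged: his token was issued to one address and presented four minutes later from another with a different browser, the pattern a proxy-then-attacker handoff produces. `carol` changes address hours later on the same device and is left alone, which is the kind of mobile roaming that would otherwise flood a queue with false positives. A production rule would bind on ASN or device identity rather than raw IP, and the control that removes the problem rather than detecting it is phishing-resistant MFA (FIDO2/WebAuthn), whose origin binding a reverse proxy cannot relay.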

How Much Is the PhaaS Market Worth?

While precise sizing is difficult due to the underground nature of the business, conservative estimates by cyber intelligence firms suggest that the PhaaS economy generated over $800 million in revenue globally in 2024, with projections surpassing $1.3 billion by the end of 2025. This includes direct revenues from service fees, upsells, affiliate commissions, and custom infrastructure orders.

This market expansion is fueled by growing demand from a broader actor base—ransomware gangs, corporate espionage cells, politically motivated groups, and low-skill cybercriminals seeking fast ROI. PhaaS has effectively lowered the barrier to entry for launching sophisticated campaigns, democratizing access to what was once considered elite tooling.

Just as SaaS reshaped global IT spending over the past decade, PhaaS is reshaping global cyber risk exposure, pushing enterprises, governments, and insurers to reconsider how they calculate security budgets, policy frameworks, and breach readiness.

What Can Be Done to Counter This Criminal SaaS Model?

Combating PhaaS requires a systemic approach. First, law enforcement agencies must prioritize vendor takedowns, not just arrest end-users. This means targeting hosting providers, payment handlers, and Telegram channels that enable the PhaaS supply chain.

Second, cybersecurity vendors must integrate threat actor economics into their product design, recognizing that platform availability, pricing, and ROI considerations influence when and how campaigns are launched. This could mean monitoring vendor pricing models for signs of imminent campaign activity or integrating underground service disruptions into SOC alerting systems.


Third, global cooperation is critical, especially between cloud infrastructure providers, financial regulators, and threat intelligence firms. As long as vendors like verb0 can register domains anonymously, process crypto payments through mixers, and host payloads on legitimate services, PhaaS will remain an elusive and fast-moving threat.

Finally, cyber insurers and auditors must update risk models to reflect the rise of outsourced phishing attacks. Legacy models that assume attackers require custom payload development or significant infrastructure investment no longer reflect reality. In 2025, cybercrime can be launched with the click of a button—and a $300 monthly subscription.

Final Word: Why PhaaS Is the Business Model to Watch in Cybercrime

Phishing-as-a-Service is more than a trend—it’s a transformation. What began as a set of amateur tools has become the backbone of a thriving underground economy that enables ransomware, espionage, and financial theft at scale. Vendors like verb0 exemplify this shift, offering not only cutting-edge phishing infrastructure but a fully operational criminal business with the efficiency and polish of any Silicon Valley startup.

For cybersecurity professionals, the challenge is urgent and complex. As PhaaS grows, so too does the sophistication of its users, and the consequences of failure are no longer limited to isolated breaches. The business of cybercrime has matured—and the response must be equally strategic, equally coordinated, and equally relentless.
