AiTM panels and sellers

Rik van Duijn and Wesley Neelen

Playlist: WHY2025

Adversary-in-the-Middle (AiTM) phishing kits have matured into full-service SaaS platforms. This talk dives into the infrastructure, control panels, and sellers behind modern AiTM attacks. From Dockerized environments to Telegram bot-based UIs, we unpack how these platforms operate, scale, and monetize. We also highlight how this SaaS model is spreading. Expect a technical walkthrough of the ecosystem fueling today’s phishing economy.

This talk offers a deep dive into the infrastructure and operational models behind modern Adversary-in-the-Middle (AiTM) phishing attacks. These aren't hobbyist scripts—they are mature, productized platforms that resemble legitimate SaaS offerings.

We explore how these platforms work under the hood:

How attackers deploy Dockerized phishing kits

The use of CDNs, Telegram bots and proxy networks

Panel features like token capture, mailers, and multi-user support

Revenue models, actor branding, and upsells

We will showcase real examples of AiTM panels (including EvilProxy, Tycoon, Mamba2FA, and Raccoon), backed by original research and detection data gathered from over 2,000 incidents across hundreds of Microsoft 365 tenants. Attendees will walk away with an understanding of how these platforms scale, how attackers manage their infrastructure, and how defenders can detect and preempt them using techniques like pixel beacons and certificate transparency.

Licensed to the public under https://creativecommons.org/licenses/by/4.0/
