Chinese-Language Phishing Services Adopt AI and Real-Time MFA Bypass, GTIG Says
- Ecosystem Expansion: Google Threat Intelligence Group analysis reveals rapid growth in Chinese-language phishing-as-a-service platforms.
- Authentication Bypass: Attackers leverage live administration panels to capture one-time passcodes and circumvent multifactor authentication.
- Targeted Localization: The YY Lai Yu service deploys hundreds of localized templates primarily targeting Japanese consumers.
Google Threat Intelligence Group (GTIG) recently analyzed a dozen active Chinese-language phishing-as-a-service (PhaaS) offerings, identifying a rapidly growing underground ecosystem. Departing from traditional static password harvesting, these sophisticated threat actors now prioritize real-time interception and tokenization techniques.
By utilizing live administration panels, attackers can instantly capture one-time passcodes (OTPs) and successfully bypass multifactor authentication (MFA) protocols.
Delivery and Digital Wallet Exploitation
To distribute these threats, Chinese-language operators heavily leverage encrypted communication protocols, specifically RCS and Apple iMessage, according to GTIG. The primary tactical objective focuses on exploiting digital wallet provisioning.
“This shift represents an emerging development where the goal is no longer just a login, but securing direct, unauthorized control over a victim's financial accounts,” the report says.
Furthermore, the ecosystem exhibits a widespread adoption of AI-based automation to enhance scalability and stealth. The Darcula platform, which Google links to the threat actor UNC5814, exemplifies this shift by utilizing AI-powered page generators and browser automation tools like Puppeteer to bypass conventional detection mechanisms.
The Chinese-language PhaaS ecosystem:
- Targets the general public more opportunistically,
- Often operates openly with less regard for operational security,
- Posts advertisements on Telegram rather than channels such as WeChat (Weixin) or Tencent QQ,
- Offers numerous ancillary services, such as selling personally identifiable information (PII), domain name registration and virtual private server (VPS) hosting, server rentals, money laundering, eavesdropping devices, message sending services, and sometimes trading stolen payment card information.
Highly Localized Campaigns
A prominent case study within this ecosystem is YY Lai Yu, a platform first advertised in August 2024. While the infrastructure supports phishing operations across 119 countries, its largest strategic focus remains on Japan. The service provides extensive localized targeting capabilities, offering more than 400 specific phishing templates to its affiliates since November 2025.
These sophisticated lures target users of major regional and international brands, including Amazon, Apple, DMM, Epos Card, JA Bank, JCB Card, JR, Matsui Securities, Mercari, Monex, Nintendo, Nomura Securities, Orico Card, PayPay, Rakuten Securities, and Sagawa Express.
GTIG says the proliferation of the Chinese-language PhaaS ecosystem underscores a need for technical security controls that go beyond user education and recommends:
- Transitioning to FIDO2/WebAuthn infrastructure paired with risk-based verification and device fingerprinting against the real-time interception of account authentication OTPs.
- Making the victim's credentials technically impossible to weaponize.
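The reason the FIDO2/WebAuthn recommendation defeats the real-time OTP relay described above is that a WebAuthn assertion carries the browser's own view of the origin and a hash of the relying-party ID, and both are covered by the authenticator's signature. A relay sitting on a lookalike domain therefore cannot produce an assertion the real site will accept. The following relying-party-side check is an added example, not code from GTIG or from any service named in the report; the relying party ID `bank.example`, the origin `https://bank.example`, the lookalike domain and the builder helpers are all constructed for illustration, and signature verification over the public key is deliberately left out so the block runs with the standard library only.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Assumed relying party (RP) identity; constructed values, not from the report.
EXPECTED_RP_ID = "bank.example"
EXPECTED_ORIGIN = "https://bank.example"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def verify_assertion(client_data_json: bytes, authenticator_data: bytes,
                     issued_challenge: bytes, rp_id: str = EXPECTED_RP_ID,
                     origin: str = EXPECTED_ORIGIN) -> tuple[bool, str]:
    """Relying-party checks on a navigator.credentials.get() response.

    Returns (accepted, reason). Public-key signature verification is omitted
    (simplification); in production it runs after these checks succeed.
    """
    try:
        client_data = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    # Challenge binds the assertion to this login attempt; stops replay.
    if not hmac.compare_digest(b64url_decode(client_data.get("challenge", "")),
                               issued_challenge):
        return False, "challenge mismatch (replayed or stale assertion)"
    # The browser, not the page, writes the origin; a proxy on a lookalike
    # domain yields a different value and the signature covers it.
    if client_data.get("origin") != origin:
        return False, f"origin mismatch: {client_data.get('origin')!r}"
    if len(authenticator_data) < 37:
        return False, "authenticatorData too short"
    # First 32 bytes: SHA-256 of the RP ID the authenticator actually signed for.
    if authenticator_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash mismatch"
    flags = authenticator_data[32]
    if not flags & 0x01:  # UP bit: user presence was tested
        return False, "user presence flag not set"
    return True, "ok"


# --- Constructed inputs standing in for what a browser/authenticator returns ---

def make_client_data(origin: str, challenge: bytes) -> bytes:
    return json.dumps({"type": "webauthn.get",
                       "challenge": b64url_encode(challenge),
                       "origin": origin,
                       "crossOrigin": False}).encode()


def make_authenticator_data(rp_id: str, counter: int = 1) -> bytes:
    rp_id_hash = hashlib.sha256(rp_id.encode()).digest()
    flags = bytes([0x01])  # UP set, no attested data or extensions
    return rp_id_hash + flags + counter.to_bytes(4, "big")


def demo() -> dict:
    """Legitimate login versus two things a real-time relay would have to do."""
    challenge = secrets.token_bytes(32)  # fresh per login, as the RP would issue
    auth_data = make_authenticator_data(EXPECTED_RP_ID)
    cases = {
        "legitimate": make_client_data(EXPECTED_ORIGIN, challenge),
        "relayed_from_lookalike": make_client_data("https://bank-example.net", challenge),
        "replayed_old_challenge": make_client_data(EXPECTED_ORIGIN, secrets.token_bytes(32)),
    }
    return {name: verify_assertion(cd, auth_data, challenge) for name, cd in cases.items()}


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:24s} accepted={ok} reason={reason}")
```

Contrast this with an OTP: the six digits carry no notion of which site they were typed into or which login attempt they belong to, which is exactly what the live administration panels in the report exploit. Here the origin and challenge checks reject the relayed assertion before any key material is consulted.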
The Talos 2025 Year in Review report last month said global cybersecurity risks are led by state-sponsored groups, with China-nexus threat activity increasing by 75%.
Security researchers linked 2025 phishing attempts targeting US E-ZPass toll payment systems via iMessage and SMS to the PhaaS services Darcula and Lucid. In March, an INTERPOL report said AI-enhanced scams are four times more profitable.