Global PhaaS Surge: 17,500 Phishing Domains Target 316 Brands in 74 Countries — What Lucid and Lighthouse Mean for Your Security
Phishing has gone pro. If it feels like every week there’s a new scam targeting your bank, your postal service, or your crypto wallet, you’re not imagining it. Behind the scenes, phishing-as-a-service (PhaaS) platforms are industrializing cybercrime—letting anyone with a credit card launch tailored, global attacks at scale.
Here’s the headline: researchers have linked the PhaaS platforms Lucid and Lighthouse to more than 17,500 phishing domains targeting 316 brands across 74 countries. That’s not a handful of bad actors—it’s an ecosystem.
If you run security for a business, manage a brand, or simply want to avoid getting conned, this matters. In the next few minutes, I’ll unpack what’s happening, who’s behind it, how these campaigns avoid detection, and the practical steps you can take to reduce risk—today.
Let’s dive in.
The Short Version: What’s New and Why It Matters
- PhaaS platforms, notably Lucid and Lighthouse, are powering a wave of global phishing campaigns.
- These services sell ready-to-run phishing kits with real-time victim monitoring and templates for hundreds of brands.
- Attackers are using smart gating (by device type, country, and custom paths) to hide from analysts and scanners.
- Exfiltration is shifting away from Telegram. Criminals are returning to email-based data collection and services like EmailJS to harvest credentials and 2FA codes.
- Homoglyph domains (e.g., using the Japanese character “ん”) are tricking users with URLs that look legitimate at a glance.
- Scams are expanding beyond banking into “task” and gig-style fraud, sometimes requiring crypto deposits from victims.
Here’s why that matters: the barrier to “professional-grade” phishing is crumbling. Your employees, customers, and brand are exposed—no matter your size or sector.
Inside the PhaaS Economy: Lucid and Lighthouse
According to Netcraft and research first documented by PRODAFT, two platforms—Lucid and Lighthouse—have become major nodes in the PhaaS ecosystem.
What is PhaaS, really?
Think of it like Shopify for cybercrime:
- Pre-built templates for hundreds of brands
- Built-in hosting and management dashboards
- Real-time victim data capture and monitoring
- “Plug-and-play” distribution (SMS, RCS, and more)
- Subscription pricing and customer support
You don’t need technical chops to run a phishing campaign anymore. You need a budget and a goal.
Who’s behind it?
- Lucid has been linked to a Chinese-speaking threat actor known as the XinXin group (changqixinyun), which has also used kits like Lighthouse and Darcula.
- Darcula is attributed to an actor known as LARVA-246 (aka X667788X0 or xxhcvv).
- Lighthouse’s development has been linked to LARVA-241 (aka Lao Wang or Wang Duo Yu).
- Lighthouse operates independently of XinXin, but its infrastructure and targeting patterns overlap with Lucid—suggesting collaboration and code sharing across the ecosystem.
What can these kits do?
- Target a wide range of industries: postal services, tolling, government services, and financial institutions.
- Send smishing via Apple iMessage and RCS for Android (as documented by PRODAFT).
- Customize templates for local brands and languages (over 200 platforms supported).
- Gate content by user-agent, IP/proxy country, and even URL path. Non-targets get a generic fake shopping page.
In short: they mimic the brands your users trust—and they hide from the tools you use to find them.
How big is the problem?
- Netcraft detected phishing URLs from Lucid targeting 164 brands across 63 countries.
- Lighthouse campaigns targeted 204 brands across 50 countries.
- Combined, researchers counted 17,500+ domains hitting 316 brands in 74 countries.
- Pricing for Lighthouse ranges from $88 per week to $1,588 per year—cheap, given the potential return for criminals.
That scale is why defenders are feeling the heat.
Tactics That Evade Detection (and Fool Humans)
PhaaS operators know how security teams work. They optimize around our blind spots.
Here’s what’s showing up in the wild:
- Smart audience-gating: Sites only show the phishing page if:
  - The visitor matches a specific mobile user-agent (e.g., iPhone or Android).
  - The IP geolocates to a target country.
  - The visitor uses a fraudster-configured URL path.
- Decoys for non-targets: If you don’t match the criteria, you’re redirected to a harmless-looking fake store. That keeps crawlers, researchers, and even some sandboxes from seeing the real content.
- Real-time victim tracking: Operators watch stolen credentials come in. If a victim enters their login, the attacker can prompt for a 2FA code immediately—drastically raising success rates.
The result is a campaign that looks small to scanners but feels massive to the people who actually get hit.
Exfiltration Is Shifting: From Telegram Back to Email
Netcraft observed attackers moving away from Telegram-based exfiltration and returning to email to harvest stolen credentials and one-time codes. They’ve even seen PhaaS actors leverage services like EmailJS to send captured credentials directly to inboxes, no bespoke infrastructure needed.
Why email? Two reasons:
- Email is federated. There’s no single company to pressure for takedowns. Each address or SMTP relay must be reported individually.
- Convenience. It’s quick, cheap, and anonymous to create throwaway email addresses.
Netcraft notes a 25% increase in email-based exfiltration in a month, highlighting the trend. As a defender, this means your mail security stack—and your ability to detect suspicious outbound email flows—matters more than ever.
For general safety guidance on phishing, bookmark resources from CISA and the FTC.
The Homoglyph Trap: “ん” and Lookalike Domains
Attackers are using internationalized domain names (IDNs) to register lookalike domains that pass a quick visual scan. One example cited by Netcraft uses the Japanese Hiragana character “ん,” which at a glance can resemble punctuation—creating URLs that look nearly identical to the real thing.
Key points:
- At least 600 of these domains have targeted cryptocurrency users since late 2024.
- Many impersonate popular Chrome extensions (Phantom, Rabby, OKX, Coinbase, MetaMask, Exodus, PancakeSwap, Bitget, Trust).
- The goal: trick users into installing fake wallet extensions, then harvest seed phrases or system data.
How they succeed:
- Our eyes skim. We don’t parse every character.
- Browsers often display IDNs in native script instead of punycode, depending on locale and risk heuristics.
- Extension stores and search ads can be spoofed and abused.
If this feels gnarly, it is. But there are practical checks (see the defense section below). For a deep dive on confusables, see the Unicode technical report on security considerations: UTS #39.
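As an added example (not tooling from the post or from Netcraft), the Python checker below does the practical IDN checks this section describes: it converts a domain between its Unicode and punycode (xn--) forms, flags labels that mix scripts, flags a handful of confusable characters, and folds lookalikes back to ASCII to see whether a brand term is hiding inside. The confusable map and the brand watchlist are constructed stand-ins; a production check would load the full UTS #39 confusables table and your own brand terms.

```python
import unicodedata

# Constructed subset of lookalike mappings. For real use, load the full
# confusables.txt table from UTS #39 instead of this hand-picked list.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",  # Cyrillic a e o p c
    "\u0131": "i", "\u0251": "a",  # dotless i, Latin small alpha
    "ん": "/",  # Hiragana N, which reads as a path separator at a glance
}
BRAND_TERMS = ["coinbase", "metamask", "phantom", "paypal"]  # constructed watchlist


def to_ascii(domain: str) -> str:
    """Unicode domain -> punycode (xn--) form, as registrars and DNS see it."""
    return domain.encode("idna").decode("ascii")


def to_unicode(domain: str) -> str:
    """Punycode (xn--) form -> Unicode, as the browser may display it."""
    return domain.encode("ascii").decode("idna")


def script_of(ch: str):
    """Rough script bucket taken from the Unicode character name; digits and hyphens are neutral."""
    if ch.isascii():
        return "LATIN" if ch.isalpha() else None
    return unicodedata.name(ch, "UNKNOWN").split(" ")[0]


def skeleton(label: str) -> str:
    """Fold compatibility forms and the known lookalikes to the ASCII they imitate."""
    return "".join(CONFUSABLES.get(c, c) for c in unicodedata.normalize("NFKC", label))


def analyze(domain: str) -> dict:
    """Return both spellings of the domain plus a list of human-readable findings."""
    uni = to_unicode(domain) if domain.isascii() else domain
    findings = []
    for label in uni.split("."):
        scripts = {s for s in map(script_of, label) if s}
        if len(scripts) > 1:
            findings.append(f"{label}: mixes scripts {sorted(scripts)}")
        lookalikes = [c for c in label if c in CONFUSABLES]
        if lookalikes:
            findings.append(f"{label}: contains confusables {lookalikes}")
        folded = skeleton(label)
        for brand in BRAND_TERMS:
            if brand in folded and folded != label:
                findings.append(f"{label}: reads as '{brand}' once lookalikes are folded")
    return {"unicode": uni, "punycode": to_ascii(uni), "findings": findings}


if __name__ == "__main__":
    for d in ["coinbase.com", "coinbaseんwallet.com", "p\u0430ypal.com"]:
        r = analyze(d)
        print(r["punycode"], "->", r["findings"] or "no findings")
```

The same function can be run over new certificate-transparency hits for your brand terms, which is where lookalike registrations usually surface first.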
“Task” Scams: The New Face of Brand Abuse
It’s not just logins anymore. Scammers are leveraging API-driven brand-impersonation templates to run “earn money by completing tasks” schemes. They’ve impersonated well-known U.S. brands like Delta Air Lines, AMC Theatres, Universal Studios, and Epic Records to recruit “agents.”
The catch: to start, victims must deposit at least $100 in cryptocurrency. The fraudsters pocket the funds and push victims deeper with sunk-cost tactics.
This is a masterclass in social engineering:
- Borrow the trust of a known brand.
- Offer easy money.
- Require a small “commitment.”
- Scale with automation.
Why This Matters to You (Even If You’re Not a Bank)
- You’re a target if you accept payments, ship goods, run loyalty programs, or hold customer data.
- Your brand can be weaponized against your own customers.
- Your employees can be tricked into sharing VPN or SSO credentials, even 2FA codes.
- Your customers will blame you, not a shadowy PhaaS vendor.
Even small organizations get hit because automation narrows the cost per attack. PhaaS turns “spray and pray” into “spray and prey.”
Practical Defense: What to Do Today
Let’s separate this into steps for individuals, security teams, and organizations.
For individuals and customers
- Slow down on links, especially from texts and DMs:
  - Delivery issues, tolls, tax refunds, and bank alerts are common lures.
  - Navigate to the site yourself. Do not click links in unsolicited messages.
- Inspect domains:
  - Copy and paste the URL into a punycode/IDN checker to reveal lookalikes. Try Verisign’s IDN tool.
  - Use urlscan.io or VirusTotal to preview risky links safely.
- Use a password manager:
  - Managers only auto-fill on exact domain matches. If it won’t fill, that’s a clue the site isn’t legit.
- Turn on phishing-resistant MFA:
  - Prefer security keys or passkeys (FIDO2/WebAuthn). Learn more at the FIDO Alliance.
- Protect SMS and messaging:
  - Set a carrier PIN to reduce SIM-swap risk.
  - On iPhone, filter unknown senders and reduce link preview trust; treat iMessage and RCS links like email links—skeptically.
- Crypto safety:
  - Never share seed phrases. Legitimate support will never ask for them.
  - Install wallet extensions only via the official vendor link. Verify the publisher and reviews. See Google’s guidance on Chrome extension safety.
- Report phishing:
  - In the U.S., forward to reportphishing@apwg.org and file at reportfraud.ftc.gov.
  - Report fake domains and ads to the platform and registrar.
For security teams (SOC/CTI/IT)
Focus on coverage where attackers are winning.
- Harden identity and email
  - Enforce phishing-resistant MFA (security keys, platform passkeys) for high-value users first.
  - Deploy DMARC at p=reject, with SPF and DKIM aligned. Start with monitoring, then enforce. Guides: DMARC.org.
  - Monitor for outbound exfil via email:
    - Look for scripted SMTP or API usage to consumer email services from web assets.
    - Flag suspicious connections to transactional email APIs when originating from non-mail infrastructure.
- Web and brand protection
  - Monitor certificate transparency for brand terms to catch new lookalike domains: crt.sh.
  - Track IDN registrations that mix scripts. Consider alerting on confusables per UTS #39.
  - Establish a takedown playbook with your registrar and a brand protection vendor.
- Threat detection for PhaaS behaviors
  - Crawl suspicious URLs with:
    - Mobile user-agents (iOS/Android).
    - Geo-proxied IPs for target regions.
    - Multiple path variants to discover gated routes.
  - Instrument detections for real-time credential harvesting flows (e.g., repeated 2FA prompts, quick POST to third-party endpoints).
  - Use threat intel from sources like Netcraft and PRODAFT to track kit fingerprints.
- Browser and extension controls
  - For managed fleets, restrict extension installs via allowlists. Apply Chrome/Edge enterprise policies.
  - Audit installed extensions for overbroad permissions (e.g., clipboard, webRequest, file:// access).
- Network and application controls
  - Implement EDR with malicious browser injection detection.
  - Enforce TLS and MTA-STS for mail transport security (RFC 8461), alongside TLS-RPT.
  - Use web proxies/filters that can recognize and block IDNs known for abuse.
- People and process
  - Run micro-trainings focused on current lures: postal delivery, toll fees, government notifications, and wallet-update prompts.
  - Simulate smishing and brand impersonation (with consent and safety guardrails).
  - Measure time-to-detection and takedown. Optimize escalation paths to hosting, registrars, and platforms.
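An added example (not from the post or from Netcraft) of the outbound-exfil monitoring in the list above: a Python routine that runs over egress log lines and flags SMTP-port connections and POSTs to transactional-email APIs that come from hosts outside the mail tier, escalating when one source bursts. The host inventory, the API watchlist (EmailJS's api.emailjs.com is assumed as its endpoint), the log format and the log lines themselves are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed inventory and watchlist; replace with your CMDB and your own list.
MAIL_TIER_HOSTS = {"mail-01"}                               # hosts allowed to send mail
EMAIL_API_HOSTS = {"api.emailjs.com", "api.sendgrid.com"}   # assumed transactional-email API hosts
SMTP_PORTS = {25, 465, 587}

# Constructed egress log lines: ISO-8601 timestamp followed by key=value fields.
SAMPLE_LOG = """\
2025-03-01T10:02:11Z src=web-01 dst=api.emailjs.com dport=443 method=POST
2025-03-01T10:02:13Z src=web-01 dst=api.emailjs.com dport=443 method=POST
2025-03-01T10:02:19Z src=web-01 dst=api.emailjs.com dport=443 method=POST
2025-03-01T10:03:02Z src=mail-01 dst=smtp.gmail.com dport=587 method=-
2025-03-01T10:04:40Z src=web-02 dst=smtp.gmail.com dport=587 method=-
2025-03-01T10:05:01Z src=web-02 dst=cdn.example.net dport=443 method=GET
"""


def parse_line(line: str) -> dict:
    ts, rest = line.split(" ", 1)
    ev = dict(kv.split("=", 1) for kv in rest.split())
    ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    ev["dport"] = int(ev["dport"])
    return ev


def classify(ev: dict):
    """Return a rule name when a non-mail host behaves like a mail sender, else None."""
    if ev["src"] in MAIL_TIER_HOSTS:
        return None
    if ev["dport"] in SMTP_PORTS:
        return "smtp-from-non-mail-host"
    if ev["dst"] in EMAIL_API_HOSTS and ev.get("method") == "POST":
        return "email-api-post-from-non-mail-host"
    return None


def detect(log_text: str, burst_count: int = 3, burst_window_s: int = 60) -> list:
    """Alert on every matching event; raise severity when a source repeats inside the window."""
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()), key=lambda e: e["ts"])
    recent, alerts = defaultdict(list), []
    for ev in events:
        rule = classify(ev)
        if rule is None:
            continue
        window = recent[ev["src"]]
        window.append(ev["ts"])
        while (ev["ts"] - window[0]).total_seconds() > burst_window_s:
            window.pop(0)  # forget hits older than the burst window
        alerts.append({"ts": ev["ts"].isoformat(), "src": ev["src"], "dst": ev["dst"], "rule": rule,
                       "severity": "high" if len(window) >= burst_count else "medium"})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(a["severity"].upper(), a["src"], "->", a["dst"], a["rule"])
```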
For marketing, customer support, and legal
- Publish a “How we contact you” page. Share how you’ll never ask for passwords or seed phrases. Link to it in all customer comms.
- Offer a verified support channel and a clear reporting email (e.g., abuse@yourbrand.com).
- Coordinate with legal/PR on a rapid takedown program and victim comms. The first public statement matters.
Red Flags You’ll See in the Real World
- Short, urgent messages about missed deliveries, taxes, or tolls—often with local brand names.
- URLs that look right but feel off. Extra characters. Unfamiliar subdomains. International characters.
- “Verify your account” pages that prompt for 2FA codes immediately after login.
- Crypto or gig “job” offers that require a deposit to get started.
- Browser extension prompts outside official stores, or extensions that ask for unusual permissions.
When in doubt, assume it’s hostile. Then verify.
How This Wave Changes the Defender’s Playbook
A few strategic shifts follow from the rise of Lucid and Lighthouse:
- Treat phishing as an engineering problem. Training helps, but layered technical defenses and rapid takedowns win the day.
- Tune for mobile-first detection. Many campaigns only render for mobile user agents.
- Expand beyond URL/reputation-only controls. Content, behavior, and exfil patterns matter more than ever.
- Invest in identity hardening. Passkeys and security keys change the risk equation—even when users click.
- Get serious about brand abuse response. Your customers will encounter fakes. Prepare, don’t react.
What We Know From the Research (and Where to Learn More)
- Netcraft’s reporting surfaces the scale and tactics of Lucid and Lighthouse, the targeting of postal and financial services, and the rise of homoglyph domains and email-based exfiltration. Read the latest on the Netcraft Blog.
- PRODAFT’s earlier analysis documents Lucid’s smishing capabilities via iMessage and RCS, and links to broader actor activity. Explore PRODAFT’s research updates: PRODAFT Blog.
- For broader trends and quarterly phishing data, the APWG publishes open reports.
Quick Checklist: Reduce Risk in the Next 30 Days
- Enforce passkeys or security keys for admins and execs.
- Move DMARC to p=reject (after monitoring).
- Lock down extension installs on managed browsers.
- Set up CT log monitoring for brand terms via crt.sh.
- Add IDN/homoglyph alerts and punycode decoding to your brand monitoring.
- Build a smishing-aware training module with real examples.
- Create a public “verify before you click” guidance page for customers.
- Stand up a takedown runbook and owner.
Small moves now beat big promises later.
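The DMARC item above ("move to p=reject after monitoring") is easy to get half right. As an added example (not from the post or DMARC.org), here is a small Python linter that parses a DMARC TXT record, names which stage it is in, and lists the gaps that usually remain: p=none left in place, a weaker subdomain policy, pct below 100, or no rua address to monitor with. The two records are constructed, with example.com as a placeholder domain.

```python
# Constructed DMARC records: the monitoring-stage record you start with and the
# enforcement-stage record you move to once reports show legitimate mail aligning.
MONITOR_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
ENFORCE_RECORD = ("v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; pct=100; "
                  "rua=mailto:dmarc@example.com")

POLICY_RANK = {"none": 0, "quarantine": 1, "reject": 2}
STAGE = {"none": "monitor", "quarantine": "partial", "reject": "enforce"}


def parse_dmarc(txt: str) -> dict:
    """Split a DMARC TXT record into lowercase tag -> value pairs."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def lint_dmarc(txt: str) -> dict:
    """Report the enforcement stage plus blocking issues and softer notes."""
    t = parse_dmarc(txt)
    issues, notes = [], []
    if t.get("v") != "DMARC1":
        issues.append("record must start with v=DMARC1")
    p = t.get("p")
    if p not in POLICY_RANK:
        issues.append("p tag missing or invalid (none|quarantine|reject)")
        p = "none"
    if p == "none":
        issues.append("p=none only reports; spoofed mail is still delivered")
    sp = t.get("sp", p)  # subdomain policy defaults to p
    if POLICY_RANK.get(sp, 0) < POLICY_RANK[p]:
        issues.append(f"sp={sp} leaves subdomains weaker than the organizational domain")
    pct = int(t.get("pct", "100") or 100)
    if pct < 100:
        issues.append(f"pct={pct} applies the policy to only part of the failing mail")
    if "rua" not in t:
        issues.append("no rua address: you receive no aggregate reports to monitor with")
    relaxed = [tag for tag in ("adkim", "aspf") if t.get(tag, "r") != "s"]
    if relaxed:  # relaxed is the default and often acceptable, so this is a note, not an issue
        notes.append(f"relaxed alignment for {relaxed}; strict (s) narrows what counts as aligned")
    return {"stage": STAGE[p], "policy": p, "issues": issues, "notes": notes}


if __name__ == "__main__":
    for rec in (MONITOR_RECORD, ENFORCE_RECORD):
        r = lint_dmarc(rec)
        print(r["stage"], r["issues"] or "no issues", r["notes"])
```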
FAQ: People Also Ask
What is phishing-as-a-service (PhaaS)?
PhaaS is a subscription model for cybercrime. Operators sell phishing kits with hosting, templates, and dashboards so buyers can run campaigns without technical skills. Think turnkey phishing, paid monthly.
Who are Lucid and Lighthouse?
They’re PhaaS platforms linked to large-scale phishing operations. Research by Netcraft and PRODAFT connects Lucid to the XinXin group, while Lighthouse appears to be developed by a separate actor but shows overlaps in infrastructure and targeting.
How do these phishing kits avoid detection?
They gate content by device type, country, and URL path. If you’re not a target, they show decoy pages. They also use real-time dashboards to prompt victims for 2FA codes right after login.
Are attackers still using Telegram to exfiltrate data?
Less so. According to Netcraft, many are returning to email-based exfiltration and services like EmailJS. Email’s federated design makes takedowns harder and setup faster.
What are homoglyph or IDN attacks?
They use lookalike characters from different alphabets to make a fake domain appear real. For example, certain Unicode characters can resemble Latin letters or punctuation. Learn more from Unicode’s security guide: UTS #39.
How can I check if a URL is fake?
- Paste it into an IDN/punycode tool like Verisign’s converter.
- Use urlscan.io for a safe preview.
- Let a password manager auto-fill; if it doesn’t, the site may be fake.
What’s the best protection against phishing for logins?
Use passkeys or hardware security keys (FIDO2). They’re phishing-resistant because they bind authentication to the real domain. More info: FIDO Alliance.
How do I report phishing?
- Forward emails to reportphishing@apwg.org.
- File a report at reportfraud.ftc.gov.
- Notify the impersonated brand and the domain registrar/host if known.
What brands are being targeted?
Netcraft observed attacks against 316 brands across 74 countries, including postal services, tolling agencies, government services, and banks. Crypto wallet brands and browser extensions are also prime targets.
How much do these phishing services cost?
Pricing varies. Lighthouse subscriptions reportedly range from about $88 per week to $1,588 per year.
The Bottom Line
Phishing has scaled up—and out. Platforms like Lucid and Lighthouse lower the barrier to entry, blend in with normal traffic, and exploit human trust at industrial scale. You can’t train your way out of this alone. But you can change the math:
- Harden identity with passkeys/security keys.
- Lock down email, domains, and extensions.
- Monitor for brand abuse and IDN lookalikes.
- Prepare your takedown and customer comms playbook.