

In March 2026, researchers at Push Security gained direct access to phishing panels actively operated by two well-known threat groups: ShinyHunters and BlackFile. Their investigation identified four separate infrastructure clusters controlling more than 400 phishing domains. The confirmed breach list is significant: SoundCloud (30 million records), Match Group (10 million+), Betterment (20 million), Crunchbase, Bumble, CarMax, and Panera Bread.
What sets this investigation apart is that Push Security didn't analyse these panels from the outside. They accessed the live operator interfaces, observed the panels in active use, and mapped the full infrastructure. The result is one of the most detailed public accounts of how modern adversary-in-the-middle phishing operations work from the inside.
For security teams, the findings challenge a common assumption: that multi-factor authentication is sufficient protection against credential theft.
This isn't a mass phishing campaign. It's a targeted, human-operated attack combining social engineering with technical interception infrastructure. Every victim session is managed by a live operator.
The attack begins with a phone call. An operator contacts the target while impersonating IT support or a company helpdesk, and directs them to visit a specific URL for account verification or a security check. The delivery vector is voice, which means standard email-based phishing detection doesn't apply at all.
Vishing exploits the trust most employees place in phone calls from apparent internal teams. It's harder to detect than a suspicious email link and more difficult to train against, because the interaction feels completely normal. Your employee is doing something they've done before, on what appears to be a legitimate request.
Before the victim reaches the cloned login page, they pass through an anti-bot gate. This blocks automated security scanners, headless browsers, and known threat intelligence crawlers. Only sessions that the operator manually approves get through to the malicious page.
This is why URL reputation services and automated phishing detection consistently fail against these panels. The malicious content is never shown to the tools designed to detect it.
Once the victim reaches the cloned login page, their credentials aren't captured and stored for later. They're relayed in real time to the legitimate identity provider: Google, Microsoft Entra, Okta, or a major cryptocurrency exchange. The MFA challenge is triggered at the real provider, completed by the victim, and captured by the operator, who then receives a valid authenticated session token.
The victim gets redirected to a benign page immediately after, often the real login page, making them think they simply need to try again. The session token is already in the attacker's hands. Stolen credentials are forwarded instantly to a Telegram channel controlled by the operator.
This is the defining characteristic of adversary-in-the-middle attacks: they don't steal passwords and replay them later. They intercept active sessions and bypass MFA entirely, in real time.
Standard MFA relies on the assumption that only the legitimate user has the second factor at the moment of authentication. That applies to TOTP codes, SMS one-time passwords, and push notifications alike. Adversary-in-the-middle attacks break that assumption entirely.
When your employee enters credentials on the phishing page, the operator relays them to the real service immediately. The real service sends an MFA challenge to the employee's phone. The employee completes it, believing they're logging into the real platform. The operator captures the resulting session token, authenticated and valid.
The only MFA method that resists this attack is phishing-resistant MFA: FIDO2 hardware keys and passkeys. These bind authentication to the origin domain. A hardware key that works on accounts.google.com won't respond to a request from a phishing domain, regardless of how convincing the clone looks. There's nothing for the operator to intercept.
This is why detecting compromised sessions early matters so much. By the time the phishing page is identified, the session may already be in use.
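One way to act on that early-detection point is to watch for a session token being used by a client other than the one that completed the login. The following is an added example, not code from Push Security or from the article: it runs a simple heuristic over constructed JSON-lines sign-in events (field names, the 30-minute window and the "different IP and different user agent" rule are all assumptions, not a vendor schema or a rule from the investigation). In an adversary-in-the-middle flow the login itself arrives at the provider from the relay infrastructure, so comparing the login against the user's known devices is a useful complement to this check.

```python
import json
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sign-in and activity events in a JSON-lines shape loosely
# modelled on an identity provider's audit log. These are not real records.
SAMPLE_LOG = """\
{"ts": "2026-03-10T09:00:05Z", "event": "login.success", "user": "a.lee@example.com", "session": "sess-1", "ip": "198.51.100.20", "ua": "Chrome/123 Windows"}
{"ts": "2026-03-10T09:00:09Z", "event": "mfa.completed", "user": "a.lee@example.com", "session": "sess-1", "ip": "198.51.100.20", "ua": "Chrome/123 Windows"}
{"ts": "2026-03-10T09:03:41Z", "event": "session.activity", "user": "a.lee@example.com", "session": "sess-1", "ip": "203.0.113.77", "ua": "Firefox/124 Linux"}
{"ts": "2026-03-10T09:10:00Z", "event": "login.success", "user": "b.kim@example.com", "session": "sess-2", "ip": "198.51.100.21", "ua": "Safari/17 macOS"}
{"ts": "2026-03-10T09:15:30Z", "event": "session.activity", "user": "b.kim@example.com", "session": "sess-2", "ip": "198.51.100.21", "ua": "Safari/17 macOS"}
"""

# Assumption: how soon after login a client change is considered suspicious.
HIJACK_WINDOW = timedelta(minutes=30)


def parse_events(text: str) -> List[Dict]:
    """Parse JSON lines into dicts with a datetime 'ts', oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def detect_session_hijack(events: List[Dict]) -> List[Dict]:
    """Flag a session whose token is used from a different IP *and* a different
    user agent than the client that completed the login, within HIJACK_WINDOW.
    Requiring both to differ reduces noise from mobile IP churn. This is an
    assumed heuristic for illustration, not a rule from the investigation."""
    origin_client: Dict[str, Dict] = {}   # session id -> login event
    flagged = set()
    findings = []
    for ev in events:
        sid = ev["session"]
        if ev["event"] == "login.success":
            origin_client[sid] = ev
            continue
        first = origin_client.get(sid)
        if first is None or sid in flagged:
            continue
        if ev["ts"] - first["ts"] > HIJACK_WINDOW:
            continue
        if ev["ip"] != first["ip"] and ev["ua"] != first["ua"]:
            flagged.add(sid)
            findings.append({
                "user": ev["user"],
                "session": sid,
                "login_ip": first["ip"],
                "login_ua": first["ua"],
                "seen_ip": ev["ip"],
                "seen_ua": ev["ua"],
                "seconds_after_login": int((ev["ts"] - first["ts"]).total_seconds()),
            })
    return findings


if __name__ == "__main__":
    for f in detect_session_hijack(parse_events(SAMPLE_LOG)):
        print(f"{f['user']} session {f['session']}: logged in from {f['login_ip']} "
              f"({f['login_ua']}), used {f['seconds_after_login']}s later from "
              f"{f['seen_ip']} ({f['seen_ua']})")
```

Only sess-1 is flagged: sess-2 is used from the same client that logged in. A finding like this is the trigger for the session revocation and log review described later in the article.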
Push Security's analysis of the panel code found evidence of LLM-generated modifications. Sections of the infrastructure appeared to have been written or updated with AI coding tools, identifiable from characteristic patterns in code structure and commenting style.
What this means in practice: the barrier to building and maintaining sophisticated phishing infrastructure is lower than it's ever been. The operators running these panels don't need to be skilled developers. They need to know what to ask for.
The four clusters identified by Push Security controlled more than 400 active phishing domains at the time of analysis. These domains were purpose-built clones of login pages for high-value targets: Google Workspace, Microsoft Entra, Okta, and major cryptocurrency exchanges.
The confirmed breach list spans social platforms, financial services, food delivery, automotive, and enterprise software. This isn't a targeted campaign against one industry. It's a general-purpose credential theft operation that selects targets based on the attacker's current interests and which credentials fetch the best prices on criminal marketplaces.
Understanding your organisation's external attack surface includes knowing which credentials tied to your domain are being actively targeted, not just learning about them after they surface in a breach notification.
The controls that work against phishing emails are largely ineffective here. The delivery vector is a phone call, the malicious page is hidden from automated scanners, and MFA is bypassed in real time. Effective defence requires a different set of controls.
Adversary-in-the-middle phishing panels aren't new. They've been available as a service for several years. What's changed is the scale, the sophistication of the evasion techniques, and the integration of AI-assisted development that accelerates iteration. The ShinyHunters and BlackFile panels documented here represent a mature, professionalised operation with dedicated infrastructure and real-time human operators.
The implication is direct: MFA is no longer a sufficient answer to credential theft on its own. It's a necessary control. But organisations that have ticked the MFA box and considered the problem solved are operating with incomplete protection. The question isn't whether your users have MFA. It's whether the MFA you've deployed can resist the attack techniques actually being used.
Monitoring for active threats targeting your organisation means having visibility beyond your perimeter, into the criminal infrastructure that's already targeting your employees before any internal alert fires.
An adversary-in-the-middle attack places a proxy between the victim and the legitimate service they're trying to access. The victim interacts with what appears to be the real login page, but all traffic is relayed through the attacker's infrastructure. This lets the attacker capture credentials and MFA codes in real time, then steal the authenticated session token issued after a successful login, bypassing MFA entirely.
Yes. Adversary-in-the-middle attacks work against most common MFA methods: TOTP codes (Google Authenticator, Authy), SMS one-time passwords, and push notifications (Duo, Microsoft Authenticator). The only MFA methods that resist them are phishing-resistant options: FIDO2 hardware security keys and passkeys. These bind authentication to the specific origin domain, so they can't be triggered by a phishing site even if it's an exact clone of the real login page.
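The origin binding described above (and in the earlier paragraph on phishing-resistant MFA) is worth seeing concretely. The following added example is not code from the article or from Push Security: it simulates, in Python, the part of a WebAuthn assertion that the browser fills in (the origin the user is really on and the hash of the relying-party ID the page is allowed to use) and the relying-party checks that reject an assertion relayed through a look-alike domain. The domain names, the challenge and the simplified assertion layout are constructed; the signature check is omitted because the binding checks run before it.

```python
import base64
import hashlib
import json
from typing import Dict, Tuple

# Relying-party (RP) configuration. Constructed for this example; these are not
# values from the investigation.
EXPECTED_RP_ID = "accounts.example.com"
EXPECTED_ORIGIN = "https://accounts.example.com"


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def browser_assertion(page_origin: str, challenge: bytes) -> Dict[str, str]:
    """Simulate what a browser hands back for navigator.credentials.get().

    The browser, not the page, writes clientDataJSON.origin from the origin the
    user is actually on, and only lets a page use an rpId within its own
    registrable domain, so authenticatorData starts with sha256(rpId) of that
    domain. A page on a look-alike domain therefore cannot obtain an assertion
    for the real RP. Constructed for illustration; signature omitted.
    """
    host = page_origin.split("://", 1)[1]
    client_data = {
        "type": "webauthn.get",
        "challenge": b64url_encode(challenge),
        "origin": page_origin,
    }
    rp_id_hash = hashlib.sha256(host.encode()).digest()
    flags = b"\x01"                      # UP (user present) bit set
    sign_count = (0).to_bytes(4, "big")
    return {
        "clientDataJSON": b64url_encode(json.dumps(client_data).encode()),
        "authenticatorData": b64url_encode(rp_id_hash + flags + sign_count),
    }


def verify_binding(assertion: Dict[str, str], expected_challenge: bytes) -> Tuple[bool, str]:
    """RP-side checks from WebAuthn assertion verification that make a relayed
    login fail: ceremony type, challenge freshness, origin and rpIdHash.
    Returns (accepted, reason)."""
    client_data = json.loads(b64url_decode(assertion["clientDataJSON"]))
    auth_data = b64url_decode(assertion["authenticatorData"])
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if client_data.get("challenge") != b64url_encode(expected_challenge):
        return False, "challenge mismatch (stale or replayed)"
    if client_data.get("origin") != EXPECTED_ORIGIN:
        return False, "origin mismatch: " + str(client_data.get("origin"))
    if auth_data[:32] != hashlib.sha256(EXPECTED_RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return False, "user presence not asserted"
    return True, "ok"


if __name__ == "__main__":
    challenge = hashlib.sha256(b"constructed-challenge").digest()
    # Genuine login from the real origin: accepted.
    print(verify_binding(browser_assertion(EXPECTED_ORIGIN, challenge), challenge))
    # Same challenge relayed through a look-alike domain: rejected on origin,
    # and it would also fail the rpIdHash check. There is nothing to relay.
    print(verify_binding(browser_assertion("https://accounts-example.com", challenge), challenge))
```

Contrast this with a TOTP code or push approval, which carries no information about where the user typed it: the real provider cannot tell a relayed code from a genuine one, which is exactly the gap the panels exploit.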
Each domain typically has a short operational lifespan and is rotated frequently. More importantly, these panels deploy anti-bot gates that block the automated scanners used by threat intelligence services to detect phishing pages. The malicious login page is only shown to sessions that pass manual operator review, meaning detection tools never see the content they're looking for.
If you suspect an account has been compromised, act immediately. Revoke all active sessions for the affected account across every connected service. Reset credentials and force re-enrolment of MFA. Review access logs from the time of the suspected event forward for any unusual activity: new OAuth grants, email forwarding rules, data exports, or changes to security settings. Assume the attacker had full access to whatever the compromised account could access.
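The log review step above can be scripted so that a responder gets the indicators, the sessions to revoke and the connected services in one pass. The following is an added example, not from the article or Push Security: it runs over constructed JSON-lines audit events for one account; the event names, the mapping to the four indicator categories the article lists, and the sample values are assumptions, not any vendor's schema.

```python
import json
from datetime import datetime
from typing import Dict, List

# Constructed audit events, JSON lines loosely modelled on a cloud productivity
# suite's admin audit log. Not real records; names and addresses are invented.
SAMPLE_AUDIT = """\
{"ts": "2026-03-10T08:30:00Z", "event": "login.success", "user": "a.lee@example.com", "session": "sess-0", "service": "workspace", "ip": "198.51.100.20"}
{"ts": "2026-03-10T09:00:05Z", "event": "login.success", "user": "a.lee@example.com", "session": "sess-1", "service": "workspace", "ip": "203.0.113.77"}
{"ts": "2026-03-10T09:04:12Z", "event": "oauth.consent_granted", "user": "a.lee@example.com", "session": "sess-1", "service": "workspace", "detail": "app=Mail Sync Helper (constructed)"}
{"ts": "2026-03-10T09:06:40Z", "event": "mail.forwarding_rule_created", "user": "a.lee@example.com", "session": "sess-1", "service": "workspace", "detail": "forward_to=ext@example.net"}
{"ts": "2026-03-10T09:08:00Z", "event": "mail.forwarding_rule_created", "user": "b.kim@example.com", "session": "sess-2", "service": "workspace", "detail": "forward_to=b.kim.personal@example.net"}
{"ts": "2026-03-10T09:20:55Z", "event": "data.export_started", "user": "a.lee@example.com", "session": "sess-1", "service": "workspace", "detail": "scope=drive"}
{"ts": "2026-03-10T09:25:00Z", "event": "login.success", "user": "a.lee@example.com", "session": "sess-3", "service": "okta", "ip": "203.0.113.77"}
"""

# Assumed event names mapped to the indicator categories the guidance names.
INDICATORS = {
    "oauth.consent_granted": "new OAuth grant",
    "mail.forwarding_rule_created": "email forwarding rule",
    "data.export_started": "data export",
    "security.mfa_method_added": "security settings change",
    "security.recovery_email_changed": "security settings change",
}


def parse_events(text: str) -> List[Dict]:
    """Parse JSON lines into dicts with a datetime 'ts', oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def scope_compromise(events: List[Dict], user: str, suspected_at: str) -> Dict:
    """Build the response worksheet for one account.

    Indicators are collected from the suspected time forward only, as the
    guidance says. Sessions and services are collected across the whole log
    because any token the account ever held may be the stolen one and all of
    them must be revoked, not just those issued after the suspected time."""
    t0 = datetime.strptime(suspected_at, "%Y-%m-%dT%H:%M:%SZ")
    indicators, sessions, services = [], set(), set()
    for ev in events:
        if ev["user"] != user:
            continue
        sessions.add(ev["session"])
        services.add(ev["service"])
        kind = INDICATORS.get(ev["event"])
        if kind and ev["ts"] >= t0:
            indicators.append({
                "ts": ev["ts"].strftime("%Y-%m-%dT%H:%M:%SZ"),
                "kind": kind,
                "event": ev["event"],
                "detail": ev.get("detail", ""),
            })
    return {
        "user": user,
        "indicators": indicators,
        "sessions_to_revoke": sorted(sessions),
        "services": sorted(services),
    }


if __name__ == "__main__":
    report = scope_compromise(parse_events(SAMPLE_AUDIT), "a.lee@example.com", "2026-03-10T09:00:00Z")
    print(json.dumps(report, indent=2))
```

The other user's forwarding rule is deliberately excluded; scoping is per account. The session from 08:30 is still listed for revocation, since nothing in the log proves it was not the one relayed.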
The confirmed breaches linked to these panels include both large enterprises and mid-size businesses. Operators select targets based on the value of the credentials, not the size of the organisation. Any business whose employees use Google Workspace, Microsoft 365, or Okta is a potential target. The vishing delivery vector is also highly scalable: operators can run multiple victim sessions simultaneously with relatively low effort.