Custom Phishing Kits: How Cybercriminals Create Bespoke Brand Impersonation Attacks

Phishing attacks are getting a bespoke upgrade.

Traditionally, cybercriminals have relied on generic phishing kits—one-size-fits-all packages with templates for various brands. A single kit might include fake login pages for dozens of companies, allowing attackers to cast a wide net. However, this scattershot approach can be less effective, leading threat actors to adopt a new strategy.

Abnormal researchers have uncovered an increase in the availability of custom-built live phishing panels designed for specific brands—from banks and cryptocurrency exchanges to ecommerce sites.

These specialized tools are finely tuned to convincingly impersonate a single trusted brand and target one individual at a time, making them more convincing—and more expensive—than the old generic scam pages.

Not so long ago, dark web phishing tools were fairly basic: threat actors would purchase a bundle of static web pages and a simple script to email stolen passwords. Then, they would make small modifications to the kit in order to impersonate different companies.

In recent years, though, the DIY scene has evolved into the development and distribution of full-blown phishing-as-a-service (PhaaS) platforms, complete with interactive dashboards and subscription models. Now, instead of using one generic template for every bank or email provider, criminals are investing in phishing panels tailor-made for specific brands.

By customizing a kit to a single company’s exact logos, colors, phrasing, and workflow, attackers exploit the trust and familiarity that customers have with that brand. One custom phishing panel discovered by Abnormal touted a “Coinbase-inspired design” that is sleek, user-friendly, and fully mobile-responsive, meaning it appears genuine on any device.

When every pixel of a page aligns with expectations, the fabricated user experience won’t raise the usual red flags. These custom pages can even replicate site-specific processes—such as additional security questions or unique verification steps—that generic kits wouldn’t include. The result is a far more believable scam.

Today’s phishing kits aren’t just static fake websites that collect login credentials; they’re interactive solutions that allow attackers to monitor and control the target’s session in real-time. These platforms come equipped with advanced features that make scams more convincing, dynamic, and dangerous. Key capabilities often found in these live phishing panels include:

1. Pixel-Perfect Impersonation

The fake site mirrors the real brand’s site in both appearance and behavior. Everything from logo placement to error messages is cloned, and pages are mobile-responsive to ensure a convincing experience on any device. This attention to detail keeps targets unaware throughout the attack.

2. Live Session Monitoring

Attackers can watch a target’s actions in real time via the admin control panel. As soon as a user begins typing credentials, the attacker sees it on their screen. This live feedback loop allows the attacker to react instantly—for example, prompting a retry after a failed login or capturing a 2FA code the moment it’s entered.

3. One-Time Password Interception

Many brand-specific panels are built to bypass two-factor authentication. When the real site sends a one-time passcode via SMS, email, or authenticator app, the phishing page prompts the user to enter it. The tool then captures and relays the code to the attacker. Some kits can even intercept 3D Secure codes used in online payments. By capturing these tokens, the attacker can complete the login or transaction on the legitimate site, despite 2FA protections.

4. Instant Attacker Notifications

The moment a target submits data, the phishing panel sends the attacker an alert—commonly via Telegram (a third-party messaging app) or email. Telegram integration enables real-time updates and remote control, and some panels include Telegram “action buttons” to push the next step or take over the session manually. These alerts enable attackers to capitalize on compromise opportunities immediately before the target realizes anything is amiss.

5. Detailed Target Profiling

In addition to login credentials, these panels can collect details like the target’s IP address, browser, device type, and location. This data gives attackers context to tailor social engineering tactics and even helps them evade fraud detection. For example, if the attacker is able to mask their real location with the target’s location before attempting to access their account, it’s less likely to trigger a “suspicious login” alert.

Nowhere is the boom in brand-specific phishing attacks more apparent than in the cryptocurrency space.

Multiple dark web forum listings offer custom live panels impersonating top crypto exchanges, like Coinbase, Binance, and OKX. These cryptocurrency phishing panels are designed to mimic the real exchange login pages exactly, often including the same two-factor authentication prompts and even personal ID verification upload forms.

Because brand-specific targeting increases the likelihood of success, cybercriminals are highly motivated to invest effort in customized phishing kits—especially those designed to impersonate cryptocurrency exchanges. Successfully compromising an account on Coinbase, Binance, or OKX can yield direct access to valuable digital funds. And since cryptocurrency transactions are immutable, once those funds have been stolen, there’s no way to reverse the transfer. This creates a huge incentive to invest in high-quality phishing infrastructure for these brands.

On underground forums, cybercriminals market offerings like a “1:1 Coinbase Scam Page” kit, boasting that it perfectly clones Coinbase’s interface, extracts ID documents, and sends Telegram alerts whenever a new target logs in. This panel doesn’t just steal login credentials; it allows threat actors to capture multi-factor authentication codes and even a copy of the target’s photo ID.

Creating highly realistic, custom phishing panels requires significantly more work, and dark web pricing reflects this increased effort.

Single-brand phishing kits tend to cost more than generic kits, but buyers are willing to pay for quality and effectiveness. Many sellers artificially limit supply by selling only a handful of copies, maintaining “exclusivity” that keeps the panels undetected for longer and also drives up the price. Compare this to old generic phishing pages, which might be sold for a few dollars or shared freely.

This premium pricing model extends well beyond cryptocurrency targets. The image above shows a phishing kit targeting account holders at Halifax (a UK bank), complete with the exact login workflow Halifax uses—down to multiple pages for credentials, one-time passcodes, and even “memorable information” prompts. The seller of that panel set a price of $750 for the package, emphasizing its authenticity and even offering to tweak the CSS styling to the buyer’s liking.

In the above Mobile.de panel listing, the advertiser is clearly catering to a specific niche (an automotive marketplace) and highlights a wide range of advanced features. The price scheme (starting at $600 for early buyers, rising to $999 for later ones) implies that this is no mass-market commodity, but a boutique platform.

Paying hundreds of dollars for a single-brand kit might seem steep, but if that dark web phishing tool deceives even a handful of targets, the criminal’s return on investment can be enormous (think drained bank accounts or maxed out credit cards).

While these sophisticated panels capture attention for their technical capabilities, email remains the primary attack vector, and the effectiveness of these custom phishing kits depends heavily on convincing email lures that drive targets to the spoofed sites.

Custom phishing campaigns typically use brand-specific email templates that mirror the visual design of their corresponding panels, creating a consistent, seamless experience that enhances believability and impact.

Initial Target Acquisition

Bespoke phishing operations typically launch with carefully crafted email campaigns designed to match their custom panels. A Coinbase-targeted attack doesn't just feature a pixel-perfect login page—it includes emails that perfectly replicate Coinbase's official communications, from subject line patterns and sender formatting to logo placement and footer disclaimers.

These emails might reference account security alerts, new feature announcements, or suspicious activity notifications—all designed to drive targets toward the custom-built panels.

Comprehensive Data Collection for Future Campaigns

Beyond capturing login credentials and financial information, custom phishing kits systematically harvest comprehensive victim profiles including email addresses, phone numbers, device information, and geographic locations. This creates valuable datasets for cybercriminals to launch subsequent targeted attacks.

Armed with detailed victim profiles and confirmed active email addresses, attackers can craft even more convincing follow-up campaigns that reference previous "interactions" or build upon established trust.

Implications for Email Security

Creating custom phishing kits that mimic brands flawlessly demonstrates the ingenuity of cybercriminals and shows how easily they can outmaneuver outdated email defenses. By tailoring scams down to the last pixel and interacting with targets in real time, attackers exploit gaps that legacy security tools cannot close.

Email security solutions must be advanced enough to identify the subtle behavioral anomalies that indicate coordinated bespoke phishing campaigns—even when individual messages appear completely legitimate.

Traditional secure email gateways depend on static rules and known threat signatures, which means a brand-specific phishing attack can slip through undetected. Research shows that these legacy solutions consistently miss advanced email threats, creating a serious blind spot. If organizations continue relying on yesterday’s defenses, they risk giving today’s cybercriminals the upper hand.

Defending against these threats requires a smarter and more adaptive approach. That is why security teams are shifting from signature-based detection to behavioral AI. Instead of scanning for known malicious indicators, behavioral AI learns what is normal for each user and organization, and flags subtle changes in tone, context, or behavior that may signal a phishing attempt.

This kind of context-aware defense can detect brand impersonation phishing attacks immediately—the same threats older tools often miss or only catch too late. By focusing on trusted behavior patterns, modern email security can identify when something feels off, even if a phishing message looks perfect.

See for yourself how Abnormal AI provides comprehensive email protection against attacks that exploit human behavior. Schedule a demo today.