Haozi’s Plug-and-Play Phishing Attack Nets Over $280,000 from Victims

Cybersecurity researchers at Netcraft have documented a significant resurgence of the Chinese-language Haozi Phishing-as-a-Service (PhaaS) operation, which has generated over $280,000 through its Tether (USDT) cryptocurrency wallet while serving thousands of cybercriminals worldwide.

The group distinguishes itself through unprecedented ease-of-use features and comprehensive customer support services that have democratized sophisticated phishing attacks for users with minimal technical expertise.

Zero-Configuration Deployment

Haozi has fundamentally transformed the phishing landscape by eliminating technical barriers that traditionally limited cybercriminal participation.

The service provides a streamlined web-based installation panel that automatically deploys phishing infrastructure once attackers input server credentials, requiring no command-line interaction or manual script configuration.

Figure: Haozi setup web panel

This represents a significant advancement over competing PhaaS platforms like the AI-enabled Darcula suite, which still necessitate basic command-line operations.

The administration panel, branded as “Hàozǐ xìtǒng,” functions as a comprehensive campaign management system where operators can configure traffic filtering, manage victim data, and coordinate multi-stage attacks.

Netcraft researchers have identified these administration panels deployed across thousands of phishing hostnames, indicating substantial operational scale and adoption rates among cybercriminal communities.

Advanced technical capabilities include sophisticated two-factor authentication (2FA) bypass mechanisms that dynamically present verification prompts based on real-time transaction responses.

The system enables operators to simulate card verification processes, display authentic-looking loading screens while processing stolen credentials, and adaptively request 2FA codes only when necessary for successful account compromise.

Enterprise-Grade Customer Service

Haozi operates with a customer-centric business model that mirrors legitimate Software-as-a-Service (SaaS) organizations, maintaining dedicated Telegram channels for technical support, frequently asked questions, and resource sharing.

This comprehensive support ecosystem includes debugging assistance, campaign optimization guidance, and custom phishing page development services that have attracted nearly 7,000 community members at peak activity levels.

Figure: Example of a Haozi phishing dashboard

Following the shutdown of their original Telegram community, Haozi demonstrated remarkable resilience by rapidly rebuilding their user base, acquiring over 1,700 new followers since April 28, 2025.

The organization operates multiple specialized Telegram channels that facilitate knowledge transfer, service commissioning, and intelligence sharing among subscribers.

The service employs a subscription-based pricing model, charging approximately $2,000 for annual access with premium rates for shorter-term commitments.

Additionally, Haozi monetizes its platform by selling advertising space to third-party service providers, particularly SMS vendors, positioning itself as an intermediary that captures additional revenue streams from ecosystem transactions.

The success of Haozi reflects broader industry trends toward social engineering and phishing as primary attack vectors, driven by increasingly sophisticated enterprise security measures that have hardened traditional network perimeters.

PhaaS platforms like Haozi democratize advanced attack capabilities through automation, community support, and subscription-based access models that function more like legitimate technology businesses than traditional criminal enterprises.

The cryptocurrency-based payment infrastructure, evidenced by the $280,000 in documented transactions with frequent multi-thousand-dollar withdrawals, demonstrates the financial viability and operational sustainability of modern PhaaS ecosystems, presenting significant challenges for law enforcement and cybersecurity professionals.

Mandvi
Mandvi is a Security Reporter covering data breaches, malware, cyberattacks, data leaks, and more at Cyber Press.
