The “Spiderman” phishing kit is a newly discovered, full-stack phishing framework circulating on the dark web, designed to enable cybercriminals to impersonate dozens of major European banks and financial services with minimal technical expertise. First reported by cybersecurity firm Varonis on December 9, 2025, it automates the creation of pixel-perfect fake login pages, allowing attackers to steal credentials, one-time passwords (OTPs), credit card details, and even cryptocurrency seed phrases in real time. Unlike basic phishing tools, Spiderman consolidates templates for multiple institutions into a user-friendly control panel, reducing attacks to a few clicks—no coding required.
How It Works
Spiderman operates as a turnkey phishing service:
• Selection and Cloning: Attackers choose a target bank or service from the panel, which instantly generates a cloned login page mimicking the real site.
• Victim Interaction: Lures (e.g., emails or SMS) direct users to the fake page, where they’re prompted for multi-step inputs like usernames, passwords, 2FA codes (e.g., OTP or PhotoTAN), and personal/financial data.
• Data Harvesting: Stolen information is captured live and filtered for validity (e.g., checking if an email domain matches the target bank), then exfiltrated to the attacker.
• Advanced Features: Includes support for cryptocurrency wallets, government portals, and tools for broad campaigns across borders.
This lowers the barrier for novice fraudsters, enabling large-scale operations targeting customers in multiple countries.
Primary Targets
The kit focuses on European financial institutions, with pre-built templates for:
• Germany: Deutsche Bank, Commerzbank, ING, Comdirect, Volksbank.
• Spain: CaixaBank.
• Other Services: Fintech services such as Klarna (Sweden), PayPal, and various crypto platforms.
It spans at least five countries, making it a versatile tool for cross-border theft.
Risks and Advice
Victims risk full account takeovers, identity theft, and financial loss, as the kit steals comprehensive profiles. To protect yourself:
• Verify URLs before entering credentials—hover over links and check for mismatches.
• Use unique passwords and hardware 2FA where possible.
• Report suspicious messages to your bank immediately.
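The URL-mismatch check from the advice above can also be automated in a mail or proxy filter. The following is an added example, not part of the original report or of any vendor's tooling; the brand names, the domains (`examplebank.example`, `samplepay.example`) and the function names are constructed placeholders.

```python
from urllib.parse import urlsplit

# Constructed allowlist (placeholders): brand keyword -> real registrable domain.
LEGIT = {"examplebank": "examplebank.example", "samplepay": "samplepay.example"}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_link(url: str) -> str:
    """Return 'legit', 'lookalike' or 'unrelated' for a link found in a message."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return "unrelated"  # no parsable host (e.g. a scheme-less string)
    # Text before '@' is userinfo, not the host; it is often used to show a
    # trusted name while the browser connects to whatever follows the '@'.
    if parts.username is not None:
        return "lookalike"
    # Legit only if the host IS the real domain or a true subdomain of it.
    if any(host == d or host.endswith("." + d) for d in LEGIT.values()):
        return "legit"
    for label in host.split("."):
        for brand in LEGIT:
            # Brand embedded in a foreign host, or within two edits of it.
            if brand in label or edit_distance(label, brand) <= 2:
                return "lookalike"
    return "unrelated"

if __name__ == "__main__":
    # Constructed sample links, as they might appear in a lure message.
    for link in ("https://login.examplebank.example/auth",
                 "https://examplebank.example.secure-login.test/auth",
                 "https://examp1ebank.example/",
                 "https://examplebank.example@account-check.test/",
                 "https://news.test/article"):
        print(f"{classify_link(link):10} {link}")
```

The suffix comparison includes the leading dot on purpose: a host such as `notexamplebank.example` ends with the real domain's characters but is not a subdomain of it.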
This threat highlights the evolving sophistication of phishing-as-a-service models. Because Spiderman is only days old, it may still expand.