Inside Fraud-as-a-Service: Criminal Marketplaces Exposed


    Cybercrime has industrialized. What once required technical expertise and criminal connections now comes with subscription pricing, customer support, and feature roadmaps.

    The most unsettling aspect of modern fraud isn’t its sophistication—it’s its accessibility. Criminal operations that once required years of technical training and underworld connections can now be purchased as monthly subscriptions, complete with dashboards showing campaign metrics that would look at home in any legitimate marketing department.

Phishing-as-a-Service kits have grown 21% year over year, according to Bright Defense research, giving even low-skilled actors the tools to run large-scale campaigns against targeted sectors. The EvilProxy framework alone launches over one million attacks monthly. EvilProxy is a reverse-proxy (adversary-in-the-middle) kit: the phishing page relays the victim's keystrokes to the real login service and captures the authenticated session cookie it hands back, so a one-time code or push approval is relayed along with the password and does not protect the account. Only credentials bound to the legitimate origin, such as FIDO2/WebAuthn passkeys, refuse to authenticate through the proxy's domain. These aren't isolated criminal actors working alone in basements; they're customers of sophisticated service providers who have transformed fraud into a turnkey business model.

    The shift from artisanal cybercrime to industrial fraud-as-a-service represents a fundamental change in the threat landscape. When attackers can subscribe to enterprise-grade tooling for $50 per month, the technical barrier that once limited sophisticated attacks to skilled operators effectively disappears.

    The service economy of cybercrime

Modern fraud-as-a-service platforms operate with disturbing professionalism. According to AU10TIX research, these operations now function like SaaS companies, complete with subscription pricing tiers, customer support channels, and regular feature updates. The commoditization has compressed the time from initial probing to full-scale exploitation: 2024 saw a 30% reduction in what that research calls “dwell time,” the interval between account compromise and monetary extraction. (In incident-response usage, dwell time normally means the interval between compromise and detection; the two measures are not interchangeable.)

    The service model encompasses multiple layers of criminal infrastructure. Modular attack kits provide plug-and-play phishing templates, synthetic identity generators, and deepfake toolkits; customers select their target industry, customize branding elements, and launch campaigns without writing code or understanding the underlying technology. On-demand botnets offer outsourced credential stuffing services that automatically harvest and test credentials against multiple targets, scouring dark web data dumps for fresh databases and pivoting to secondary targets when primary ones harden their defenses.
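The credential stuffing described above has a recognisable shape in authentication logs, and the following added example (not code from the original article or from Allure Security) shows how to pick it out. It assumes a simple log line format with three result codes (ok, fail, nouser) and the thresholds given as parameters; the sample log lines are constructed for the example. It layers two signals: fan-out per source IP, which catches a noisy bot, and the share of nonexistent usernames across the sources the first signal did not catch, which surfaces a botnet spreading a leaked dump thinly over many addresses.

```python
"""Credential-stuffing detection over authentication logs (added example).

Log format, thresholds and sample lines are assumptions made for this example.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Assumed log line format: "<ISO timestamp> ip=<addr> user=<name> result=ok|fail|nouser"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>[0-9.]+) user=(?P<user>\S+) result=(?P<result>ok|fail|nouser)$"
)


@dataclass
class SourceStats:
    attempts: int = 0
    fail: int = 0       # existing account, wrong password
    nouser: int = 0     # username does not exist on this site
    users: set = field(default_factory=set)

    @property
    def fail_ratio(self) -> float:
        return (self.fail + self.nouser) / self.attempts if self.attempts else 0.0


def parse_line(line: str) -> Optional[dict]:
    """Return the parsed fields, or None for a line that does not match the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def aggregate(lines) -> Dict[str, SourceStats]:
    """Roll log lines up into per-source-IP statistics; unparseable lines are skipped."""
    per_ip: Dict[str, SourceStats] = defaultdict(SourceStats)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        s = per_ip[rec["ip"]]
        s.attempts += 1
        s.users.add(rec["user"])
        if rec["result"] == "fail":
            s.fail += 1
        elif rec["result"] == "nouser":
            s.nouser += 1
    return dict(per_ip)


def flag_sources(per_ip: Dict[str, SourceStats], min_users: int = 5,
                 min_fail_ratio: float = 0.8) -> List[str]:
    """Signal 1: sources that try many distinct usernames and mostly fail.
    A human who forgot a password fails repeatedly on ONE account, not many."""
    return sorted(ip for ip, s in per_ip.items()
                  if len(s.users) >= min_users and s.fail_ratio >= min_fail_ratio)


def analyze(log_text: str, min_users: int = 5, min_fail_ratio: float = 0.8,
            max_nouser_ratio: float = 0.2) -> dict:
    per_ip = aggregate(log_text.splitlines())
    flagged = flag_sources(per_ip, min_users, min_fail_ratio)
    # Signal 2: look at what is left once the obvious sources are removed. Four
    # bots each trying two usernames never reach min_users on their own, but a
    # dump taken from another site is full of usernames that do not exist here,
    # so together they push the nonexistent-username share far above baseline.
    residual = [s for ip, s in per_ip.items() if ip not in flagged]
    attempts = sum(s.attempts for s in residual)
    nouser = sum(s.nouser for s in residual)
    ratio = nouser / attempts if attempts else 0.0
    return {"stuffing_sources": flagged,
            "residual_nouser_ratio": round(ratio, 3),
            "distributed_alert": ratio > max_nouser_ratio}


# Constructed sample: a noisy stuffing bot (203.0.113.10), a human who mistypes
# (198.51.100.7), a normal user (198.51.100.8) and four low-and-slow bots (192.0.2.x).
SAMPLE_LOG = """\
2024-05-01T10:00:00Z ip=198.51.100.8 user=carol result=ok
2024-05-01T10:00:05Z ip=198.51.100.7 user=bob result=fail
2024-05-01T10:00:09Z ip=198.51.100.7 user=bob result=fail
2024-05-01T10:00:15Z ip=198.51.100.7 user=bob result=ok
2024-05-01T10:01:00Z ip=203.0.113.10 user=alice result=fail
2024-05-01T10:01:01Z ip=203.0.113.10 user=dave result=nouser
2024-05-01T10:01:02Z ip=203.0.113.10 user=erin result=fail
2024-05-01T10:01:03Z ip=203.0.113.10 user=frank result=nouser
2024-05-01T10:01:04Z ip=203.0.113.10 user=grace result=fail
2024-05-01T10:01:05Z ip=203.0.113.10 user=heidi result=ok
2024-05-01T10:01:06Z ip=203.0.113.10 user=ivan result=nouser
2024-05-01T10:01:07Z ip=203.0.113.10 user=judy result=fail
2024-05-01T10:02:00Z ip=192.0.2.20 user=karl result=nouser
2024-05-01T10:02:30Z ip=192.0.2.21 user=liam result=nouser
2024-05-01T10:03:00Z ip=192.0.2.22 user=mia result=nouser
2024-05-01T10:03:30Z ip=192.0.2.23 user=noah result=nouser
2024-05-01T10:04:00Z ip=198.51.100.8 user=carol result=ok
"""

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

The second signal is what makes the detector hold up against the on-demand botnets the paragraph describes: no single 192.0.2.x address tries enough accounts to trip the per-source rule, yet across the window four of the nine remaining attempts name accounts that do not exist. Thresholds need tuning per site, since a shared NAT or corporate proxy can legitimately show several users behind one address.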

    Campaign management dashboards display real-time metrics on click-through rates, credential harvests, and successful account compromises, interfaces that would look familiar to anyone who’s used legitimate marketing automation platforms. Some services even offer customer support to help subscribers troubleshoot technical issues, optimize campaign performance, and adapt to defensive measures, with money-back guarantees if campaigns underperform.

    Inside the Treyshop storefront

    Allure Security’s research team has documented specific FaaS operations, including Treyshop—a fraud-as-a-service storefront operating openly on the internet. These storefronts represent the retail layer of the cybercrime economy, where technical capability becomes purchasable product.

    Operations like Treyshop sell everything from stolen credentials to complete phishing kits, synthetic identity packages to pre-built scam campaigns. Pricing varies by target value: financial institution phishing kits command premium prices, while generic credential harvesting templates sell for less than a restaurant meal. The existence of these storefronts reflects a mature criminal ecosystem with specialized roles that mirror legitimate industry structures.

    Within this ecosystem, some actors focus on initial access by compromising systems and harvesting credentials, while others specialize in monetization, converting stolen data into cash through fraud or resale. FaaS platforms serve as the marketplace connecting these specialists and providing tools for less technical criminals to participate, much as legitimate platforms connect service providers with customers who lack the expertise to perform work themselves.

    The AI acceleration

    Generative AI has supercharged fraud-as-a-service capabilities in ways that compound existing threats.

    AI-enhanced social engineering now crafts phishing emails that mimic tone, style, and context with uncanny accuracy, boosting click-through rates by up to 45%. What once required fluent English writers and skilled social engineers can be generated in seconds. The economics of fraud have shifted decisively: IBM researchers found that AI can generate an effective phishing campaign with just five prompts in five minutes, compared to the 16 hours previously required by human experts.

    Voice cloning and deepfake video have entered FaaS offerings, enabling impersonation attacks that bypass voice-based verification systems entirely. The Arup deepfake incident, where an employee transferred $25 million after a video call with AI-generated executives, demonstrated capabilities now available through service providers rather than requiring custom development.

    Autonomous attack orchestration represents the next frontier. Machine-driven frameworks can conduct reconnaissance, identify vulnerabilities, launch attacks, and adapt to defensive responses without human intervention, putting continuous pressure on defensive systems designed around human response times.

    The economics of criminal marketplaces

    Understanding FaaS economics illuminates why the threat continues to grow despite increased security investment.

    The barrier to entry has collapsed. Where sophisticated phishing campaigns once required technical teams and infrastructure investment, FaaS platforms provide everything needed for a monthly fee, enabling criminals who previously lacked technical capability to launch attacks indistinguishable from those conducted by expert teams.

    Specialization has improved efficiency across the criminal ecosystem, with division of labor now matching legitimate industries. Initial access brokers focus exclusively on compromising systems, credential sellers aggregate and price stolen data, and monetization specialists handle the conversion of access into cash. FaaS platforms coordinate these specialists, reducing friction and accelerating attack cycles in ways that would be familiar to any supply chain manager.

    Scale has transformed the economics as well. When the marginal cost of launching additional attacks approaches zero, attackers can pursue lower-value targets profitably, which means organizations that once felt protected by being “too small to matter” now find themselves targeted alongside enterprise victims. Revenue sharing models align incentives further: many FaaS platforms operate on percentage cuts of successful attacks, creating powerful motivation for operators to improve tools, maintain infrastructure, and support customer success. These are exactly the dynamics that drive legitimate SaaS growth, now applied to criminal enterprise.

    The defensive challenge

    FaaS platforms create challenges that traditional security approaches struggle to address.

    The democratization of sophisticated attacks means organizations face threats previously reserved for high-value targets. When any criminal can subscribe to enterprise-grade phishing infrastructure, attack volumes increase dramatically while attack quality remains high—a combination that overwhelms defenses designed for less frequent, less capable adversaries.

    Takedown whack-a-mole becomes exhausting under these conditions. FaaS platforms can spawn new phishing campaigns faster than defenders can remove them, and rapid takedown capabilities remain essential but insufficient alone. Reducing time-to-takedown from days to hours still leaves substantial windows for victim harvesting; the goal must be compressing that window while simultaneously disrupting the infrastructure that enables rapid campaign creation.

    Attribution becomes harder as well. When attacks use shared infrastructure, common templates, and similar techniques, distinguishing between threat actors and understanding their capabilities becomes challenging. The criminal who subscribed to a platform last week can launch attacks indistinguishable from experienced operators, which complicates both defense and prosecution.

    The Bottom Line

    The transformation of cybercrime into a service industry represents an irreversible shift in the threat landscape. Criminal marketplaces will continue to mature, prices will continue to fall, and capabilities will continue to expand.

    Organizations that understand this reality focus less on preventing attacks entirely, an increasingly unrealistic goal, and more on minimizing the window of opportunity attackers have to exploit their brands and customers. This means continuous monitoring for the infrastructure that enables fraud, rapid response when attacks emerge, and intelligence gathering about the criminal services targeting their industry. The criminals running FaaS platforms treat their work as a business; defenders who bring similar professionalism and investment to their response are better positioned to compete.
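The continuous monitoring for fraud infrastructure recommended above starts with spotting domains registered to imitate a brand. The following is an added example, not code from the article or from Allure Security, that scores a feed of newly observed domains against one protected brand. The brand example-bank.com, the scoring weights, the homoglyph table, the function names and the candidate feed are all assumptions made for the example; a production version would use the Public Suffix List to find the registrable domain rather than assuming it is the last two labels, and would push hits into a review and takedown queue.

```python
"""Lookalike-domain scoring for brand monitoring (added example).

Scores how closely each newly observed domain imitates a protected brand domain.
Brand name, weights, homoglyph folds and the candidate feed are assumptions.
"""
import unicodedata
from typing import List, Tuple

BRAND, BRAND_TLD = "example-bank", "com"   # assumed protected domain example-bank.com

# Lossy folds that collapse common visual substitutions onto the letters they
# imitate; tuned for recall, so confirm hits by hand before acting on them.
MULTI_CHAR = {"rn": "m", "vv": "w"}
SINGLE_CHAR = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "$": "s"})


def normalize(candidate: str) -> str:
    """Decode punycode (xn--) labels and lowercase; leave already-Unicode input alone."""
    try:
        candidate = candidate.encode("ascii").decode("idna")
    except UnicodeError:
        pass
    return candidate.lower().strip(".")


def fold(label: str) -> str:
    """Strip accents, then apply the homoglyph folds, e.g. 'exárnp1e' -> 'example'."""
    label = "".join(c for c in unicodedata.normalize("NFKD", label)
                    if not unicodedata.combining(c))
    for seq, rep in MULTI_CHAR.items():
        label = label.replace(seq, rep)
    return label.translate(SINGLE_CHAR)


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance, used for typosquats that no fold table anticipates."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def score_domain(candidate: str, brand: str = BRAND,
                 brand_tld: str = BRAND_TLD) -> Tuple[int, List[str]]:
    """Return (score 0-100, reasons). 0 means no resemblance or the brand's own domain."""
    labels = normalize(candidate).split(".")
    if len(labels) < 2:
        return 0, []
    sld, tld, subs = labels[-2], labels[-1], labels[:-2]   # assumes a two-label registrable domain
    if sld == brand and tld == brand_tld:
        return 0, ["under the brand's own registered domain"]
    folded = fold(sld)
    hits = []
    if folded == brand and sld != brand:
        hits.append((90, "homoglyph or IDN substitution in the brand label"))
    if sld == brand and tld != brand_tld:
        hits.append((80, "brand label registered under another TLD"))
    if 0 < levenshtein(folded, brand) <= 2:
        hits.append((75, "typosquat within two edits of the brand label"))
    if any(brand in fold(s) for s in subs):
        hits.append((70, "brand name used as a subdomain"))
    if brand in folded and folded != brand:
        hits.append((60, "brand name combined with other words"))
    if not hits:
        return 0, []
    return max(h[0] for h in hits), [h[1] for h in hits]


def rank(candidates) -> List[dict]:
    """Score a feed and return only the domains worth reviewing, highest score first."""
    scored = [(d, *score_domain(d)) for d in candidates]
    flagged = [{"domain": d, "score": s, "reasons": r} for d, s, r in scored if s > 0]
    return sorted(flagged, key=lambda x: (-x["score"], x["domain"]))


# Constructed feed. The IDN entry is built from its Unicode form so the punycode is valid.
IDN_SAMPLE = "exámple-bank.com".encode("idna").decode("ascii")   # xn--... form
NEW_DOMAINS = [
    "example-bank.com", "example-bank.net", "examp1e-bank.com", "exarnple-bank.com",
    "example-bank-login.com", "example-bank.secure-login.org", IDN_SAMPLE,
    "exampl-bank.com", "unrelated-shop.com", "example.com",
]

if __name__ == "__main__":
    for hit in rank(NEW_DOMAINS):
        print(f"{hit['score']:3d} {hit['domain']:35s} {'; '.join(hit['reasons'])}")
```

The weights are ordered so that an IDN or homoglyph substitution, the kind a user is least likely to notice in an address bar, outranks a plain keyword combination. The folds are deliberately lossy, which is the price of recall: a hit still needs confirming, ideally by fetching the page and checking whether it serves a login form that copies the brand.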

    Key Takeaways

    What is fraud-as-a-service?

    Fraud-as-a-service describes criminal operations that sell attack capabilities as subscription services. These platforms provide phishing kits, credential stuffing tools, deepfake generation, and campaign management dashboards with pricing tiers and customer support, enabling less technical criminals to launch sophisticated attacks.

    How has AI changed fraud-as-a-service offerings?

    AI-enhanced social engineering now crafts convincing phishing content that boosts click-through rates by up to 45%. Voice cloning and deepfake video capabilities have entered FaaS offerings. Autonomous attack frameworks can conduct reconnaissance and launch campaigns without human intervention.

    How fast can criminals launch attacks using these services?

Using generative AI, attackers can produce an effective phishing campaign in five minutes with five prompts, compared to the 16 hours IBM researchers found a human expert needed; FaaS platforms then supply the infrastructure to deliver it. The EvilProxy framework alone launches over one million attacks monthly.

    What has happened to the barrier to entry for cybercrime?

    The barrier has collapsed. Criminals who previously lacked technical capability can subscribe to enterprise-grade attack tools for $50 per month. Fraud-as-a-service platforms provide everything needed to launch sophisticated campaigns without technical expertise.

    Why is this shift in cybercrime significant for defenders?

    Attack volumes increase dramatically because any criminal can now access sophisticated tools. Attacks that once targeted only high-value organizations now hit smaller targets profitably. The scale of threats generated by FaaS platforms exceeds what traditional takedown approaches can manage.
