It started sometime in late 2025. That's when security researchers first caught wind of something different circulating in criminal forums. Not just another phishing kit. Not another credential harvester. Something worse.
According to Krebs on Security, researchers recently identified an active phishing-as-a-service platform called 'Starkiller' that's operating with a technique most organizations aren't prepared to defend against. The platform uses relay proxy technology to intercept traffic between victims and legitimate websites—capturing both credentials and multi-factor authentication codes in real time.
The real question is: how many organizations got hit before anyone noticed?
The Discovery
Security researchers uncovered Starkiller through monitoring underground forums and active phishing campaigns, according to Krebs on Security's reporting. What caught their attention wasn't the usual telltale signs of phishing—no poorly copied logos, no domain name typos, no obvious red flags.
Instead, victims were seeing actual login pages.
Real ones. Legitimate ones. The kind you'd normally trust.
The researchers traced the infrastructure back to a coordinated service being offered to other threat actors. This wasn't a one-off campaign. It's an operational platform designed to be rented out, scaled, and deployed across multiple targets simultaneously.
Technical Analysis
So how does it actually work? Here's where it gets nasty.
Instead of hosting a fake login page on some sketchy server, Starkiller operators set up a relay proxy that sits between the victim and the real website. When you click a malicious link, you're forwarded to this proxy. The proxy then connects to the legitimate login page behind the scenes and displays it to you in real time. You type your credentials. The proxy captures them. You complete MFA. The proxy captures that too. Then it forwards everything legitimate—your actual credentials, your actual MFA code—to the real website on your behalf.
From your perspective? Everything feels normal. The page loads instantly. The SSL certificate is valid. The domain looks right. There's no reason to be suspicious.
This is particularly nasty because it answers a question organizations have been asking for years: can MFA be hacked? Technically, no. But it can be bypassed. Completely.
The security benefit of traditional MFA rests on the assumption that even if attackers get your password, they can't get your second factor. Starkiller eliminates that assumption. It doesn't break MFA. It just... intercepts it in transit.
Damage Assessment
How many victims? How many organizations compromised? Krebs on Security didn't provide specific numbers, and that's telling. The fact that researchers can't quantify the scope suggests the attacks are either still ongoing, still being discovered, or both.
What's clear is that every organization using traditional phishing detection tools is vulnerable. Most detection systems look for suspicious domains, fake SSL certificates, or malicious scripts. None of that applies here. The domain is legitimate. The certificate is legitimate. The page is legitimate.
This represents something security teams haven't had to prepare for at scale: an MFA security breach that doesn't involve compromised authentication servers or token theft, but rather real-time interception at the user level.
Mitigation
First: detection of anomalous sign-ins. Organizations need to monitor for impossible travel scenarios: one account logging in from two distant locations within a window too short to travel between them. If an account logged in from New York one minute ago and from Mumbai thirty seconds later, something went sideways.
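One way to implement the impossible-travel check described above, as an added example that is not code from the original article or from any vendor tool; the sign-in records, their coordinates and the 1000 km/h plausibility threshold are constructed assumptions:

```python
import math
from datetime import datetime

# Constructed sample sign-in records (not real logs): user, UTC timestamp, lat, lon.
# The first pair reproduces the New York -> Mumbai case from the text.
SAMPLE_SIGNINS = [
    ("alice", "2025-11-03T09:00:00", 40.71, -74.01),  # New York
    ("alice", "2025-11-03T09:00:30", 19.08, 72.88),   # Mumbai, 30 s later
    ("bob",   "2025-11-03T09:00:00", 40.71, -74.01),  # New York
    ("bob",   "2025-11-03T12:30:00", 42.36, -71.06),  # Boston, 3.5 h later
]

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 1000.0  # assumption: roughly airliner speed

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))

def impossible_travel(signins, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return (user, timestamp, km, implied_kmh) for each consecutive sign-in
    of the same user whose implied travel speed exceeds max_kmh. Sign-ins in
    the same second count as simultaneous and are flagged if distance > 0."""
    last = {}  # user -> (timestamp, lat, lon) of the previous sign-in
    alerts = []
    for user, ts, lat, lon in sorted(signins, key=lambda r: (r[0], r[1])):
        t = datetime.fromisoformat(ts)
        if user in last:
            t0, lat0, lon0 = last[user]
            dist = haversine_km(lat0, lon0, lat, lon)
            hours = (t - t0).total_seconds() / 3600
            if dist > 0 and (hours <= 0 or dist / hours > max_kmh):
                speed = math.inf if hours <= 0 else round(dist / hours)
                alerts.append((user, ts, round(dist), speed))
        last[user] = (t, lat, lon)
    return alerts

if __name__ == "__main__":
    for alert in impossible_travel(SAMPLE_SIGNINS):
        print("impossible travel:", alert)
```

A real deployment would feed this from the identity provider's sign-in log with geolocated source IPs, and would tune the threshold so that VPN egress changes and mobile carriers do not drown the alert in noise.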
Second: push-based MFA over time-based MFA. TOTP and SMS codes get captured by Starkiller's proxy. Push notifications to authenticated devices don't. They're harder to intercept.
Third: security awareness training needs to evolve. Users can't rely on visual inspection anymore. They need to understand proxy attacks exist and watch for subtle behavioral cues—slight delays in page loading, unusual session behavior, requests to re-authenticate when they just logged in.
And frankly, this should have been caught sooner. The most secure multi-factor authentication methods combine what you know, what you have, and what you are. Organizations deploying only the first two factors are leaving the door open.
Starkiller isn't the future of phishing. It's the present. And it's only getting more sophisticated.