---
title: "Robin Banks Phishing Service Back with Cookie Stealer and Russian Server | Phish Protection"
description: "The Robin Banks PhaaS platform is back with a new Russian server and a cookie stealer to bypass 2FA and compromise organizational accounts."
image: "https://phishprotection.com/og/blog/robin-banks-phishing-service-cookie-stealer-russian-server.png"
canonical: "https://phishprotection.com/blog/robin-banks-phishing-service-cookie-stealer-russian-server/"
---


![Phish Protection blog post image](https://media.mailhop.org/phishprotection/images/2022/11/anti-phishing-solutions-7835.jpg) 

The Robin Banks PhaaS platform is back with a new **Russian server** and a cookie stealer to bypass 2FA and compromise organizational accounts. This article shares the history of Robin Banks, attack patterns, how Robin Banks evolved, the Robin Banks cookie stealer and Russian server, how Robin Banks’s phishing kit works, and how organizations can stay protected against Robin Banks’s [phishing](/resources/what-is-phishing/).

Robin Banks, a popular [PhaaS (Phishing as a Service)](https://thehackernews.com/2022/10/researchers-warn-of-new-phishing-as.html) platform, has relocated its attack infrastructure after Cloudflare dissociated itself from all Robin Banks threat activity. The move followed a multi-day disruption to its services, after which the platform switched to a Russian provider.

**Robin Banks** also appears to be building advanced evasive features into the platform and enhancing its phishing offerings. Here is everything about Robin Banks and how the PhaaS platform has enabled [threat actors](/blog/threat-actors-using-phishing-as-a-service-phaas/) to rob banks and financial intermediaries.


### Robin Banks History: The First Wave of Robin Banks

The PhaaS platform appeared in March 2022 and offered phishing kits to threat actors, allowing them to access financial information and carry out **malicious activities** in the United States, Canada, Australia, and the United Kingdom. The platform was [discovered](https://www.ironnet.com/blog/robin-banks-a-new-phishing-as-a-service-platform) by IronNet’s researchers, who outlined how simple it was to register on the malicious platform, requiring only an email and a payment **via Bitcoin**.

The threat actors are provided with a sophisticated dashboard with multiple features to monitor pages, add funds to wallets, and craft custom phishing kits for as low as $50 a month. Furthermore, the cyber criminals who registered on the platform to create multiple **phishing pages** got access to future updates and 24/7 support at just $200 a month.

![Anti phishing solutions](https://media.mailhop.org/phishprotection/images/2022/11/anti-phishing-solutions-7835.jpg) 

IronNet also shared information regarding a **large-scale phishing campaign** in June that utilized the Robin Banks platform to target its victims. The campaign targeted victims via emails and SMS to steal Citibank accounts’ login credentials and financial information. Robin Banks also stole Google and Microsoft credentials on phishing pages, which points to advanced threat actors looking to _breach organizational networks_ for malicious activities such as ransomware deployment, [data breaches](/blog/data-breaches-how-they-impact-small-businesses/), and more.


### How Do Robin Banks Phishing Artists Attack?

Any threat actor using the Robin Banks platform could create single or multiple phishing pages to carry out phishing. For this, a **phishing message** containing the link to the fake portal was sent via SMS or email. The page also evaded detection by requiring a **reCAPTCHA completion** if a potential bot was found.

The victims were redirected to the phishing page with content hosted locally and centrally. _The victim’s browser was fingerprinted via the user agent string, with the domain sending all form **data (POST method)** to the Robin Banks API (Application Programming Interface)._

Researchers at **IronNet** observed a [phishing attack](/content/phishing-prevention/phishing-attack-definition/) campaign where threat actors utilized Robin Banks and were able to acquire and sell the information of numerous victims on the dark web and Telegram. The researchers also noted the efforts of the mastermind behind the platform, who was using _AWS, Microsoft, DigitalOcean, Google, Oracle, and Cloudflare_.


### How has Robin Banks Evolved?

The PhaaS platform has evolved considerably in the last few months:

##### Robin Banks Changing Its Infrastructure

After IronNet’s researchers discovered Robin Banks and its attack campaigns, engineers at Cloudflare acted swiftly by marking all Robin Banks domains **malicious**, causing significant disruption to phishing operations that relied on the **PhaaS platform**.

However, the disruption in phishing attacks was short-lived, with only 3 days of no phishing before the threat actors revised the phishing kit and transformed its infrastructure. To avoid similar takedowns, Robin Banks relocated its entire front-end and back-end infrastructure to [DDOS-GUARD](https://ddos-guard.net/en).

DDOS-GUARD is a Russian provider that hosts content and phishing websites for threat actors and hosts the official site of the terrorist group known as **Hamas**, according to [Brian Krebs](https://krebsonsecurity.com/2021/01/hamas-may-be-threat-to-8chan-qanon-online/). This is disturbing news, as the Russian provider has a history of non-compliance with takedown requests.

![Anti phishing software](https://media.mailhop.org/phishprotection/images/2022/11/anti-phishing-software-6436.jpg) 

##### Robin Banks Changing its Security

Adding to the news, [IronNet’s](https://www.ironnet.com/blog/robin-banks-still-might-be-robbing-your-bank-part-2) researchers also discovered that Robin Banks changed its security procedures, enforcing [2FA (Two Factor Authentication)](https://www.techtarget.com/searchsecurity/definition/two-factor-authentication) to access the Robin Banks **GUI (Graphical User Interface)**. Furthermore, the PhaaS platform gave the threat actors using it the option to receive the phishing information through a Telegram bot rather than access it via the GUI.

The developers of the Robin Banks platform also tried to privatize **admin conversations**, moving them to a separate Telegram channel. However, there were disagreements amongst the platform’s admins, leading one of the admins to turn the private channel into a public one, exposing critical communications, and opening Robin Banks’ primary and private channels to **spamming**.


### How does the Latest Robin Banks Phishing Kit Work?

The Robin Banks phishing kit was [analyzed](https://www.ironnet.com/blog/robin-banks-still-might-be-robbing-your-bank-part-2) by IronNet’s researchers, who revealed much about the PhaaS platform.

- **_Deobfuscation:_** The Robin Banks phishing kit utilizes standard code with **two primary index files** that are obfuscated using a PHP obfuscator. The first one, “ob.php,” comes from GitHub and is modified for Robin Banks. The deobfuscated code from the file resembles the core constructs of [Adspect](https://www.adspect.ai/en/), a tool used to detect and **filter web traffic** via blacklisting and _ML (Machine Learning) techniques_.
- **_Cookie Stealer:_** The Robin Banks phishing kit also utilizes a **cookie-stealing feature**. After IronNet described the PhaaS platform in July, the platform’s developers added a new part, the cookie stealer. The cookie stealer primarily steals login session cookies, allowing threat actors using the phishing kit to bypass 2FA. Robin Banks developers boasted of the feature as their _“own methodology.”_ Still, it appears to be a modification of evilginx2, an open-source tool that allowed threat actors to launch [AITM (Adversary In The Middle) attacks](https://cyware.com/news/new-adversary-in-the-middle-phishing-campaign-observed-acf54a93).

Since MFA (Multi-Factor Authentication) protects organizations and individuals, threat actors continuously look for ways to work around MFA. Robin Banks’ inclusion of the **cookie stealer** is just a way to entice [cybercriminals](/blog/cybercriminals-are-duping-millions-of-accounts-in-the-latest-facebook-phishing-campaign/) to turn to the platform to get unauthorized access to accounts, even with MFA enabled.

There is a growing trend amongst **threat actors** today who are evolving attack methods and tools to bypass MFA using _MFA fatigue and cookie stealers_. However, organizations and individuals should note that MFA is a significant part of the account security process and must be enforced within the organization.
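Because a stolen session cookie is replayed after MFA has already been satisfied, one server-side check is to compare each request's client context with the context recorded when the session passed MFA. The following is an added example, not code from IronNet or from the Robin Banks kit; the event fields, the /24 and /48 network grouping, and the severity labels are assumptions, and the sample events are constructed.

```python
import ipaddress

# Constructed sample events, not real logs. Assumed field order:
# (timestamp, session_id, user, client_ip, user_agent, event)
CHROME = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/107.0"
FIREFOX = "Mozilla/5.0 (X11; Linux x86_64; rv:106.0) Firefox/106.0"
SAMPLE_EVENTS = [
    (100, "sid-a", "alice", "198.51.100.23", CHROME, "mfa_success"),
    (160, "sid-a", "alice", "198.51.100.23", CHROME, "request"),
    (400, "sid-a", "alice", "203.0.113.77", FIREFOX, "request"),  # new network and browser
    (410, "sid-a", "alice", "198.51.100.23", CHROME, "request"),  # original client, no alert
    (120, "sid-b", "bob", "192.0.2.10", CHROME, "mfa_success"),
    (900, "sid-b", "bob", "192.0.2.200", CHROME, "request"),      # same /24, same browser
    (130, "sid-c", "carol", "192.0.2.50", CHROME, "mfa_success"),
    (950, "sid-c", "carol", "198.51.100.9", CHROME, "request"),   # roaming: network only
    (970, "sid-d", "dave", "203.0.113.5", CHROME, "request"),     # no MFA event on record
]


def network_of(ip, v4_prefix=24, v6_prefix=48):
    """Group an address into a coarse network so DHCP churn is not flagged."""
    addr = ipaddress.ip_address(ip)
    prefix = v4_prefix if addr.version == 4 else v6_prefix
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


def find_session_replays(events):
    """Return alerts for sessions used outside the context that passed MFA."""
    baselines = {}  # session_id -> (network, user_agent) seen at MFA time
    alerts = []
    for ts, sid, user, ip, ua, event in sorted(events):
        net = network_of(ip)
        if event == "mfa_success":
            baselines[sid] = (net, ua)
            continue
        if sid not in baselines:
            alerts.append(_alert(ts, sid, user, "medium", "no MFA event recorded for session"))
            continue
        base_net, base_ua = baselines[sid]
        net_changed, ua_changed = net != base_net, ua != base_ua
        if net_changed and ua_changed:
            alerts.append(_alert(ts, sid, user, "high", "network and browser both differ from MFA context"))
        elif net_changed or ua_changed:
            what = "network" if net_changed else "browser"
            alerts.append(_alert(ts, sid, user, "low", f"{what} differs from MFA context"))
    return alerts


def _alert(ts, sid, user, severity, reason):
    return {"ts": ts, "sid": sid, "user": user, "severity": severity, "reason": reason}


if __name__ == "__main__":
    for alert in find_session_replays(SAMPLE_EVENTS):
        print(alert)
```

A high-severity hit is a candidate for revoking the session and forcing re-authentication; low-severity hits are expected from roaming users and browser updates and are better used as supporting context.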

### How to Protect Against Robin Banks Phishing Attacks

Protection against phishing attacks using the Robin Banks platform or any other platform requires multiple but easy steps.

- **_Communication Alertness:_** _Never click_ on links contained in SMS or email communication, especially if they require an account to access or take you to login portals.
- **_Employ Password Managers and MFA:_** Use _password managers_ to store credentials and implement MFA to ensure threat actors can’t take advantage even if they somehow get access to your credentials.
- **_Phishing Education and Training:_** Organizations should regularly provide comprehensive phishing education and **phishing awareness training**, highlighting the latest attack campaigns so the workforce can quickly identify phishing emails when received.
- **_Network Monitoring:_** Organizations should also invest in a good network monitoring and analysis tool to detect **suspicious activity** and flag phishing emails and websites.

### Final Words

Robin Banks relies heavily on open-source code and can harm individuals as well as organizations alike. The platform’s cookie stealer **attempts to attract persistent** and significant threat actors to utilize Robin Banks. As more malicious actor groups and platforms are seeing the light of day, organizations must focus on [phishing attack prevention](/content/protection-from-phishing/how-to-stop-phishing/) and adhere to the best practices mentioned above to protect the confidentiality, integrity, and availability of their information assets.


![Brad Slavin](https://media.mailhop.org/phishprotection/images/authors/brad-slavin.jpg) 

[ Brad Slavin ](/authors/brad-slavin/) 

General Manager

Founder and General Manager of DuoCircle. Product strategy and commercial lead across DuoCircle's 2,000+ customer base.

