No Kit, No Kill Chain: Disrupting a Phishing Operation at the Backend

Carrie Jung

For over a year, a cluster focused on account compromise has been systematically targeting multiple email marketing and CRM platforms to launch crypto-themed phishing campaigns at scale, steadily hardening their infrastructure across multiple operational phases. This talk traces their evolution from initial kit identification through a critical backend pivot, to a coordinated December 2025 takedown that knocked them offline for nearly four months. They've since returned, but they are clumsy and struggling with unfamiliar tooling. This is a case study in what infrastructure disruption actually looks like: what it breaks, and what it doesn't.