December 12, 2025 A new phishing-as-a-service platform called Spiderman is helping attackers harvest banking credentials across Europe, according to new research. Security analysts say the service is already being used in active campaigns, giving low-skill operators tools that can capture passwords, one-time codes and identity documents.
Researchers at Prodaft, who uncovered the kit, say Spiderman's templates mimic login portals used by banks in France, Spain, Italy, Germany and the Netherlands. Among the brands targeted are Deutsche Bank, Blau, CaixaBank, Comdirect, Commerzbank and ING. The kit can also generate phishing pages for fintech services such as PayPal and Klarna, and its templates extend beyond banking: pages imitating cryptocurrency wallet providers such as Ledger and Exodus prompt victims for their wallet seed phrases.
Unlike older kits that simply collected passwords, Spiderman supports multi-step flows that prompt victims for additional factors, such as one-time codes, as the login proceeds. Because the code is captured and relayed to the real bank while it is still valid, the kit lets attackers defeat the strong customer authentication that European banking rules (PSD2) require. The caveat for defenders is that this relay works against SMS and app-generated codes but not against phishing-resistant authenticators such as FIDO2/WebAuthn passkeys, whose response is bound to the genuine site's origin. The platform also embeds built-in proxying and traffic filtering to avoid detection by scanners and researchers.
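To make the relay concrete, the following added example (written for this edit, not Prodaft's analysis or any part of the Spiderman kit) models a toy bank that accepts a password plus an RFC 6238 TOTP code, and a phishing page that forwards whatever the victim types within the code's 30-second window. The same model shows why an origin-bound factor survives: the victim's device signs the origin it is actually on, so a response produced on the phishing site fails at the bank. The bank origin, phishing origin, secrets and password are all constructed values.

```python
import hashlib
import hmac
import struct

# Constructed secrets for the toy model (not real credentials).
TOTP_SEED = b"constructed-victim-totp-seed"
DEVICE_KEY = b"constructed-passkey-private-key"
PASSWORD = "hunter2"
BANK_ORIGIN = "https://bank.example"  # assumed genuine origin


def totp(seed: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1 for unix time `now`."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def origin_bound_response(origin: str) -> str:
    """Passkey-style factor: the device signs the origin it is really on."""
    return hmac.new(DEVICE_KEY, origin.encode(), hashlib.sha256).hexdigest()


class Bank:
    """Toy bank that verifies the password plus one second factor."""

    def login_with_otp(self, password: str, code: str, now: int) -> bool:
        # Accept the current step and the previous one (common clock skew tolerance).
        valid = {totp(TOTP_SEED, now), totp(TOTP_SEED, now - 30)}
        return password == PASSWORD and code in valid

    def login_origin_bound(self, password: str, response: str) -> bool:
        expected = origin_bound_response(BANK_ORIGIN)
        return password == PASSWORD and hmac.compare_digest(response, expected)


def victim_submits(page_origin: str, now: int) -> dict:
    """What the victim's browser sends to whichever page it is on."""
    return {
        "password": PASSWORD,
        "otp": totp(TOTP_SEED, now),
        "origin_bound": origin_bound_response(page_origin),
    }


def relay_attack(bank: Bank, phishing_origin: str, now: int) -> tuple:
    """Multi-step phishing page: capture the victim's input, then replay it at
    the real bank a few seconds later, while the OTP is still in its window."""
    captured = victim_submits(phishing_origin, now)
    replay_time = now + 5
    otp_login = bank.login_with_otp(captured["password"], captured["otp"], replay_time)
    bound_login = bank.login_origin_bound(captured["password"], captured["origin_bound"])
    return otp_login, bound_login


if __name__ == "__main__":
    now = 1_700_000_000
    print("OTP relayed, origin-bound relayed:",
          relay_attack(Bank(), "https://bank-secure-login.example", now))
```

The first element of the result is True (the relayed OTP logs the attacker in) and the second is False (the origin-bound response was computed for the phishing origin and is rejected), which is exactly the gap between "stronger authentication" in the regulatory sense and phishing-resistant authentication.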
Spiderman reportedly operates on the subscription model familiar from other crimeware markets. Customers pick the bank templates they want and deploy the phishing pages without hosting infrastructure of their own, and the operators provide dashboards where criminals can watch stolen credentials arrive in real time. Prodaft linked the service to recent campaigns across Europe in which retail customers were sent to Spiderman-hosted pages through email and SMS lures.
European financial regulators have warned for years that phishing kits are becoming more modular and harder to trace as operators move to cloud-based delivery. Spiderman extends that trend with capabilities that resemble a full software-as-a-service offering, including updates, customer support and preconfigured integrations for messaging platforms. According to investigators, the kit is already being used in campaigns against retail customers, particularly those who rely on mobile banking. And because the service is an organised ecosystem rather than one of the one-off kits that dominated earlier waves of credential theft, taking down a single campaign does little to disrupt the operators.
While takedown efforts are ongoing, financial institutions across Europe continue to issue advisories urging customers to navigate directly to official websites and mobile apps. Campaigns like this depend on the victim following a lure link to a fake login page, so confirming that the address bar shows the bank's genuine domain, rather than a lookalike or a subdomain of some other site, before entering credentials defeats most of them. Links in unsolicited emails or SMS messages should not be followed at all.
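"Confirm the official domain" is easy to say and easy to get wrong, because lure URLs are built to pass a casual glance. The added example below (written for this edit, not from the advisories or the kit) checks a link against a constructed allowlist of official registrable domains and rejects the usual tricks: the real brand name placed in a subdomain of an attacker's domain, userinfo before the host (`https://bank.example@evil.example/`), plain HTTP, raw IP hosts, and punycode labels that hide lookalike characters. The two-level suffix list is a deliberate simplification of the Public Suffix List; a production check should use the full list (for example via the `tldextract` package).

```python
from urllib.parse import urlsplit

# Constructed allowlist of genuine registrable domains (assumption for the example).
OFFICIAL_DOMAINS = {"bank.example", "fintech.example"}

# Simplified stand-in for the Public Suffix List: suffixes under which the
# registrable domain has three labels instead of two.
TWO_LEVEL_SUFFIXES = {"co.uk", "com.au", "co.nz"}


def registrable_domain(host: str) -> str:
    """Return the part of `host` an organisation actually registers.

    `login.bank.example` -> `bank.example`; `bank.example.evil.example` -> `evil.example`.
    """
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def check_link(url: str) -> tuple:
    """Return (is_official, reason). Only an https link whose registrable
    domain is on the allowlist passes."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "https":
        return False, "not https"
    host = parts.hostname  # urlsplit strips userinfo and port and lowercases
    if not host:
        return False, "no host"
    if parts.username is not None:
        # `https://bank.example@evil.example/` shows the brand first but goes to evil.example
        return False, "credentials before host"
    if ":" in host or host.replace(".", "").isdigit():
        return False, "raw IP address"
    if any(label.startswith("xn--") for label in host.split(".")):
        # Internationalised labels can render as lookalikes of Latin brand names
        return False, "punycode label in host"
    domain = registrable_domain(host)
    if domain in OFFICIAL_DOMAINS:
        return True, domain
    return False, f"registrable domain {domain} is not official"


if __name__ == "__main__":
    # Constructed sample links, mixing genuine and lure-style URLs.
    for link in [
        "https://login.bank.example/auth",
        "https://bank.example.login-secure.example/auth",
        "https://bank.example@evil.example/auth",
        "http://bank.example/auth",
        "https://192.0.2.10/bank/auth",
        "https://xn--bnk-example-7ya.example/auth",
    ]:
        print(check_link(link), link)
```

Only the first link is accepted; every other entry is a shape that phishing lures use to put a real brand name somewhere in the URL without controlling the brand's domain.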
