Robin Banks, the notorious phishing-as-a-service (PhaaS) platform, relocated its infrastructure to a Russian service known to harbor cybercriminals.
After staying relatively quiet for a few months, the PhaaS platform Robin Banks has returned. The service, known for distributing ready-made phishing kits to threat actors, came back after relocating to a Russia-based distributed denial-of-service (DDoS) protection service, DDoS-Guard.
According to researchers at cybersecurity company IronNet, DDoS-Guard is well known for aiding phishing sites and other domains tied to cybercrime services and online forums. The Russian service provided a safe haven for alt-right social network Parler, QAnon and 8chan movements, and the Hamas terrorist group.
Robin Banks’ illicit activities were exposed in July. Before that, the platform relied on the DDoS mitigation company Cloudflare for protection.
“In response, Robin Banks administrators made several changes, including relocating its infrastructure to a notorious Russian provider and changing features of its kits to be more evasive,” researchers claim in a blog post.
Ironically, Robin Banks also introduced additional security services, such as two-factor authentication (2FA), fearing somebody might hack the platform’s admin interface. Meanwhile, Robin Banks sells phishing kits to steal financial data from customers of well-known financial institutions.
The researchers also found that Robin Banks has updated its kit to include additional features, such as cookie-stealing functionality, which is likely meant to cater to “advanced persistent threat (APT) groups that are looking to compromise specific enterprise environments.”