So Long, and Thanks for All the Phish

Presented at DEF CON 33 (2025), Aug. 8, 2025, 3:30 p.m. (45 minutes).

A rare look behind the scenes of a global phishing-as-a-service operation. We tell the story of how we infiltrated a phishing group, cracked their software, exploited a hidden backdoor, and followed an OSINT rabbit hole to uncover the identity of the primary software developer.

Presenters:

  • Harrison Sand
    Harrison is a software and application security specialist with experience in embedded devices and IoT. He has worked closely with penetration testing, incident response, embedded security, and vulnerability management. He has a passion for cybersecurity research and has had work featured in publications such as TechCrunch, PC Magazine, The Register, Ars Technica, Hackaday, Aftenposten, and NRK.
  • Erlend Leiknes
    Erlend is a man of many towels (and talents)—a security consultant, retired bus driver, and electrical engineer who holds a master's degree in technical societal safety. Erlend has gravitated towards hacking and IT since his teens and has spent more than a decade at mnemonic as a security consultant, where he performs penetration testing and red teaming and conducts security research. A handful of CVEs have his name on them and some are even favored by the usual APTs—and in the spirit of Douglas Adams, there's no need to panic.
