Spiderman
Spiderman is a phishing kit circulating on the dark web that enables cybercriminals, including non-technical operators, to launch large-scale phishing campaigns against customers of European banks, financial services, government portals, and cryptocurrency platforms. It creates pixel-perfect replicas of legitimate sites and provides an all-in-one platform for generating phishing pages, sending lures, capturing credentials, and managing stolen session data in real time.
Reported by Varonis, Spiderman targets financial institutions across at least five countries and includes modules for brands and services such as Deutsche Bank, Commerzbank, ING, CaixaBank, Volksbank, Klarna, PayPal, Blau, O2, and crypto wallet providers. It can steal login credentials, credit card data, one-time passcodes, PhotoTAN codes, and seed phrases for wallets including Ledger, MetaMask, and Exodus. The operator dashboard supports real-time monitoring of victim sessions, data export, and logging of sessions with unique identifiers. Operators can also trigger additional prompts to collect full identity packets including names, phone numbers, dates of birth, card details, user-agent data, and IP metadata.
Spiderman is modular and can be updated to support new banks, portals, and authentication methods. It includes anti-analysis and targeting controls such as country whitelisting, ISP/ASN whitelisting, device-type filtering, geo-blocking, and redirect logic for visitors who do not meet targeting criteria, which helps evade researchers and automated scanners. A Signal group linked to the seller reportedly has about 750 members, indicating active adoption. The stolen data can enable account takeover, SIM swapping, credit card fraud, and identity theft. The kit has been described as a significant threat to the European financial sector due to its scale, ease of use, and real-time interception capabilities.
Recent activity
5 sources tracked across advisories, community write-ups, and news.
Phishing kit used for credential theft at scale.
Phishing kit enabling large-scale impersonation of banks and crypto platforms, facilitating credential and OTP theft for financial fraud.
Spiderman is a modular phishing kit that enables cybercriminals to create convincing fake websites targeting banks, fintech companies, and cryptocurrency wallets. It captures credentials, 2FA/OTP codes (including PhotoTAN), credit card data, and seed phrases for crypto wallets. The kit is configurable, supports real-time victim session monitoring, and is popular among cybercriminals.
Spiderman is a full-stack phishing kit designed to enable non-technical attackers to easily launch large-scale phishing campaigns targeting customers of European banks and cryptocurrency platforms. It provides pixel-perfect clones of login pages, real-time data theft, OTP interception, and modules for stealing crypto seed phrases, facilitating account takeover and identity theft.