Chinese Phishing Service Haozi Resurfaces, Fueling Criminal Profits

A new report from cybersecurity firm Netcraft reveals the rise of a Chinese-language Phishing-as-a-Service (PhaaS) operation known as Haozi. The service makes it easy for criminals, even those without technical skills, to launch sophisticated phishing attacks. Rob Duncan, a security researcher at Netcraft, discovered this surge over the past five months.
According to Netcraft’s blog post, shared with Hackread.com, Haozi stands out for its user-friendliness, marketing itself with a cartoon mouse and emphasizing ease of use and strong support. Unlike older methods that require coding knowledge, Haozi provides a simple web panel.
Once a criminal buys a server and puts in the details, the phishing kit sets itself up automatically. This plug-and-play approach even surpasses other modern PhaaS tools that still require some command-line actions. Netcraft has found Haozi control panels on thousands of phishing websites, indicating its widespread use.
Beyond offering phishing kits, Haozi operates like a full-fledged business. It sells advertising space to connect phishing kit buyers with other services, such as those that send text messages. Haozi also acts as a middleman in these deals. The Tether (USDT) wallet used for these advertisements and intermediary services has taken in over $280,000.
Recently, withdrawals from this wallet have often been in the thousands of dollars. The service also offers dedicated customer support through Telegram channels, providing tutorials, answering questions, and even allowing users to request custom phishing pages.
This strong support system, combined with the automated setup, makes Haozi highly attractive to those new to cybercrime. The original Haozi Telegram community had almost 7,000 members before it was shut down, but since April 28, 2025, a new community has quickly gained over 1,700 followers. Haozi charges around $2,000 for a yearly subscription, with options for shorter terms.
Phishing-as-a-Service (PhaaS) refers to online platforms that provide all the tools and support needed to carry out phishing attacks, often through a subscription model. Phishing itself is a type of cyberattack where criminals try to trick individuals into giving up sensitive information, like passwords or credit card details, by pretending to be a trustworthy entity.
Hackread.com has also highlighted this growing threat of PhaaS networks. In January 2025, we reported on Sneaky 2FA, a PhaaS targeting Microsoft 365 through a Telegram bot. In March 2025, Morphing Meerkat, a sophisticated operation that had been using DNS vulnerabilities for years, was discovered, and in April 2025, Netcraft warned about the Darcula-Suite upgrade, which now uses AI to create multilingual scam pages.
The rise of PhaaS platforms like Haozi shows how easy it has become to commit cybercrime. While companies are improving their security, attackers are increasingly using social engineering and phishing because these methods don’t require breaking through protected infrastructure. All they require is human error, which shows the urgent need for employee cybersecurity training.