| TechCrunch
Zack Whittaker
10:55 AM PST · December 3, 2025
Marquis said ransomware hackers stole reams of banking customer data, containing personal information and financial records, as well as Social Security numbers, belonging to hundreds of thousands of people. The number of affected people is expected to rise.
Fintech company Marquis is notifying dozens of U.S. banks and credit unions that they had customer data stolen in a cyberattack earlier this year.
Details of the cyberattack emerged this week after Marquis filed data breach notices with several U.S. states confirming its August 14 incident as a ransomware attack.
Texas-based Marquis is a marketing and compliance provider that allows banks and other financial institutions to collect and visualize all of their customer data in one place. The company counts more than 700 banking and credit union customers on its website. As such, Marquis has access to and stores large amounts of data belonging to consumer banking customers across the United States.
At least 400,000 people are so far confirmed affected by the data breach, according to legally required disclosures filed in the states of Iowa, Maine, Texas, Massachusetts, and New Hampshire that TechCrunch has reviewed.
Texas has the largest number of state residents so far who had data stolen in the breach, affecting at least 354,000 people.
Marquis said in its notice with Maine’s attorney general that banking customers with the Maine State Credit Union accounted for the majority of its data breach notifications, or around one-in-nine people who are known to be affected throughout the state.
The number of individuals affected by the breach is expected to rise as more data breach notifications roll in from other states.
Marquis said the hackers stole customer names, dates of birth, postal addresses, and financial information, such as bank account, debit, and credit card numbers. Marquis said the hackers also stole customers’ Social Security numbers.
According to its most recent notices, Marquis blamed the ransomware attack on hackers who exploited a vulnerability in its SonicWall firewall. The vulnerability was considered a zero-day, meaning the flaw was not known to SonicWall or its customers before it was maliciously exploited by hackers.
Marquis did not attribute the ransomware attack to a particular group, but the Akira ransomware gang was reportedly behind the mass-hacks targeting SonicWall customers at the time.
TechCrunch asked Marquis if it is aware of the total number of people affected by the breach, and if Marquis received any communication from the hackers or if the company paid a ransom, but we did not hear back by the time of publication.
sicuranext.com
Claudio Bono
01 Dec 2025
Earlier this year, our CTI team set out to build something we'd been thinking about for a while: a phishing intelligence pipeline that could actually keep up with the threat. We combined feeds from hundreds of independent sources with our own real-time hunt for suspicious SSL/TLS certificates. The goal was simple: get better visibility into what attackers are actually doing, not what they were doing six months ago.
Last quarter's numbers hit harder than we expected: 42,000+ validated URLs and domains, all actively serving phishing kits, command-and-control infrastructure, or payload delivery.
This isn't your grandfather's phishing problem. We're not talking about misspelled PayPal domains and broken English. What we're seeing is organized, efficient, and frankly, impressive in all the wrong ways. This research breaks down the infrastructure, TTPs, and operational patterns behind modern phishing—and what it means for anyone trying to defend against it.
Finding #1: All Roads Lead to Cloudflare
Here's the headline: 68% of all phishing infrastructure we tracked lives on Cloudflare.
Provider Domains % of Total
Cloudflare 17,202 68.0%
GCP 3,414 13.5%
AWS 2,185 8.6%
Azure 1,355 5.4%
This isn't random. Cloudflare's free tier is a gift to threat actors—zero upfront cost, world-class DDoS protection (yes, really), and proxy services that completely mask origin servers. Good luck tracking down the actual host when everything's bouncing through Cloudflare's edge network.
We're seeing thousands malicious domains clustered on AS13335 alone. That's Cloudflare's primary ASN, and it's become the de facto home base for phishing operations worldwide.
The CDN Divide: Two Strategies, One Ecosystem
When we looked at the 12,635 unique IPs hosting these IOCs, a clear pattern emerged. The threat landscape has forked:
51.54% direct hosting – Think disposable infrastructure. Spin it up fast, burn it down faster. Perfect for smishing blasts and hit-and-run campaigns.
48.46% CDN/proxy-protected: The long game. These setups are built to survive, leveraging CDNs (92% Cloudflare, naturally) for origin obfuscation and anti-takedown resilience.
Here's the problem: your IP-based blocking protection? It works on roughly half the threat landscape. The other half just laughs at you from behind Cloudflare's proxy. You need URL filtering, domain heuristics, and TLS fingerprinting now. IP blocks alone are a coin flip.
And before anyone says "these domains must be unstable", we saw a 96.16% mean DNS resolution rate. These operators run infrastructure like a Fortune 500 company. High availability, minimal downtime, proper DevOps hygiene. It's professional-grade crime.
Finding #2: Abusing Trust at Scale
Forget .xyz and .tk domains. Attackers have moved upmarket.
TLD Count Why They Use It
.com 11,324 Universal legitimacy
.dev 7,389 Targets developers
.app 2,992 Mobile/SaaS impersonation
.io 2,425 Tech sector credibility
.cc 1,745 Cheap, minimal oversight
The surge in .dev and .app domains tells you everything. Attackers aren't just going after your CFO anymore: they're targeting developers. Fake GitHub OAuth flows, spoofed Vercel deployment pages, bogus npm package sites. They're hunting credentials from the people who actually understand security, betting (correctly) that a something.dev domain gets less scrutiny than something-phishing.tk.
Free Hosting: The Perfect Cover
Now pair this with free hosting platforms, and you get a disaster: 72% of domains in our dataset used obfuscation via legitimate services.
Vercel: 1,942 domains
GitHub Pages: 1,540 domains
GoDaddy Sites: 734 domains
Webflow: 669 domains
Try explaining to your CISO why you need to block github.io or vercel.app. You can't. Your developers need those. Your business uses those. Attackers know this, and they're weaponizing it. Domain reputation systems collapse when every phishing page sits under a trusted parent domain.
Finding #3: PhaaS and the Industrialization of Crime
We need to stop calling these "phishing kits." That undersells what we're dealing with.
What we're seeing is Phishing-as-a-Service (PhaaS): full-stack criminal SaaS platforms. Services like Caffeine - now offline - and W3LL offer subscription-based access to complete attack infrastructure: hosting, templates, exfiltration pipelines, even customer support. They've turned phishing into a commodity anyone can buy.
The real nightmare feature? MFA bypass. Kits like EvilProxy and Tycoon 2FA don't bother stealing passwords anymore. They operate as adversary-in-the-middle (AitM) proxies, sitting between the victim and the legitimate service. User authenticates, kit intercepts, passes creds through to the real site, then steals the resulting session cookie. No password needed. No MFA challenge. Just instant account access.
These platforms also ship with serious evasion tech:
Geofencing to block security researchers by IP range
User-Agent Based Cloaking that targets devices by browser user agent: often the final landing page is only visible on mobile devices browsers
DevTools detection (open F12, page immediately stop working)
Cloudflare CAPTCHA to filter out automated scanners
Over the past four months, we clustered 20 distinct phishing clusters based on shared infrastructure fingerprints: same rotated IPs, same registrars, identical evasion patterns and obfuscation methods. This isn't a bunch of script kiddies copying code. It's coordinated, engineered operations with centralized data management and exfiltration workflows.
Almost 60% of the observed IOCs are deemed to be linked with PhaaS, this means a global tendency to separate those who produce and manage actual infrastructure from those (often non-technical users) who use it (for a fee), hoping to make a significant profit by reselling stolen data.
Finding #4: Meta in the Crosshairs
If there's one target dominating the landscape, it's Meta. 10,267 mentions: 42% of all brand impersonation we tracked.
Brand Mentions Attack Type
Meta 10,267 Facebook/Instagram/WhatsApp creds
Amazon 2,617 Payment data, account takeover
Netflix 2,450 Subscription scams
PayPal 1,993 Financial fraud, redirects
Stripe 1,571 Merchant account compromise
Why Meta? Three billion users. Multiple attack surfaces. Credential reuse across platforms. It's target-rich and full of high-value accounts. The focus on Stripe and PayPal shows attackers aren't just after creds anymore: they're after money. Direct financial fraud, merchant compromise, payment interception.
What This Means for Defense
The era of "just block the domain" is over. We're up against industrialized, adaptive, professionally-run adversaries. Deterministic detection is dead. You can't regex your way out of this anymore, defenses need to evolve:
CDN-aware detection – IP blocking is 50% effective at best
Behavioral analysis – Focus on session anomalies, not just domains
TLS fingerprinting – Track certificate patterns and issuance velocity
Hunt for PhaaS indicators – Cluster campaigns by shared infrastructure
User education that doesn't suck – Stop educating people talking about domain typosquotting or http vs https concepts: teach people what real-scenario looks like in practice.
This isn't FUD. This is what 42,000 live phishing sites look like when you actually go hunting for them. The threat is real, it's organized, and it's not slowing down.
What Comes Next: Diving Deep into the Criminal Engine
In our next in-depth analysis, we will reveal the real infrastructure that powers this industrialization. We will guide you step by step through a modern and complex PhaaS platform, demonstrating exactly how the TTPs described in this article function in a real operational environment.
