The phishing-as-a-service kit 16shop let its operators deploy mass phishing sites impersonating major brands and collect victims' data for years, until its administration and servers were taken down through cooperation between Trend Micro and Interpol. The operation relied on cloud hosting, multilingual configurations and license-based panels, and ended with international law-enforcement action and arrests in Indonesia and Japan.
Key points
- 16shop has been active since 2018 and targeted brands such as Amazon, American Express, PayPal, Apple, and Cash App.
- Trend Micro and Interpol coordinated arrests of 16shop operators and takedown of main servers in 2023, with actions in Indonesia and Japan.
- The kit provides a licensing mechanism and a web panel to generate numerous phishing sites by changing configuration files.
- Phishing pages support multiple languages and include anti-bot, anti-sandbox, and geo-restriction defenses to evade detection.
- Phishing infrastructure often runs on cloud services (notably DigitalOcean); specific IPs and ASN details tie the servers to their hosting providers.
- Domain history shows a timeline from 2017–2021 (16digit.shop → 16shop.online → 16shop.us → 16shop.co → 16shop.vip), with OSINT linking responsible actors to aliases like RNS/DevilScream.
- The operation involved collecting and exfiltrating stolen data (e.g., PII, credit card data) and even using Telegram via API for data transfer.
MITRE Techniques
- [T1566.001] Phishing – The kit lets subscribers “set up their own phishing panel and generate a lot of phishing sites and potential victims.”
- [T1583.001] Acquire Infrastructure – Operators deploy the kit to a virtual private server (VPS), install PHP, and copy the kit there to run phishing sites.
- [T1497] Virtualization/Sandbox Evasion – Anti-bot features such as recognising security-related IP addresses, anti-sandbox checks, and geo-restriction of access.
- [T1041] Exfiltration Over C2 Channel – Collected data is exfiltrated from victims, including via the Telegram API: “collecting the stolen PII in the form of email, log files, or even from chat apps like Telegram via API.”
Indicators of Compromise
- [IP Address] Phishing server IPs observed – 128.199.154.155, 178.128.104.179, and 68.183.236.100 (contexts include hosting various 16shop kits)
- [Domain] Phishing-related domains – 16shop.co, 16shop.us, 16shop.vip, 16shop.online (contexts include hosting admin panels and phishing pages)
- [File/Archive] Phishing kit distributions – 16Shop-Apple-V2.zip, 16Shop-Apple-V1.9.7.zip (examples of kit packages used in deployments)
- [ASN] Hosting provider – AS14061, DigitalOcean, LLC (context includes servers hosting multiple 16shop kits)
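A defender can turn the indicators above into a simple log sweep. The following is an added example, not code from the report or from Trend Micro; it assumes a constructed four-field proxy log format (timestamp, source IP, destination IP, URL) and matches each line against the page's domains (including subdomains, but not look-alike suffixes such as 16shop.co.example.org), server IPs and kit archive names.

```python
"""Match web-proxy log lines against the 16shop indicators listed above."""
import re
from urllib.parse import urlparse

# Indicators as given on this page (domains, server IPs, kit archive names).
IOC_DOMAINS = {"16shop.co", "16shop.us", "16shop.vip", "16shop.online"}
IOC_IPS = {"128.199.154.155", "178.128.104.179", "68.183.236.100"}
IOC_ARCHIVES = {"16Shop-Apple-V2.zip", "16Shop-Apple-V1.9.7.zip"}

# Constructed sample log lines; the "ts src dst url" layout is an assumption.
SAMPLE_LOG = """\
2023-08-01T10:00:01Z 10.0.0.5 203.0.113.7 https://example.com/index.html
2023-08-01T10:00:05Z 10.0.0.5 128.199.154.155 http://login.16shop.vip/apple/index.php
2023-08-01T10:00:09Z 10.0.0.9 198.51.100.4 https://cdn.example.net/dl/16Shop-Apple-V2.zip
2023-08-01T10:00:12Z 10.0.0.9 198.51.100.4 https://16shop.co.example.org/
2023-08-01T10:00:15Z 10.0.0.7 68.183.236.100 http://68.183.236.100/amazon/
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def host_matches(host, domains):
    """True when host equals an IoC domain or is a subdomain of one.
    Compare label-wise so '16shop.co.example.org' does NOT match."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def scan_line(line):
    """Return the list of (indicator_type, value) hits for one log line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return []  # malformed line: skip rather than crash the sweep
    _ts, _src, dst, url = m.groups()
    hits = []
    if dst in IOC_IPS:
        hits.append(("ip", dst))
    parsed = urlparse(url)
    host = parsed.hostname or ""
    if host_matches(host, IOC_DOMAINS):
        hits.append(("domain", host))
    name = parsed.path.rsplit("/", 1)[-1]  # last path segment
    if name in IOC_ARCHIVES:
        hits.append(("archive", name))
    return hits


def scan_log(text):
    """Return {line_number: hits} for every line with at least one hit."""
    result = {}
    for n, line in enumerate(text.splitlines(), start=1):
        hits = scan_line(line)
        if hits:
            result[n] = hits
    return result
```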