Platform capability

OSINT fusion for phishing and fraud

PhishNet is graph-based phishing OSINT: source intake, enrichment, evidence, graph relationships, analyst decisions and exports in one model.

Request demoRead researchOpen dashboard

Direct answer

Is this a blocklist? No. It is an OSINT fusion and evidence workflow that keeps provenance, confidence and confirmation state visible.

Research framing

OSINT fusion means joining independent evidence classes rather than stacking feeds. A single domain can be weak; the same domain connected to CT timing, URL evidence, brand targeting, liveness, source quality and a repeated kit marker becomes actionable intelligence.

Attack mechanism

The platform separates collection, enrichment, correlation and action. Workers collect feeds, official warnings, DNS, CT, URLScan-style evidence, active OSINT, ads/search, credential metadata, mule routes and baselines. User pages read snapshots and graph projections.

Evidence and source model

Evidence includes provenance, source tier, confirmation state, freshness, liveness, screenshots, redirect chains, hashes, extracted entities, source contribution and export history.

Belgian and European relevance

For CCB/CERT and Belgian operators, fusion is what makes non-`.be` brand abuse, mule routes, smishing, fake investment platforms and kit reuse visible in one place.

How PhishNet operationalizes this

PhishNet operationalizes fusion through Belgian Live Feed, Fusion Graph, Entity Workbench, Evidence, Kit Intelligence, Active OSINT, Source Factory and CCB/CERT export profiles.

Analyst implications

The operational question is not whether an isolated row looks interesting. The question is whether the signal is fresh, provenance-rich, corroborated, evidence-ready and connected to brands, sectors, infrastructure, kits, mule routes or public-warning context. PhishNet therefore presents confirmed, corroborated suspicious, review-candidate and context-only states separately.

Limits and uncertainty

Fusion does not remove uncertainty. Weak or context-only data is never upgraded to confirmed without official, trusted, corroborated or analyst-confirmed support.

Research takeaway

Phishing intelligence becomes valuable when repeated structure appears: the same brand on new infrastructure, the same kit across domains, the same phone or IBAN route after takedowns, the same ad/search pathway, or the same evidence pattern in multiple independent source families.

How PhishNet uses this

Inside PhishNet this topic is treated as operational graph context: observations are linked to sources, evidence, Belgian relevance, confirmation state, liveness, campaigns and exports. Public pages explain the method; authenticated users can pivot into the full platform workflow when a signal needs investigation or handoff.

Selected sources and research

These pages combine PhishNet platform knowledge with public research, official Belgian sources and open OSINT documentation.

APWG Phishing Activity Trends Reports ENISA Threat Landscape 2025 Why Phishing Works, Dhamija, Tygar and Hearst, CHI 2006 CCB Belgium: phishing messages surge urlscan.io API documentation Microsoft Ad Library API Common Crawl CDX Index

Common questions

Is this a blocklist?

No. It is an OSINT fusion and evidence workflow that keeps provenance, confidence and confirmation state visible.

Does public browsing trigger collection?

No. Public pages use static content and cached daily modules; heavy work runs in workers.

Related reading

Knowledge

The phishing knowledge graph

Why phishing intelligence becomes more powerful when indicators are connected into a graph.
Knowledge

The phishing attack chain

How phishing moves from preparation to delivery, capture, monetization and reuse.
Knowledge

Phishing OSINT research

How open-source phishing research becomes operational intelligence for public-sector and CERT teams.