For research institutions
PhishNet is designed for empirical phishing and fraud research: longitudinal country comparison, source-quality measurement, mule-route behavior, kit/campaign reuse, evidence readiness and public-safe observation modules derived from cached Belgian snapshots.
Advanced technical studies
CT-to-URLScan-to-liveness early-warning chains
How certificate timing, public scans and technical reachability create an early-warning chain.
Email-header clustering and campaign identity
How Message-ID, DKIM selectors, return paths and relay chains connect phishing campaigns.
Kit fingerprinting with DOM, JS, favicon and redirect features
How repeated technical features reveal phishing kit reuse across fast-changing domains.
Panel-path and exposed-artifact weakness intelligence
How CERT-safe kit weakness intelligence can help expose attacker operations without publishing exploit steps.
QR, PDF and OCR extraction for payment-route research
How images and documents hide payment, link and contact routes from text-only pipelines.
TDS and cloaking measurement without unsafe interaction
A defensive method for studying traffic-direction systems, geofencing and scanner evasion.
Country comparison
Belgian brand impersonation beyond .be domains
Why Belgian relevance must be based on brands, language, lures and infrastructure, not only `.be` domains.
Belgium, France, Germany and the UK: cross-border campaign reuse
How campaigns migrate between larger neighboring markets and Belgium.
Belgium, Netherlands and Luxembourg: phishing differences
How Benelux markets differ in language, brands, TLDs, payment flows and source visibility.
Official baselines and false-positive suppression
Why trusted baselines are as important as suspicious-source intake.
Economics
IBAN, QR and payment-reference mining
How OCR and QR extraction reveal payment patterns in phishing evidence.
Malicious ads and search arbitrage in phishing
How attackers convert paid or manipulated visibility into victims.
Mule recruitment marketplaces and cash-out logistics
How mule recruitment and payment routing create a reusable monetization layer.
Mule-route intelligence: IBAN, phone and wallet reuse
How payment and contact artifacts connect phishing to financial harm.
The economics of fake investment platforms
How fake trading, crypto and recovery-room scams turn attention into payment routes.
The economics of phishing-as-a-service
How kits, traffic, ads, hosting, mules and credentials form a repeatable fraud economy.
Wallet and crypto off-ramp correlation
How wallets and crypto payment routes appear in phishing and fake investment flows.
Kit families
Banking login kit fingerprints
How banking kits reuse visual assets, form logic, panels and exfiltration routes.
Crypto drainer and fake-wallet kit signals
How wallet-drainer and fake crypto support campaigns expose reusable technical artifacts.
Evilginx-style reverse-proxy markers
Safe defensive indicators for reverse-proxy phishing patterns.
M365 and AiTM kit families in phishing campaigns
How reverse-proxy and Microsoft 365-focused kits change evidence requirements.
OTP bot and MFA interception kit intelligence
How OTP bot ecosystems connect kits, handles, phone routes and operator chatter.
Parcel-delivery and smishing kit families
How parcel-themed mobile kits reuse templates, shortlinks and payment flows.
Kit weakness intelligence
PhishNet field observations
Belgian brand abuse on .top, .xyz, .shop and other non-local TLDs
Why country relevance must look at brand, language, lure and evidence instead of only Belgian registry space.
Belgian brand pressure and multilingual lure adaptation
How Dutch, French and English lure variants shape Belgian brand-targeting research.
Evidence readiness as the bottleneck in phishing response
Why the difference between a suspicious URL and an action-ready case matters for CERTs, researchers and abuse desks.
How public warnings and OSINT feeds reinforce each other
Why official Belgian warnings and open OSINT sources become more valuable when fused.
Mule-route behavior in Belgian phishing
How IBANs, phones, wallets, QR payloads and payment references connect phishing pages to fraud monetization.
Shortlink and callback-route behavior in Belgian smishing
Why SMS phishing should be studied as a route graph rather than a final-domain list.
Source overlap as a confidence signal in phishing OSINT
How independent source families turn weak signals into stronger review candidates without hiding uncertainty.
What 93 unique attack-kit captures reveal about phishing infrastructure
A public-safe analysis of 93 production kit-vault captures, showing what deduplicated raw evidence can teach police officers, researchers and CERT teams without publishing the kits.
Why current-feed presence is not liveness
A research note on why feeds, screenshots and technical reachability must remain distinct.
Why raw cyber evidence needs an observation dataset
Raw vault material becomes useful to police, researchers and insurers only when every artifact has collection time, source, method, target, provenance, policy and safe derived features attached.
Psychology
Loss aversion and account-lock phishing
How attackers use the fear of losing access, money or identity to accelerate risky decisions.
Multilingual phishing lures in Dutch, French and English
Why multilingual campaigns create country-specific detection challenges.
The psychology of urgency, authority and trust in phishing
Why phishing succeeds by borrowing institutional trust and compressing decision time.
Trust transfer in Belgian public-service lures
How attackers borrow credibility from tax, identity, police and administrative services.
Quarterly flagship reports
Belgium phishing landscape: a quarterly research framework
A flagship quarterly report template for Belgium phishing pressure, sources, brands, kits, mules, smishing, fake finance and evidence readiness.
Benelux smishing and mule route report
A cross-border report template for smishing, shortlinks, callbacks, IBAN/phone routes and campaign reuse across Belgium and neighbors.
Phishing kit reuse and weakness intelligence
A defensive quarterly report on kit families, safe weakness categories, exposed artifacts, campaign DNA and CERT handoff value.
Research method
Research methods
Ethics and legal boundaries in active OSINT research
How authorized active collection can support public-interest phishing research without unsafe disclosure.
Graph modeling for phishing infrastructure
How domains, routes, evidence, kits and sources become a research graph.
Longitudinal country comparison design for phishing research
How to compare Belgium, Benelux and neighboring countries without confusing source bias with threat pressure.
Measuring source uniqueness and noise in phishing OSINT
A method for judging whether a source increases usable intelligence or only volume.
Redaction methodology for dangerous public IOCs
How to publish useful phishing research without distributing operationally dangerous indicators.
Reproducible public phishing snapshots
How daily fixed snapshots make public cybercrime research more auditable.
Survivorship bias in phishing datasets
Why fast-disappearing campaigns and failed evidence captures distort public phishing research.
Societal and economic studies
Fake investment funnels and recovery-room fraud
How fake trading platforms and recovery scams blend phishing, persuasion and payment routing.
Mule recruitment as fraud infrastructure
Why mule recruitment should be studied as infrastructure, not only as an after-effect.
Phishing harm beyond credentials
A broader harm model covering payments, identity, malware, trust erosion and institutional workload.
Public-sector trust abuse and institutional impersonation
How attackers exploit citizen trust in identity, tax, police, health and administrative journeys.
Technical
Callback number watch and support-route spoofing
How phone routes bridge phishing, vishing and payment fraud.
Certificate Transparency as phishing early warning
How certificate issuance can reveal brand abuse before full deployment.
Common Crawl and public web OSINT for phishing
How public web archives and indexes provide context without live scanning.
Email-header clustering for phishing campaigns
How Message-ID, Return-Path, DKIM selectors and relay chains support campaign clustering.
Homoglyph, IDN and lookalike domain monitoring
How Unicode, keyboard proximity and lexical similarity affect early-warning detection.
Malware and credential theft after phishing
How phishing can lead to stealers, loaders, credential theft and session compromise.
Passive DNS, ASN and hosting reuse
How infrastructure recurrence connects campaigns across changing domains.
QR phishing and PDF evidence
How QR codes, PDFs and metadata move phishing away from visible URLs.
Sender-ID abuse and Belgian mobile trust
How sender labels, timing and local brands shape smishing conversion.
Smishing, shortlinks and callback routes in Belgium
Why mobile phishing needs sender, shortlink, redirect and phone-route intelligence.
TDS, cloaking and anti-bot phishing infrastructure
Why phishing pages behave differently by scanner, country, browser or timing.
URLScan evidence and redirect-chain analysis
Why screenshots, DOM, redirects and network traces matter for phishing evidence.
Weekly public reports
Belgian smishing routes this week: shortlinks, callbacks and mobile lures
A public-safe weekly report template for understanding Belgian smishing through shortlinks, callback numbers, sender patterns and lure families.
Brand abuse on non-local TLDs: why Belgian phishing is not only .be
A country-relevance report on Belgian brands abused through .top, .xyz, .shop and other non-local TLDs.
Evidence readiness and takedown bottlenecks in phishing response
A weekly report structure for measuring what is ready for action, what needs evidence, and where response gets delayed.
Fake investment platforms and celebrity-ad abuse: a weekly evidence view
A report format for celebrity investment scams, cloned firms, fake trading brands, recovery-room narratives and ad/search evidence.
Kit reuse and exposed attacker infrastructure: what public evidence can show
A report on phishing kit fingerprints, panel-path reuse, exposed artifacts, redirect patterns and CERT-safe weakness intelligence.