
Inside the Underground Economy of Social Engineering

by Maddie Bullock

The phishing site was live for less than six hours. You've equipped your team with excellent threat intelligence and takedown services. Or so you thought.

By the time the takedown request reached the appropriate provider, the infrastructure had already shifted. A new domain appeared with the same login page, your branding, and the same lure. The hosting provider was different. The language was different. That's when you realize the campaign never really stopped; it just rerouted.

In the moment, it feels like chaos. But to threat actors, it's commerce.

Modern social engineering is no longer driven by lone scammers improvising emails or phone calls. It operates as a coordinated underground economy, complete with developers, resellers, service desks, subscription models, and performance optimization. Phishing kits are licensed. Impersonation assets are packaged. AI tools automate targeting, language, and timing. Every stolen credential is treated as inventory. Every campaign feeds the next.

What appears to defenders as a flood of disconnected scams is, in reality, a market-driven system built for efficiency and scale. And as ZeroFox Intelligence continues to track activity across the surface, deep, and dark web, one pattern is clear. The most dangerous social engineering attacks are not powered by creativity alone. They are powered by economics.

This article explores how social engineering evolved into an industrialized business model, why AI has accelerated its growth, and what it takes to disrupt an ecosystem that profits from human trust.

From Lone Scammers to Supply Chains

A decade ago, many social engineering attacks could be traced back to individuals or small, loosely organized groups. Success depended on personal skill: writing convincing messages, maintaining fake personas, and manually managing infrastructure. Moreover, scale was limited by time, language, and effort.

In 2026 that constraint no longer exists.

ZeroFox Intelligence analysis shows that today’s most effective social engineering campaigns resemble supply chains more than scams. Distinct roles handle each stage of the operation, allowing threat actors to specialize, outsource, and scale with efficiency that mirrors legitimate SaaS businesses.

At the top of the chain are developers, who build and maintain phishing kits, impersonation frameworks, and automation tools. These kits are updated regularly to evade detection, integrate MFA bypass techniques, and support new brands or financial platforms. Updates are pushed quickly, often within hours of a technique being flagged by defenders.

Next are operators and resellers, who license or rent these tools. They deploy campaigns across disposable domains, SMS gateways, social platforms, and search results. Many never modify the underlying infrastructure at all. Their value lies in distribution, timing, and volume.

Supporting them are facilitators: hosting providers advertising bulletproof services, proxy networks that obscure origin, voice-cloning vendors, and AI persona generators. These services reduce friction and skill requirements, allowing even inexperienced actors to launch professional-grade campaigns.

Finally, brokers monetize the output. Stolen credentials, session cookies, and verified access are sold onward to fraud crews, initial access brokers, or ransomware affiliates. In this economy, compromise becomes a product more than simply the end goal.

This division of labor explains why takedowns feel fleeting. Removing one domain or account rarely disrupts the system behind it. The infrastructure is designed to absorb losses, reroute quickly, and continue generating profit.

The Marketplace Model of Social Engineering

Once social engineering became modular, it became marketable. Modern social engineering operations are structured around marketplaces that closely resemble legitimate software ecosystems. Much like modern B2B sales, these platforms do not simply sell tools; they market outcomes.

Listings advertise phishing kits by brand compatibility, MFA bypass capability, and success rate. Sellers highlight features, update cadence, and evasion techniques, and many include screenshots of dashboards and customer testimonials to establish credibility. Pricing is tiered, with entry-level kits offered at low monthly rates and premium packages commanding significantly higher fees for financial services, payroll platforms, or enterprise SaaS targets.

And similar to legitimate SaaS marketplaces, buyers shop by use case. Some want bulk credential harvesting. Others want executive-targeted Business Email Compromise workflows. Still others purchase brand impersonation packages designed to exploit seasonal demand, regulatory deadlines, or customer service surges. SEO poisoning and LLM manipulation are increasingly sold as placement services, steering users and AI assistants toward attacker-controlled portals instead of legitimate sites.

What elevates these markets beyond simple tool exchanges is their level of professionalization. ZeroFox analysts have observed dark web marketplaces offering service desks, ticketing systems, and even dispute resolution mechanisms. Some vendors advertise operational security guidance, legal disclaimers, or “safe use” recommendations to reduce buyer risk. In effect, these platforms mirror the customer experience of legitimate SaaS providers while enabling criminal activity at scale.

This marketplace model accelerates innovation. When a new technique proves effective, such as a novel MFA relay method or a convincing voice-clone workflow, it is rapidly packaged, priced, and resold. Traditional defensive controls may take weeks or months to adapt while underground markets can pivot in days.

For defenders, this explains why social engineering campaigns appear persistent and iterative. They are not improvised. They are purchased, optimized, and redeployed through an economy designed to reward speed, scale, and adaptability.

Phishing-as-a-Service: The Subscription Engine of the Underground Economy

If the marketplace is where social engineering is bought and sold, Phishing-as-a-Service (PhaaS) is the model that keeps it running.

PhaaS platforms transform complex fraud operations into subscription-based services that lower the barrier to entry for cybercrime. Instead of building infrastructure or crafting lures from scratch, buyers can rent ready-made attack environments. Pricing typically follows familiar SaaS patterns, with low-cost monthly plans for generic credential harvesting and premium tiers aimed at financial services, payroll systems, and enterprise SaaS platforms.

What makes PhaaS particularly dangerous is how thoroughly it removes skill from impact. Operators do not need deep technical knowledge to run sophisticated campaigns. The platform handles domain rotation, page cloning, and often real-time MFA interception. Some services provide pre-written “letters” designed to bypass spam filters, while others bundle voice-cloning or SMS delivery options to support multi-channel attacks.

Furthermore, vendors advertise onboarding guidance, update schedules, and responsive support channels. In some forums, buyers can submit tickets, request feature enhancements, or dispute service quality. This professionalization mirrors legitimate SaaS operations and reinforces trust between criminal sellers and customers.

From an economic perspective, PhaaS shifts incentives toward volume rather than precision. Platform operators profit whether individual campaigns succeed or fail, as long as subscriptions continue. Failed attempts generate data that refine templates and tactics, feeding back into the platform. The result is a self-improving system where lessons learned from one victim are rapidly applied to the next.

For defenders, PhaaS explains why phishing activity remains relentless even as individual domains and campaigns are disrupted. Blocking one instance does little to slow a subscription-based engine. Disruption must target the ecosystem, not just the surface artifacts it produces.

AI as the Force Multiplier

Before generative AI, even well-organized fraud crews faced constraints. Writing believable messages took time. Maintaining multiple personas required effort. Language barriers, time zones, and fatigue naturally capped how many victims one operator could manage at once. AI eliminated those constraints almost overnight.

Today, AI functions as the force multiplier that binds the underground economy together. Large language models generate region-specific, role-aware messaging that mirrors corporate tone, internal jargon, and geographic or cultural nuance. Voice-cloning tools reproduce cadence, accent, and emotion well enough to pass as trusted colleagues or executives. Image generators create convincing profile photos, documents, and branded assets that would have once required professional design skills.

More importantly, AI enables scale with consistency. Autonomous or semi-autonomous agents can manage dozens of conversations simultaneously, remember personal details, adjust emotional pacing, and introduce financial requests at precisely calibrated moments. What once required a skilled manipulator can now be executed by low-skill operators using pre-trained workflows.

ZeroFox Intelligence has observed AI being used not just to craft lures, but to optimize entire campaigns. Models analyze which messages generate higher response rates, which timing produces clicks, and which personas convert faster. These insights are fed back into phishing kits and PhaaS platforms, accelerating iteration cycles far beyond traditional defensive response timelines.

AI also plays a role in evasion. Generated content avoids the grammatical errors and formatting anomalies that legacy filters were built to detect. LLM poisoning techniques manipulate search engines and AI assistants so that malicious portals surface alongside or instead of legitimate resources. In this environment, it's easy to see how even cautious users can be steered toward fraudulent infrastructure without encountering obvious warning signs.

What we're seeing in 2026 is an underground economy that learns faster than it can be blocked. AI does not replace human intent, but it amplifies it, compressing the time between experimentation and exploitation. For defenders, this means that disruption strategies must assume automation on the adversary side. Static controls slow individual attacks. Intelligence-led detection and ecosystem-level disruption are required to slow the system that produces them.

Disrupting the Economy, Not Just the Attack

If social engineering now operates like a business, then defending against it requires more than reactive controls. It requires economic pressure. The goal is no longer to block every phishing email or take down every fake domain in isolation. It is to raise costs, slow operations, and dismantle the infrastructure that allows this underground economy to function.

That’s why ZeroFox approaches social engineering as an ecosystem problem rather than a series of incidents. Intelligence identifies patterns, but disruption changes outcomes. By targeting the services, assets, and dependencies that threat actors rely on to operate at scale, organizations can force attackers to expend more time, money, and effort for diminishing returns.

Removing Fuel From the Fire

Long before a phishing email is sent or a fake persona is activated, threat actors rely on exposed personal data to build credibility. Publicly available phone numbers, addresses, executive bios, and family details all make impersonation easier and more convincing.

ZeroFox’s PII removal capabilities reduce this attack surface by continuously identifying and removing sensitive data from data broker sites, forums, and public sources. While this does not eliminate risk entirely, it deprives attackers of the raw material they use to personalize lures and establish trust.

In economic terms, it raises acquisition costs. When personalization becomes harder, conversion rates drop.

Turning Intelligence Into Adversary Disruption

Modern campaigns depend on speed. Phishing sites rotate quickly. Impersonation accounts appear and disappear. Hosting shifts across jurisdictions. ZeroFox’s adversary disruption capabilities are designed to move at the same pace as the threat, translating intelligence directly into action.

Rather than waiting for downstream impact, ZeroFox helps organizations:

  • Identify and dismantle phishing infrastructure across domains, hosting providers, and platforms
  • Disrupt impersonation campaigns targeting brands, executives, employees, and customers
  • Correlate activity across surface, deep, and dark web sources to expose reuse and coordination

The result is not just removal, but interruption. When attackers are forced to rebuild repeatedly, campaigns slow, errors increase, and profitability declines.

Takedowns as Strategy, Not Cleanup

Takedowns are often viewed as hygiene. Necessary, but reactive. In an industrialized threat environment, they become strategic when executed at scale and with context.

Next-generation takedowns focus on:

  • Speed, minimizing the operational window for attackers
  • Coverage, spanning domains, social platforms, mobile apps, and hosted content
  • Intelligence feedback loops, using takedown data to map campaigns and identify upstream providers

When takedowns are tied to intelligence, they stop being isolated actions and start becoming a form of pressure applied across the supply chain of social engineering.

Applying Pressure at Scale with the Global Disruption Network

Social engineering thrives on distribution. Domains, accounts, apps, and content are scattered across platforms and jurisdictions to evade enforcement. The Global Disruption Network exists to counter that fragmentation.

By combining established relationships with registrars, hosting providers, social platforms, and infrastructure operators, ZeroFox enables coordinated takedowns that go beyond single assets. The Global Disruption Network blocks in-flight attacks at scale while takedowns process, so if the takedown request takes days to process, the malicious content isn’t accessible during that time. Instead of chasing one domain at a time, organizations can dismantle entire clusters of malicious infrastructure in parallel.

This coordinated approach matters because speed is everything. The shorter the lifespan of malicious assets, the less value they generate. When campaigns are disrupted early, downstream fraud, account takeover, and ransomware access are often prevented entirely.

Shifting the Economics of Social Engineering

The underground economy of social engineering persists because it is profitable. Every credential harvested, every impersonation that succeeds, and every subscription renewed reinforces the model. Disruption, well, disrupts that cycle.

When campaigns are interrupted early, infrastructure is dismantled faster than it can be rebuilt, and impersonations are removed before trust is established, attackers are forced to absorb costs rather than generate returns. This is how defenders regain leverage.

By combining visibility across the external attack surface with coordinated disruption capabilities, organizations can move from reacting to individual scams toward actively degrading the systems that produce them.

In a world where trust has become a commodity, the most effective defense is not just detection. It is making deception expensive. 

Continue learning about modern social engineering with the Detective’s Field Guide to Social Engineering. Or, get started bolstering your intelligence and disruption capabilities with a demo of the ZeroFox Platform.

Maddie Bullock

Content Marketing Manager

Maddie is a dynamic content marketing manager and copywriter with 10+ years of communications experience in diverse mediums and fields, including tenure at the US Postal Service and Amazon Ads. She's passionate about using fundamental communications theory to effectively empower audiences through educational cybersecurity content.

Tags: Cyber Trends, Phishing
