Skip to main content
Live Webinar with SANS (June 25)— Agentic CTI Automation for Fun & ProfitRegister Free
Mallory
Back to malware
MalwareUsed by 1 actor

CoinBait

CoinBait is an AI-assisted phishing kit (tracked by Google Threat Intelligence Group in November 2025) designed for credential harvesting. It masquerades as a major cryptocurrency exchange to steal victims’ login details. Google’s analysis indicates CoinBait’s development was accelerated using AI code generation tools and that a sample was built using Lovable AI, implemented as a complex React website. The kit includes detailed/verbose analytics-style logging (noted as a potential indicator of LLM-assisted code, including messages prefixed with “Analytics:”) and is described as tracking and stealing data. CoinBait operators were observed hiding infrastructure behind Cloudflare and other trusted services to reduce detection. Google assessed with high confidence that a portion of CoinBait activity overlaps with UNC5356, a financially motivated threat cluster (noted as known for SMS and phone phishing).

Share:
For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial
THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

View more details
CryptoChameleon

In November 2025, GTIG found COINBAIT, a phishing kit built with help from AI. It pretends to be a major crypto exchange to steal login details.

via security affairssecurityaffairs.com
MITRE ATT&CK

Techniques & procedures

4 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

1 technique
T1566PhishingEvidence2

"used the model for ... phishing lure generation"

Credential Access

2 techniques
T1056.004Credential API HookingEvidence1

"AI-generated phishing kit codenamed COINBAIT ... masquerades as a cryptocurrency exchange for credential harvesting."

T1555Credentials from Password StoresEvidence1

"UNC6418... seeking sensitive account credentials and email addresses"; "CoinBait... masquerades as a major cryptocurrency exchange for credential harvesting."

Collection

1 technique
T1056.004Credential API HookingEvidence1

"AI-generated phishing kit codenamed COINBAIT ... masquerades as a cryptocurrency exchange for credential harvesting."

Command and Control

1 technique
T1090ProxyEvidence1

“The attackers hid their systems behind Cloudflare and trusted services to avoid detection.”

ACTIVITY FEED

Recent activity

4 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

4 SOURCESView more in app
sentinelone blogNews
Feb 13, 2026
The Good, the Bad and the Ugly in Cybersecurity - Week 7

A phishing kit referenced as being enhanced with AI-assisted capabilities (via Google Gemini) to support malicious campaigns; specific functionality beyond phishing is not described in the content.

Read more
security affairsNews
Feb 13, 2026
Google: state-backed hackers exploit Gemini AI for cyber recon and attacks

AI-assisted phishing kit impersonating a major cryptocurrency exchange to steal credentials; implemented as a complex React site with analytics-style logging for tracking/exfiltration, and infrastructure obfuscated behind Cloudflare and other trusted services.

Read more
bank info securityNews
Feb 13, 2026
State Hackers Turn Google AI Into Attack Acceleration Tool

Phishing kit that impersonates a cryptocurrency exchange to harvest credentials; assessed to have been built/accelerated using AI code generation tools (Lovable AI mentioned).

Read more
the hacker newsNews
Feb 12, 2026
Google Reports State-Backed Hackers Using Gemini AI for Recon and Attack Support

AI-generated phishing kit that impersonates a cryptocurrency exchange to harvest credentials; some activity attributed to financially motivated cluster UNC5356.

Read more
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
Start free trial
IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution1

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping4

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.