ByteDance Live Panel: An Advanced Phishing-as-a-Service Kit with Real-Time Monitoring
Phishing kits have come a long way from static templates and basic credential harvesters.
Traditionally, these kits were simple packages containing collections of fake login pages and basic scripts that attackers had to deploy and manage themselves. In recent years, however, that do-it-yourself approach has given way to phishing-as-a-service (PhaaS) platforms.
These solutions offer far more than just files to download: they provide attackers with phishing page templates, centralized dashboards, and deployment tools—all with minimal setup required.
One recently discovered example, known as ByteDance Live Panel, illustrates just how far this model has progressed. In this post, we take a closer look at how this kit operates, what capabilities it offers, and why it represents an evolution in phishing tactics.
Discovery of ByteDance Live Panel
In late March 2025, researchers at Abnormal AI observed ByteDance Live Panel being advertised on a popular cybercriminal forum. Its developers position the kit as an easy way for would-be attackers to deploy unlimited phishing pages from a central dashboard. It was even marketed with a free trial for members of a notorious carding forum—an unusual tactic likely aimed at attracting a wide user base among fraudsters.

From one web-based interface, an attacker can spin up fake login pages or payment forms for different brands, monitor targets in real time, and harvest a treasure trove of sensitive data.
This centralized control panel puts a remarkable amount of power at an attacker’s fingertips. It’s a one-stop control center that a single fraudster (or a team) can use to launch what essentially amounts to a full-scale phishing operation with multiple campaigns running simultaneously.
What sets this PhaaS kit apart is its real-time feedback loop that allows attackers to observe target activity as it happens and adjust their tactics in the moment. This live interaction is also what gives the kit its name. ByteDance Live Panel blurs the line between traditional phishing pages and fully interactive scam sessions, marking a significant step forward in the evolution of phishing-as-a-service.
The Architecture of a Phishing-as-a-Service Platform
Once our team looked beyond the forum post and into the ByteDance Panel itself, we found a remarkably feature-rich toolkit. This isn’t a simple phishing kit; it is, in effect, an entire platform for interactive, targeted phishing.
Below, we break down the most important technical capabilities of this kit to show how it enables more convincing, scalable, and harder-to-detect attacks.
1. Live Session Monitoring
One of the kit’s most powerful capabilities is its support for real-time session monitoring. As soon as a user lands on a phishing page and begins entering information, their inputs can be viewed live on the attacker’s dashboard.

This allows the threat actor to capture credentials, payment details, and other sensitive data the moment they are entered—and even follow the target’s activity as they move through different stages of the attack flow, such as progressing from a login page to a one-time password (OTP) prompt.
2. OTP and 3D Secure Interception
ByteDance Live Panel is designed to bypass two-factor authentication and payment verification mechanisms, including 3D Secure (3DS). It can intercept OTPs sent to the user, such as those delivered via text message for bank logins or online purchases requiring 3DS verification.

The phishing pages mimic legitimate verification prompts, tricking users into providing their codes. By capturing the 3DS code in real time, the attacker can silently complete fraudulent transactions or logins that would otherwise require confirmation from the target’s device.
3. Credit Card Collection
The kit doesn’t stop at harvesting usernames and passwords; it also captures complete payment card details, including the card number, expiration date, and CVV. But then it goes even further, collecting any secondary information needed to bypass fraud detection systems.

For example, if a phishing page is disguised as a payment form, the panel will not only save the card details but also prompt the user for any additional verification data, such as an OTP or answers to security questions.
4. Domain Spoofing and SSL Abuse
The operators behind ByteDance Live Panel understand that a convincing phishing page is key to a successful attack. The kit supports custom domain integration, allowing attackers to register look-alike domain names for their phishing pages—for example, my-upps-secure[.]com instead of ups[.]com—to deceive targets.

It also includes built-in SSL certificate support, enabling every phishing page to display the HTTPS padlock icon. By automating certificate issuance—likely through services like Let’s Encrypt—the kit ensures even novice attackers can easily turn on encryption, making their fake sites appear more legitimate and avoiding browser “not secure” warnings.
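One way a defender can screen hostnames (for example from Certificate Transparency entries or links in inbound mail) for look-alikes of the brands this kit impersonates. This is an added example, not code from the kit or from Abnormal AI; the brand-to-domain map, the function names and every sample hostname except the article's my-upps-secure[.]com are assumptions constructed for illustration.

```python
import re

# Brands named in the article; their legitimate domains are assumptions for this example.
BRANDS = {
    "ups": {"ups.com"}, "paypal": {"paypal.com"}, "dhl": {"dhl.com"},
    "interac": {"interac.ca"}, "shopify": {"shopify.com"},
}
DIGIT_SWAPS = str.maketrans("0135", "oles")  # common digit-for-letter swaps

def skeleton(token):
    """Undo digit swaps and collapse repeated characters: 'upps' -> 'ups'."""
    return re.sub(r"(.)\1+", r"\1", token.translate(DIGIT_SWAPS))

def edit_distance(a, b):
    """Levenshtein distance using a single rolling row."""
    row = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        prev, row[0] = row[0], i
        for j, cb in enumerate(b, 1):
            prev, row[j] = row[j], min(row[j] + 1, row[j - 1] + 1, prev + (ca != cb))
    return row[-1]

def lookalike_brand(hostname):
    """Return the brand a hostname imitates, or None when nothing matches or
    the host sits under that brand's own registrable domain."""
    host = hostname.lower().replace("[.]", ".").strip(".")
    labels = host.split(".")
    registrable = ".".join(labels[-2:])  # naive; production code needs the Public Suffix List
    tokens = [skeleton(t) for t in re.split(r"[.-]", ".".join(labels[:-1])) if t]
    for brand, own_domains in BRANDS.items():
        if registrable in own_domains:
            continue
        target = skeleton(brand)
        for tok in tokens:
            # Exact skeleton match for every brand; substring and one-edit
            # matches only for longer names, where they are less noisy.
            if tok == target or (len(target) >= 5 and
                                 (target in tok or edit_distance(tok, target) <= 1)):
                return brand
    return None

def triage(hostnames):
    """Map each flagged hostname to the brand it imitates."""
    hits = {h: lookalike_brand(h) for h in hostnames}
    return {h: b for h, b in hits.items() if b}

# The first hostname is the article's example; the rest are constructed samples.
SAMPLE = ["my-upps-secure[.]com", "paypa1-login.example", "tracking.ups.com",
          "secure-shopfy.example", "groups.example"]
print(triage(SAMPLE))
```

A hit is a triage signal rather than a verdict: a match should be weighed against domain age, certificate issuance time and page content before blocking.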
5. BIN-Based Targeting
One especially interesting advertised feature is BIN targeting. The Bank Identification Number (BIN) is the first six to eight digits of a credit card number and identifies the issuing bank and card type. The ByteDance Live Panel likely uses BIN targeting to customize the phishing experience to each user.

If the BIN corresponds to a specific bank or region, the kit can display that bank’s branding or route the target through a particular phishing flow. For example, an attacker can serve a Bank of America-style 3DS page to a BoA cardholder. This level of personalization helps make the scam appear more legitimate, increasing trust and lowering suspicion.
6. Pre-Built Branded Phishing Page Templates
ByteDance Live Panel also comes pre-loaded with templates impersonating a variety of well-known companies and services. We observed references to pages mimicking UPS, PayPal, DHL, Interac, and Shopify, among others. These ready-made templates allow attackers to quickly launch a range of phishing scenarios. Examples include:
- Package Delivery Scams: Fake UPS or DHL pages that ask the target to pay a small “delivery fee” or verify their address, enabling the collection of credit card details and login credentials.
- Payment Service Login Theft: Bogus PayPal login screens that capture usernames and passwords, which the attacker can then use or sell.
- Ecommerce and Banking: Phony Shopify store login pages or fake Interac money transfer sites that deceive users into entering banking credentials or email account passwords.

By providing a library of brand-specific phishing pages, ByteDance Live Panel makes it easy for attackers to tailor their lures to different targets without designing a page from scratch. An attacker could switch from a postal-service scam one day to a PayPal credential phish the next—all within the same toolkit.
Get Protection with Abnormal AI
ByteDance Live Panel exemplifies the next generation of phishing-as-a-service, combining real-time interactivity, dynamic targeting, and built-in tools that make even advanced attacks easy to execute.
Traditional security solutions that rely on static indicators or known malicious domains are ill-equipped to detect these adaptive, fast-moving campaigns. Defending against threats like ByteDance Live Panel requires an AI-native approach—one that understands user behavior, detects subtle anomalies, and stops evolving attacks before they reach the inbox.