Across three independent threat feeds, we are tracking a coordinated effort to impersonate your brand and harvest live customer credentials. This is the most impersonation activity we see against any Belgian bank in our sample set — by an order of magnitude.
Five findings, in order of how much they should worry you. Every one is backed by defanged, independently verifiable evidence later in this brief.
One of the 428 assets is not like the others. Most phishing reuses a hijacked website or a free host — cheap, disposable, gone in days. This one is different: a credential-harvesting page running on a fixed IP address stood up specifically to target your customers. It serves a pixel-accurate copy of your online-banking login, captures whatever a customer types, and relays it onward in real time. It is purpose-built infrastructure, and it scores 88 out of 100 on our risk model — the highest in this set.
The clone is one piece of a chain. Here is how a single customer goes from an unremarkable text message to a drained account — and where the window to intervene actually is.
The decisive interval is stages 01–02: once the lure is sent and the clone is live, intervention means removing the asset. Every hour it stays up is exposure. This is why time-to-takedown, not just detection, is the metric that matters.
Confirmed live assets, highest-risk first. The full IOC set — all 428 — is available to your SOC on request, in STIX 2.1 / MISP / CSV.
| Malicious asset | Type | Source / kit | Risk | Observed |
|---|---|---|---|---|
| 203.0.113.70/origin/onlinebanking/home1.php (dedicated IP infrastructure, credential capture) | IP / URL | phishdb | 88 | 5 Jun 2026 |
| be-retail01-login[.]example/internetbanking (fake online-banking login) | URL | phishdb | 81 | 5 Jun 2026 |
| app-be-retail01[.]example / be-retail01-app-login[.]example (mobile app clones ×2, shared kit) | URL ×2 | krogza | 79 | 5 Jun 2026 |
| sms-be-retail01[.]invalid (smishing lure infrastructure) | domain | phishdb | 72 | 5 Jun 2026 |
| + 424 further assets impersonating the brand | | phishdb 312 · krogza 98 · phishdestroy 18 | | full IOC set available on request |
These are not 428 unrelated incidents. A shared kit fingerprint — the same reused code and assets — links the high-severity clones back to a single operator running infrastructure at scale. Treating each domain as a one-off misses the point: take down one storefront and the operator opens another.
- … of high-severity clones trace to one fingerprint.
- … attacker-owned host clusters, not hijacked sites.
- … live domains from the same operator.
The same passive method, applied identically across the Belgian banking sector, puts the scale in context. Being the market leader and being the primary target turn out to be the same thing.
Most threat intelligence is a screenshot and a claim. Ours is a record. Every finding in this brief carries its full chain of custody — captured from an EU source, SHA-256 hashed, and (where required) sealed with a qualified RFC 3161 timestamp. That is the difference between “we saw it” and evidence an auditor, insurer or court will accept.
- ICT third-party & incident evidence, ready for the resilience file.
- Threat context that survives reporting and supervisory review.
- Qualified timestamps give findings evidentiary weight.
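The chain-of-custody step described above (capture, SHA-256 hash, RFC 3161 timestamp), as an added example that is not PhishNet's code: it hashes a constructed artifact and builds the DER-encoded TimeStampReq that would be posted to a timestamp authority. The artifact bytes, the nonce and the storage format are assumptions; nothing is sent over the network.

```python
"""Chain-of-custody step for a captured phishing artifact: SHA-256 it and build the
RFC 3161 TimeStampReq that a TSA seals. Example code, not the vendor's; no network I/O."""
import hashlib
import secrets

OID_SHA256 = bytes.fromhex("608648016503040201")  # id-sha256 2.16.840.1.101.3.4.2.1, DER-encoded

def der(tag: int, content: bytes) -> bytes:
    """Wrap content in a DER TLV with definite-length encoding (short or long form)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + content

def der_int(value: int) -> bytes:
    """DER INTEGER (tag 0x02): minimal big-endian, extra 0x00 when the high bit is set."""
    return der(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))

def message_imprint(artifact: bytes) -> bytes:
    """MessageImprint ::= SEQUENCE { AlgorithmIdentifier(sha256, NULL), OCTET STRING digest }."""
    alg_id = der(0x30, der(0x06, OID_SHA256) + der(0x05, b""))
    return der(0x30, alg_id + der(0x04, hashlib.sha256(artifact).digest()))

def build_tsq(artifact: bytes, nonce=None) -> bytes:
    """TimeStampReq ::= SEQUENCE { version 1, messageImprint, nonce, certReq TRUE }.
    POST the result as application/timestamp-query; keep the TimeStampResp with the artifact."""
    if nonce is None:
        nonce = secrets.randbits(64)  # lets the response be matched to this exact request
    body = der_int(1) + message_imprint(artifact) + der_int(nonce) + der(0x01, b"\xff")
    return der(0x30, body)

def evidence_record(source_url: str, artifact: bytes) -> dict:
    """Record stored alongside the capture: source, SHA-256 and the query that binds it to a time."""
    return {"source": source_url,
            "sha256": hashlib.sha256(artifact).hexdigest(),
            "tsq_hex": build_tsq(artifact).hex()}

# Constructed sample (not a real capture); the URL is the defanged indicator from the brief.
SAMPLE_SOURCE = "hxxp://203.0.113.70/origin/onlinebanking/home1.php"
SAMPLE_ARTIFACT = b"<html><form action='home1.php' method='post'>...</form></html>"

if __name__ == "__main__":
    rec = evidence_record(SAMPLE_SOURCE, SAMPLE_ARTIFACT)
    print(rec["sha256"], len(bytes.fromhex(rec["tsq_hex"])), "byte TimeStampReq")
```

The stored TimeStampResp, not the request, is what carries evidentiary weight; the nonce and message imprint in the request are how you prove the response belongs to this capture.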
This brief is a single point in time. It cannot show you the look-alike registered tomorrow, the credential set leaked next week, or the takedown that should already be in flight. Continuous monitoring is what turns a striking snapshot into a closed exposure window.
This brief is a passive-OSINT snapshot. On a call I’ll walk through each indicator, show the evidence behind the risk scores, and explain how PhishNet keeps the brand monitored — EU-sovereign, self-hosted, no data leaving the EU.