AI Security Wire

PhantomSynth: The Threat Actor Industrialising AI-Generated Spear Phishing

Overview

PhantomSynth is a financially motivated threat actor first observed in Q3 2025, distinguished by its systematic industrialisation of large language models for generating hyper-personalised spear phishing content at scale. The group operates primarily against financial services, professional services, and technology firms in North America and Western Europe.

Attribute             Detail
Motivation            Financial — BEC fraud, credential theft, wire transfer fraud
First observed        Q3 2025
Primary targets       Financial services, legal, technology, M&A advisors
Geography             North America, Western Europe
AI tooling            LLM APIs (jailbroken or uncensored models), voice cloning
Distinguishing trait  Per-target personalisation at scale via automated OSINT + LLM pipeline

Modus Operandi

Stage 1 — OSINT Harvesting

PhantomSynth operates an automated OSINT pipeline that aggregates target data from LinkedIn, company websites, regulatory filings, press releases, and social media. Per-target dossiers are constructed covering:

  • Reporting relationships and org structure
  • Recent projects, deals, or announcements
  • Writing style samples (from public posts, filings, interviews)
  • Known colleagues, clients, and counterparties

Stage 2 — LLM-Powered Content Generation

Collected dossiers are fed into an LLM pipeline prompted to generate spear phishing emails that mirror the impersonated sender's writing style, reference real recent events, and make plausible, context-aware requests (a wire for a live deal, a document for an ongoing matter). Because the output is fluent, specific and consistent with what the recipient already knows, it routinely clears both content-based email filters and the recipient's own scepticism: the usual tells of phishing (generic salutations, spelling errors, vague urgency) are simply absent.

Stage 3 — Voice Cloning

For high-value targets, PhantomSynth supplements email lures with AI-generated voice calls using audio cloned from earnings calls and conference recordings, adding a “call to verify” element that legitimises the fraudulent email request.

Stage 4 — Cash-Out

Successful campaigns result in wire transfer fraud (median loss $1.2M per incident), credential theft, or sale of harvested credentials on criminal markets.

Indicators of Compromise

Email infrastructure:

  • Lookalike domains (homoglyph, typo, dropped-hyphen or TLD variants of the impersonated firm's domain) registered within 30 days of campaign launch
  • SPF/DKIM/DMARC pass on those lookalike domains: the actor owns and controls them and configures authentication correctly, so an authentication pass on a lookalike says nothing about legitimacy and must not be treated as a trust signal
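The two infrastructure indicators above can be turned into a triage rule: is the sender domain an imitation of a domain we protect, and is it newly registered? The script below is an added example, not tooling from the original page or from the actor; the protected domain, sender addresses, Authentication-Results values and registration dates are all constructed, so it runs offline. It deliberately ignores the dmarc=pass on every lookalike message, for the reason given above.

```python
"""Flag inbound mail from recently registered lookalike domains.

Added example, not from the original page. All inputs below are
constructed: protected domain, senders, auth results, registration dates.
"""
from datetime import date
from typing import Optional
import unicodedata

# Hypothetical protected domain and the date the analysis runs.
PROTECTED_DOMAINS = {"northbridge-capital.com"}
TODAY = date(2025, 9, 15)

# Hypothetical WHOIS/RDAP creation dates, standing in for a registration
# data lookup. A domain absent from this table has unknown age.
REGISTRATION_DATES = {
    "northbridge-capital.com": date(2012, 3, 4),
    "northbridge-capita1.com": date(2025, 9, 1),    # digit 1 for letter l
    "northbrídge-capital.com": date(2025, 8, 28),   # accented i (IDN homoglyph)
    "northbridgecapital.co": date(2025, 9, 10),     # hyphen dropped, TLD swapped
    "vendor-example.net": date(2015, 6, 20),
}

# Constructed inbound messages with the Authentication-Results summary the
# receiving MTA stamped on them. Note that every lookalike passes.
SAMPLE_MESSAGES = [
    {"from": "cfo@northbridge-capital.com", "auth": "spf=pass dkim=pass dmarc=pass"},
    {"from": "cfo@northbridge-capita1.com", "auth": "spf=pass dkim=pass dmarc=pass"},
    {"from": "cfo@northbrídge-capital.com", "auth": "spf=pass dkim=pass dmarc=pass"},
    {"from": "deals@northbridgecapital.co", "auth": "spf=pass dkim=pass dmarc=pass"},
    {"from": "news@vendor-example.net", "auth": "spf=pass dkim=pass dmarc=pass"},
]


def to_unicode(domain: str) -> str:
    """Decode punycode (xn--...) so homoglyph folding sees the real glyphs."""
    try:
        return domain.encode("ascii").decode("idna")
    except UnicodeError:
        return domain  # already in Unicode form


def split_domain(domain: str) -> tuple:
    """Return (registrable label, TLD). Production code should consult the
    public suffix list so that e.g. example.co.uk is handled; enough here."""
    labels = to_unicode(domain).lower().split(".")
    return (labels[-2], labels[-1]) if len(labels) >= 2 else (labels[0], "")


def fold(label: str) -> str:
    """Collapse the substitutions attackers rely on: accented letters to the
    base letter, look-alike digits and letter pairs, and hyphens."""
    folded = unicodedata.normalize("NFKD", label)
    folded = "".join(c for c in folded if not unicodedata.combining(c))
    for src, dst in (("0", "o"), ("1", "l"), ("rn", "m"), ("vv", "w"), ("-", "")):
        folded = folded.replace(src, dst)
    return folded


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance, used to catch one- or two-character typos."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(sender_domain: str) -> bool:
    """True if sender_domain imitates a protected domain without being it
    (or one of its subdomains)."""
    s_label, s_tld = split_domain(sender_domain)
    for protected in PROTECTED_DOMAINS:
        p_label, p_tld = split_domain(protected)
        if (s_label, s_tld) == (p_label, p_tld):
            return False
        # Equal after folding catches homoglyphs, digit swaps, dropped hyphens
        # and TLD swaps; the edit-distance check catches ordinary typos.
        if fold(s_label) == fold(p_label) or levenshtein(fold(s_label), fold(p_label)) <= 2:
            return True
    return False


def domain_age_days(domain: str) -> Optional[int]:
    """Days since registration, or None when the registration date is unknown."""
    created = REGISTRATION_DATES.get(domain.lower())
    return (TODAY - created).days if created else None


def triage(message: dict) -> dict:
    """Combine both indicators. message["auth"] is read but never trusted:
    the actor owns the lookalike domain, so dmarc=pass there is expected."""
    domain = message["from"].rsplit("@", 1)[1]
    lookalike = is_lookalike(domain)
    age = domain_age_days(domain)
    if lookalike and (age is None or age <= 30):
        verdict = "block"   # lookalike and young (or unknown age): campaign infrastructure
    elif lookalike:
        verdict = "review"  # lookalike but long established: possibly a legitimate affiliate
    else:
        verdict = "allow"
    return {"domain": domain, "lookalike": lookalike, "age_days": age, "verdict": verdict}
```

Running `triage` over `SAMPLE_MESSAGES` blocks the three lookalikes (14, 18 and 5 days old) and allows the genuine domain and the unrelated vendor. The "review" path matters in practice: an established lookalike is more often a typo-squatter or a regional affiliate than this actor, and a hard block there creates support tickets rather than catching campaigns.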

Content indicators:

  • Personalisation far higher than the sending volume would normally allow (each recipient gets bespoke context rather than a template)
  • References to real recent events involving the recipient, the impersonated sender, or a live deal
  • Clean, fluent prose with no spelling errors; the absence of the usual phishing tells is itself part of the signature

Voice call indicators:

  • Spoofed caller ID matching known executive numbers
  • Slight audio artefacts at sentence boundaries
  • Calls timed immediately before or after email delivery

Defence

  1. Enforce p=reject DMARC on your domain (with sp=reject so unused subdomains are covered). This stops spoofing of your exact domain only; it does nothing against the lookalike domains this actor registers, so it is necessary but not sufficient
  2. Out-of-band verification for any financial request received by email, using a number from the corporate directory, never one supplied in the email or by an inbound caller; treat an inbound "call to verify" as part of the lure, not as the verification
  3. Reduce executive OSINT exposure: limit publicly available voice recordings where you can, and where you cannot (earnings calls are public by design) assume the voice can be cloned and rely on procedural controls instead of voice recognition
  4. Monitor for lookalike domains via DomainTools or Recorded Future, watching newly registered variants of your domain and of your executives' and counterparties' names
  5. Security awareness training specifically covering AI-generated spear phishing: fluent, personalised, event-aware lures that lack the traditional tells staff have been taught to look for
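Item 1 is easy to state and easy to get half right: a domain can publish a DMARC record and still be spoofable because the policy is p=none, applied to a fraction of mail, or silent on subdomains. The checker below is an added example, not tooling from the original page; it parses the TXT record string as published at _dmarc.<domain> and lists the gaps between it and an enforcing policy. The domain, record contents and report address are assumed, and no DNS query is made.

```python
"""Grade a DMARC record against the p=reject recommendation above.

Added example, not from the original page. Records are constructed for a
hypothetical domain; a real check would fetch TXT at _dmarc.<domain>.
"""

# Constructed records: the "monitor only" record many domains sit on, and
# the enforcing record item 1 asks for.
WEAK_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc@northbridge-capital.com"
HARDENED_RECORD = ("v=DMARC1; p=reject; sp=reject; pct=100; "
                   "rua=mailto:dmarc@northbridge-capital.com; fo=1")


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict (tag names case-insensitive).
    v=DMARC1 must be the first tag, as the record format requires."""
    if not record.strip().upper().startswith("V=DMARC1"):
        raise ValueError("not a DMARC record: v=DMARC1 must come first")
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> list:
    """Return the gaps between this record and a fully enforcing one.
    An empty list means receivers honouring DMARC reject exact-domain spoofs."""
    tags = parse_dmarc(record)
    findings = []
    # p is mandatory; a missing one is treated as no enforcement.
    policy = tags.get("p", "none").lower()
    if policy == "none":
        findings.append("p=none: receivers deliver spoofed mail and only report it")
    elif policy == "quarantine":
        findings.append("p=quarantine: spoofed mail lands in spam folders, where users still retrieve it")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"pct={pct}: the policy is applied to only {pct}% of failing messages")
    sub_policy = tags.get("sp", policy).lower()  # sp defaults to p when absent
    if sub_policy != "reject":
        findings.append(f"sp={sub_policy}: subdomains, including ones you never send from, can be spoofed")
    if "rua" not in tags:
        findings.append("no rua=: no aggregate reports, so abuse of the domain goes unseen")
    return findings


def is_enforcing(record: str) -> bool:
    """True only when nothing short of p=reject remains."""
    return not assess_dmarc(record)
```

Against the records above, `WEAK_RECORD` yields two findings (p=none and the inherited sp=none) and `HARDENED_RECORD` none. Keep the scope in mind when reading a clean result: it means nobody can send as northbridge-capital.com itself. The lookalike domains in the IoC section are outside your DNS entirely, which is why item 4 exists.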