KitWatch is Karen IT's curated repository of phishing kits collected in the wild — real attack infrastructure, preserved and made accessible to security researchers, CERTs, and anti-phishing teams for defensive research and threat intelligence.
A phishing kit is a ready-to-deploy package that lets cybercriminals stand up a convincing fake website in minutes. Understanding them is the first step to detecting and disrupting the campaigns built on them.
HTML pages that mimic legitimate sites, PHP scripts that capture and exfiltrate stolen credentials, images and assets copied from real brands, and configuration files specifying where to send harvested data.
A kit requires no technical skill to deploy. Anyone can upload it to a compromised server and begin harvesting credentials within minutes. This is why phishing scales — the barrier to entry is almost zero.
Kits are sold on criminal forums, shared freely in Telegram channels, and reused across hundreds of campaigns. The same kit may be deployed by dozens of different actors simultaneously across unrelated infrastructure.
Analyzing a phishing kit exposes the attacker's exfiltration infrastructure, the brands they're targeting, evasion techniques they use to avoid detection, and code patterns that link multiple campaigns to the same actor.
Phishing kits are the infrastructure behind the majority of credential-stealing attacks. A repository of real, wild-caught kits gives the security community something they rarely have — the attacker's actual tools.
Real kit samples enable researchers to develop YARA rules and detection signatures based on actual code patterns, rather than hypothetical scenarios. Rules constructed from real kits are effective in detecting real deployments.
Phishing kits contain unique code signatures, commenting styles, and infrastructure references that link seemingly unrelated campaigns to the same actor. Kit analysis is one of the most effective attribution methods available.
Every kit is built to impersonate a specific target. Analyzing the repository reveals which brands and sectors are being targeted most heavily — and which attack techniques are currently being used against them.
Modern phishing kits contain sophisticated evasion techniques — Cloudflare bypass, bot detection, IP geofencing, and security scanner blocking. Understanding these techniques is essential to improving detection tools.
Kit configuration files reveal exfiltration endpoints — email addresses, Telegram bots, and backend servers. These indicators can be used to map and disrupt the attacker's full operational infrastructure.
Real phishing kits are the most effective training material for security analysts learning to recognize, investigate, and respond to phishing campaigns. No simulation comes close to the real thing.
Every kit in KitWatch is documented, classified, and contextualized — not simply archived. Members receive structured intelligence, not raw zip files.
Every kit in the repository was collected from active phishing infrastructure — not constructed or modified. What you analyze is what the attacker actually deployed.
Each kit is classified by targeted brand, attack type, evasion techniques present, exfiltration method, and observed deployment date — enabling rapid filtering and analysis.
Screenshots of the kit as deployed — showing the fake login page, any multi-step flows, and the visual impersonation technique used — captured at the time of collection.
The hosting infrastructure, domain, registrar, and IP data associated with the kit at the time of collection — enabling correlation with other incidents and campaigns.
File hashes and structural fingerprints for every kit — enabling rapid identification of the same kit deployed on new infrastructure, even when the domain and hosting change.
KitWatch is not a static archive. New kits are added as they are identified through Karen IT's CTI platform, URLAbuse detection systems, and KSRC case intake.
Phishing kits are live attack tools. KitWatch exists to advance defensive research — not to lower the barrier to launching attacks. Every access request is reviewed individually.
Researchers studying phishing techniques, attacker infrastructure, and campaign attribution — at academic institutions, security companies, or independently with a demonstrated track record.
National and sectoral computer emergency response teams that handle phishing incidents and need access to kit samples to support investigations and improve detection capabilities.
Security teams at organizations that are frequent phishing targets — financial institutions, payment providers, technology companies — and need kit samples to develop and test detection.
Security product companies developing anti-phishing detection, email security, or web filtering products that need real kit samples to test and improve their detection engines.
Domain registrars and registries that receive phishing abuse reports and need kit analysis to support suspension decisions and identify patterns of infrastructure abuse.
Universities and research institutions conducting peer-reviewed cybersecurity research on phishing, social engineering, or attacker infrastructure — with appropriate ethical oversight.
We review every request. The process is thorough but not complicated.
Complete the access request form on ksrc.karenit.net/kitwatch. Describe your organization, role, and intended use of the repository.
The KSRC team reviews your request against our eligibility criteria. We may follow up with questions about your intended research use.
Approved requestors sign a usage agreement confirming that access is for defensive research only and that kits will not be deployed or redistributed.
You receive access credentials and onboarding information. New kits are added regularly — you'll have access to the full repository and all future additions.
KitWatch gives defenders access to the actual tools attackers are using. If your work involves detecting, disrupting, or researching phishing campaigns — this repository was built for you.