A newly discovered criminal toolkit is enabling fraudsters to run sophisticated, large-scale phone scams almost entirely on autopilot.

The platform, known as ATHR, combines fake emails with AI-generated phone calls to trick victims into handing over login credentials for some of the world’s most widely used services, including Google, Microsoft, and major cryptocurrency exchanges.

According to researchers, the commoditized platform, which combines AI voice agents, credential harvesting tools, phishing email templates, and browser-based call handling into a single service, is being marketed on cybercrime forums for $4,000 upfront, plus 10% of any profits generated.

Abnormal Security’s Aaron Orchard, Callie Baron, and Piotr Wojtyla, who tracked and detailed the new platform in a blog, said that instead of relying on typical malicious links or infected attachments, this telephone-oriented attack delivery – known as TOAD – takes a different route...