Last month, Microsoft celebrated the arrests of the developers behind RaccoonO365, a prolific phishing operation that compromised thousands of Microsoft 365 accounts. For defenders on the front lines, the celebration was short-lived: more sophisticated threats like Sneaky2FA have already adapted to fill the vacuum in the underground market.
"This is the reality of the modern threat landscape," says Travis Simcox, a Tampa Bay-based Cyber Threat Hunter and the creator of Behind The Surface. "We often treat cybercrime groups as static figures, but they operate like agile businesses. When one tool is taken down, three more advanced ones replace it."
Behind The Surface, a new YouTube channel launching this month, tracks this rapid evolution through bi-weekly episodes that blend intelligence from underground communities with accessible storytelling. Each Saturday installment dissects live phishing kits, cloaking systems, and automated attack tools currently circulating in cybercrime markets.
Simcox is joined by Detective Lock, a campy, trench-coat-wearing padlock mascot who brings noir humor to the investigation. "My goal is to lean into a style that's fun and accessible," Simcox explains. "But the technical analysis stays very real. We don't do theoretical scenarios; we look at live tools being sold in underground communities right now, and watch them being used in real attacks."
The channel's debut season examines why traditional security advice is failing. While the public is still taught to "check the URL," one episode demonstrates Browser-in-the-Browser attacks, where hackers paint fake login windows that look nearly identical to legitimate sites—then shows viewers how to detect the subtle differences that reveal the deception.
Another investigation exposes Traffic Cloaking mechanics, revealing how attackers use commercial tools to fingerprint visitors. If the visitor is a security bot or researcher, the site displays a harmless page; if it's a real victim, it serves a weaponized phishing kit. The episode traces the decision tree that determines what each visitor sees.
The series documents the shift from poorly written spam emails to AI-powered social engineering. An upcoming episode uncovers a new AI tool that prominent phishing operators are using to automate millions of attacks per week, complete with demonstrations from developers of the code. Another breaks down how attackers use automated systems to bypass Multi-Factor Authentication, spoofing official phone numbers and deploying AI voices to trick victims into revealing their passcodes.
Future episodes will cover the ClickFix family of attacks, a tactic where victims are manipulated into copying and pasting malicious code to "fix" fake browser errors. Rather than simply describing the technique, the series captures the attack chain from initial compromise through credential theft.
"The adversary is constantly upgrading their tech stack," Simcox warns. "If we don't update our understanding, we are fighting a modern war with outdated maps."
Behind The Surface offers a window into that rapidly-changing playbook, with episodes available every other Saturday at youtube.com/@behind_the_surface and analysis blog at behindthesurface.net.
