Acknowledgments: Special thanks to Casey Smith, Tanner
Filip, Matt Kiely, and Aaron Deal for their contributions to this investigation and
write-up.
UPDATE: March 23, 2026
In partnership with our friends at Flare.io and other contacts across the community, Huntress has attributed the Railway attack to the EvilTokens Phishing as a Service (PhaaS) platform. First advertised on the NOIRLEGACY GROUP t...