
Navigating the Rise of Starkiller and the Future of Session Hijacking with Frank McKenna

Welcome back to Fraudology.
This episode is one every fraud fighter needs to hear. I'm joined by Frank McKenna, Chief Fraud Strategist at PointPredictive and the mind behind Frank on Fraud, and he brought receipts on a phishing platform called Starkiller that emerged right after Tycoon 2FA got taken down.
Here is the part that should worry you. Starkiller is not stealing passwords the old fashioned way. It uses Attacker-in-the-Middle tactics, running headless browsers that mirror a legitimate login session in real time. That means it captures your two factor authentication codes and your session cookies, which lets criminals stay logged in even after you think you logged out.
Here is what Attacker-in-the-Middle fraud means in practice:
· Fraudsters use headless browsers to mirror a real login session as it happens
· Two factor authentication codes are captured, not just bypassed
· Session cookies get stolen, allowing continued access after logout
· Victims interact with the real merchant website, not a fake clone
What you'll hear in this episode:
· How Starkiller emerged in the wake of the Tycoon 2FA takedown
· The mechanics of Attacker-in-the-Middle attacks and why they defeat traditional 2FA
· How account takeover can happen without a new login event at all
· The democratization of fraud through Telegram based phishing kit subscriptions
· Why device intelligence tools struggle to catch this type of attack
You should listen to this episode if you:
· Work in fraud detection, identity, or account security
· Need to understand why 2FA alone is no longer a reliable safeguard
· Want to know how phishing kits are being sold and distributed today
· Are responsible for monitoring account takeover risk on your platform
· Want practical language to explain this threat to leadership
Episode notes & key takeaways
What Starkiller is and why it matters
Starkiller is a phishing-as-a-service platform that surfaced almost immediately after Tycoon 2FA was dismantled, which tells you something important about this industry. Take one tool down, and another one is ready within weeks. Frank walks through how Starkiller works and why it represents a meaningful escalation from earlier phishing kits.
· Starkiller emerged shortly after the Tycoon 2FA takedown
· It is built specifically to defeat two factor authentication
· The platform is sold as a service, not a one time tool
· It reflects the fast replacement cycle of criminal infrastructure
Account takeover without a login event
One of the most unsettling patterns Frank describes is account takeover that does not require a new login at all. A user performs a completely legitimate action, and moments later their payout information has been quietly changed within that same session. This breaks a lot of the assumptions fraud teams have built their detection around.
· Legitimate user sessions can be hijacked mid activity
· Payout or account details can change without triggering a new login alert
· Traditional login based fraud detection misses this pattern entirely
· This pattern is becoming more common across marketplaces
The Democratization of fraud through Telegram
Frank also details how phishing kits are now sold on Telegram using a subscription model that looks a lot like Netflix. For as little as three hundred to five hundred dollars a month, low skill criminals get access to user friendly dashboards that used to require real technical expertise to build.
· Phishing kits are marketed and sold like consumer subscription products
· Monthly pricing puts sophisticated tools within reach of low skill actors
· User friendly dashboards remove the technical barrier to entry
· This lowers the skill floor for launching AITM style attacks
Session hijacking is not a future problem. It is happening right now, and the tools to do it are getting easier to buy every month. This is exactly the kind of threat that requires fraud teams to stop relying solely on login events as their trigger point.
Episode resources & links:
Connect with Frank McKenna | LinkedIn
- Co-Founder of Point Predictive
Connect with Karisse Hendrick | LinkedIn
- Host of the Fraudology Podcast
- Award-Winning Cyberfraud Expert
- Ecommerce Fraud Prevention Consultant
- Startup Advisor, Keynote Speaker, and
- Consultant to Fortune 500 merchants





