Picture this: It’s 3am, you’re sitting in front of your computer, bloodshot-eyed, trying to parse the HTML of that enticing bank page you’re trying to clone. You’ve been at it for hours, manually copying source code, downloading resources, fixing broken links. But no matter how hard you try, the thing just won’t load. The fonts are all wonky, the images are returning 403 errors, and the CSS is still a bit wonky.
Finally, after what feels like an eternity of debugging, it’s ready. The phishing page looks pretty good – not perfect, but it’ll fool most boomers. You upload it to your bulletproof hosting, fire up your mail cannon, and start swearing.
And then – BAM!
Within hours, your domain will be banned, your hosting provider will block your site, and all that work will quickly go down the drain. Your beautiful phishing page will die. Your dreams of easy money will be ruined. Your time will be wasted.
Sound familiar? Yeah, I thought so.
The thing is, as detection tools become more sophisticated, your approach needs to be more sophisticated. The days of copying HTML code and praying to the fraud gods are over. Today, we’re diving into a new generation of phishing — one that gives you maximum extensibility and obfuscation right out of the box. Phishers that can adapt on the fly, have features that weren’t available before, and automatically hide from those pesky security scanners.
Welcome to the future. Let’s go.
How Traditional Phishing Works
Before we get into the cool new stuff, let’s recap how most of you are currently creating phishing pages:
The Old School Method:
What's the problem? The process is tedious, error-prone, and the results are often ugly.
Double Trouble: Extensibility and Obfuscation
There are a lot of problems with traditional phishing marketing, but there are two main ones:
Problem #1: Obfuscation (or lack thereof)
Here's a fun fact: Right now, as you read this, thousands of bots are scanning the web looking for phishing pages. These digital bloodhounds sniff out HTML code that matches known patterns: a PayPal logo here, a "Login" button there, boom, you're flagged.
Why is it so easy for them? Server-side rendering. When someone (or something) visits your phishing page, your server delivers them the full HTML. Every element, every line, every suspicious form field — it’s all in plain text for bots to parse. It’s like trying to hide drugs in a clear plastic bag.
Security companies have huge databases of HTML fingerprints from legitimate sites. When your fake Bank of America page produces HTML that’s 95% identical to the original, their algorithms light up like a Christmas tree. Your domain gets blacklisted, and your domain registrar and host are automatically notified.
Problem #2: Extensibility (the real killer)
This is where traditional phishing really shows its age. Let’s say you want to take phishing to the next level and make it asynchronous. What does that mean? Instead of just collecting data and sending messages, you need to:
Sounds cool, right? Good luck implementing this with your static HTML.
You will need:
Meet the Next-Gen Phishing
Now this is where it gets interesting. What if I told you there was a way to automatically generate a fully extensible codebase from any website? Code that is initially hidden from scanners, allowing you to easily add complex features and making your phishers virtually undetectable to traditional scanning methods?
Meet Orchids.app, an AI tool that doesn’t just COPY websites, it REPAIRS them as a React codebase. Now look, there are a ton of AI cloning and code generation metrics tools out there, but I’ve had far more success with Orchids than any of the others. While other tools give you half-baked copies that break the moment you touch them, Orchids actually understands what it’s looking at.
What Orchids.app actually does
Instead of giving you an HTML file with broken resources, Orchids.app uses AI to:
You get a fully functional React project that looks almost exactly like the original, but has been completely rebuilt from scratch. It's like an AI developer is rebuilding the site for you, only this developer doesn't ask questions and works for free.
Extend it and add features (your phisher is now AI-ready)
This is where it gets REALLY hot. Remember that OTP grabbing scenario that was impossible with traditional methods? With the React codebase, that becomes trivial.
But here's the kicker: it makes your phisher completely AI-ready. You can now add as many features as your criminal mind can dream up, customize everything down to the pixel, and extend the functionality ad infinitum. Something that was completely impossible with those ancient, stolen scams you were messing around with.
Why? Because stolen scraps are digital garbage — littered with code artifacts, hardcoded references to the original domain, convoluted JavaScript you can’t understand or change, and CSS that breaks the moment you breathe on it the wrong way. Try adding an OTP page to a stolen PayPal scrap and watch it fall apart faster than your alibis.
Want to get really nasty? Tell your AI IDE, “Add a component that accurately simulates bank loading screens while we drain their account in the background.” Boom, done in minutes. Try running that junk with a ragged bench and you’ll be debugging minified jQuery from 2012 until the heat death of the universe.
The extensibility is endless because you’re working with modern, clean code, not digital archaeology. You have a clean, modern codebase that any bootcamp graduate can work with, and more importantly, that AI tools can easily understand and modify.
Obfuscation
Since Orchids.app generates a React app, your phishing page no longer renders as static HTML. Instead:
Think about it - these security robots are looking for
Templates? They won’t find anything because your form is generated client-side with JavaScript that looks like alphabet soup.
Step-by-step demo.
Okay, enough theory. Let’s get our hands dirty and clone Amazon like the professional degenerates we are.
Step 1: Card an Orchids.app subscription
To get started, you’ll need an Orchids.app account. While they have a free plan, you’ll want the premium package for unlimited clones and better AI models. Fire up your favorite carding setup and sign up for a subscription. If you can’t even afford a $20/month SaaS subscription, you have no business being a phisher.
Step 2: Attract a target
Go to the Amazon login page. Take a screenshot or save the URL - you will need it for Orchids.app.
Step 3: Clone Wars
In a few seconds, you'll have a React project that looks almost identical to Amazon's login page.
Step 4: Pick Your Weapon
There may be some artifacts left to fix, but you have two options for fine-tuning your clone:
Option A: Download and use an AI-powered IDE
Download the project and open it in Cursor or Windsurf. These AI-powered IDEs let you make changes using natural language. Just tell them, “Make the login button darker” or “Fix the mobile version” and watch the magic happen.
Option B: Use Orchids.app’s built-in editor
Stay in Orchids.app and use its suggestions feature. You can fine-tune the project right in the browser using commands like “match BofA’s red color exactly” or “add security logo from original.” Either way, you’ll see a clean structure:
Step 5: Quick and Easy Backend
Setting up a proper backend is covered in Part 2. For now, use webhook.site:
This is just for testing. In Part 2, we'll build a full backend with Telegram notifications, database storage, and more.
Step 6: Adding Advanced Features
Want to add OTP capture? Just show Orchids.app (or Cursor) a screenshot of Amazon's OTP page and say "Add this as a new component." The AI will generate a component that will automatically inherit all the Amazon styling: colors, fonts, spacing. It will look native because your entire codebase is already themed correctly.
Now take a look at this added feature that took me 2 minutes to implement:
Step 7: Build and Deploy
This will create an optimized, obfuscated production build.
For hosting? Just create a new Cloudflare Pages project, upload
Go to the folder directly and watch your phishing page come to life.
The generated files are minified JavaScript. No obvious HTML forms for scanners to detect. Just compiled React code, which could be any web app! In the next tutorial, we’ll be using CF Workers as the backend.
Caveats (This is just the beginning)
Before you run away thinking you’re doing great with your new AI-powered phishing kit, let me disappoint you a bit, but also give you something to be excited about.
This is just a proof of concept. Apps like Orchids.app (and others like Same.Dev, MagicPath.AI, etc.) are impressive, but they’re not magic. The AI won’t generate a perfect clone the first time. You’ll likely get:
This means you'll have to repeat. Use the Orchids.app hint feature to clarify:
It’s still faster and more reliable than copying complex pages and tinkering from scratch, but don’t expect a perfect 1:1 clone without some work. Think of it as 80% of the way there automatically, with the last 20% requiring your creativity.
But here’s the beautiful part: this is just the starting line, not the finish line. AI is advancing at breakneck speed. What takes 5-10 iterations today will take 2-3 iterations in six months. What requires manual tweaking now will be automatic next year.
We are rapidly approaching a future where you can paste a URL, hit enter, and get a pixel-perfect clone that is indistinguishable from the original. Every micro-interaction, every hover effect, every responsive breakpoint — it’s all captured and recreated flawlessly in a single command window. AI will understand not only how a site looks, but how it behaves.
Think GPT-4 is smart? Wait until GPT-6 can analyze a website’s entire user flow, understand its authentication logic, and recreate not just its visual design, but its entire user experience. We’re talking about AI that will reverse engineer complex web applications and create production-ready phishing platforms that even the original developers couldn’t tell apart.
This guide represents the first wave of truly intelligent phishing tools. By the time most newbies figure out how to use Orchids.app properly, the next generation of AI will make today’s tools look like cave paintings.
Stay ahead of the curve, because this technology gap will only widen. Early adopters will feast while the dinosaurs still struggle with broken copies of HTML.
Conclusion
Phishing is evolving, whether you like it or not. Old methods are becoming obsolete.
This is your call to action. The tools are out there, the methods are proven, and the only thing standing between you and next-level phishing is your willingness to learn the basics of React.
Most people will continue to use their broken HTML codes. But for those willing to evolve and embrace new technologies, the rewards will be there.
Remember: in this game, you either innovate or get caught.
Be careful, keep learning, and for heaven’s sake, use a VPN.
(c) Telegram: d0ctrine
P.S. — Part 2 will cover advanced techniques like automated personalization, bypassing specific fraud protection systems, and scaling your operation. If the feds haven't knocked down my door by then.
Finally, after what feels like an eternity of debugging, it’s ready. The phishing page looks pretty good – not perfect, but it’ll fool most boomers. You upload it to your bulletproof hosting, fire up your mail cannon, and start swearing.
And then – BAM!
Within hours, your domain will be banned, your hosting provider will block your site, and all that work will quickly go down the drain. Your beautiful phishing page will die. Your dreams of easy money will be ruined. Your time will be wasted.
Sound familiar? Yeah, I thought so.
The thing is, as detection tools become more sophisticated, your approach needs to be more sophisticated. The days of copying HTML code and praying to the fraud gods are over. Today, we’re diving into a new generation of phishing — one that gives you maximum extensibility and obfuscation right out of the box. Phishers that can adapt on the fly, have features that weren’t available before, and automatically hide from those pesky security scanners.
Welcome to the future. Let’s go.
How Traditional Phishing Works
Before we get into the cool new stuff, let’s recap how most of you are currently creating phishing pages:
The Old School Method:
- Target selection: You choose an attractive target - usually a bank, payment processor or email provider. Something where credentials = money.
- Cloning a page: Using tools like HTTrack, Save Page WE, Singlefile, or just the keyboard shortcut Ctrl+S, you download the landing page of the target page. This gives you the HTML, CSS, and maybe some JavaScript if you're lucky.
- Resource Scrambling: Now comes the nasty part – fixing all that crap. Images that won’t load, fonts that point to the original domain, JavaScript that’s calling mommy home. You spend hours replacing URLs, downloading resources, and essentially performing digital surgery on that Frankenstein’s monster that is the web page.
- Backend setup: You write some PHP script (probably copied from a 2015 HackForums post) that collects credentials and either emails them to you or writes them to a text file, like it's 2005.
- Deployment: Upload to any crappy free hosting or hacked WordPress site you can find, set up your domain (probably something like "amaz0n-security.tk") and pray it lasts long enough to catch some fish.
- Distribution: spam emails, SMS, personal messages on social networks - any way to deliver your link to the victim.
What's the problem? The process is tedious, error-prone, and the results are often ugly.
Double Trouble: Extensibility and Obfuscation
There are a lot of problems with traditional phishing marketing, but there are two main ones:
Problem #1: Obfuscation (or lack thereof)
Here's a fun fact: Right now, as you read this, thousands of bots are scanning the web looking for phishing pages. These digital bloodhounds sniff out HTML code that matches known patterns: a PayPal logo here, a "Login" button there, boom, you're flagged.
Why is it so easy for them? Server-side rendering. When someone (or something) visits your phishing page, your server delivers them the full HTML. Every element, every line, every suspicious form field — it’s all in plain text for bots to parse. It’s like trying to hide drugs in a clear plastic bag.
Security companies have huge databases of HTML fingerprints from legitimate sites. When your fake Bank of America page produces HTML that’s 95% identical to the original, their algorithms light up like a Christmas tree. Your domain gets blacklisted, and your domain registrar and host are automatically notified.
Problem #2: Extensibility (the real killer)
This is where traditional phishing really shows its age. Let’s say you want to take phishing to the next level and make it asynchronous. What does that mean? Instead of just collecting data and sending messages, you need to:
- Capture your panel username/password;
- Check them in real time on a real site;
- When a one-time password (OTP) is triggered, dynamically display the OTP request page;
- Capture a one-time password while the victim is still on your site;
- Make a profit with full access to your account;
Sounds cool, right? Good luck implementing this with your static HTML.
You will need:
- Reverse engineer the authentication process on the site;
- Extract and understand their JavaScript;
- Rebuild their styles for your new OTP page;
- Make sure it all works without a hitch.
Meet the Next-Gen Phishing
Now this is where it gets interesting. What if I told you there was a way to automatically generate a fully extensible codebase from any website? Code that is initially hidden from scanners, allowing you to easily add complex features and making your phishers virtually undetectable to traditional scanning methods?
Meet Orchids.app, an AI tool that doesn’t just COPY websites, it REPAIRS them as a React codebase. Now look, there are a ton of AI cloning and code generation metrics tools out there, but I’ve had far more success with Orchids than any of the others. While other tools give you half-baked copies that break the moment you touch them, Orchids actually understands what it’s looking at.
What Orchids.app actually does
Instead of giving you an HTML file with broken resources, Orchids.app uses AI to:
- Visually analyze the target site
- Understand the structure and components
- Rebuild it from scratch as a modern React app
- Create clean, organized code with Tailwind CSS and Shadcn UI
You get a fully functional React project that looks almost exactly like the original, but has been completely rebuilt from scratch. It's like an AI developer is rebuilding the site for you, only this developer doesn't ask questions and works for free.
Extend it and add features (your phisher is now AI-ready)
This is where it gets REALLY hot. Remember that OTP grabbing scenario that was impossible with traditional methods? With the React codebase, that becomes trivial.
But here's the kicker: it makes your phisher completely AI-ready. You can now add as many features as your criminal mind can dream up, customize everything down to the pixel, and extend the functionality ad infinitum. Something that was completely impossible with those ancient, stolen scams you were messing around with.
Why? Because stolen scraps are digital garbage — littered with code artifacts, hardcoded references to the original domain, convoluted JavaScript you can’t understand or change, and CSS that breaks the moment you breathe on it the wrong way. Try adding an OTP page to a stolen PayPal scrap and watch it fall apart faster than your alibis.
Want to get really nasty? Tell your AI IDE, “Add a component that accurately simulates bank loading screens while we drain their account in the background.” Boom, done in minutes. Try running that junk with a ragged bench and you’ll be debugging minified jQuery from 2012 until the heat death of the universe.
The extensibility is endless because you’re working with modern, clean code, not digital archaeology. You have a clean, modern codebase that any bootcamp graduate can work with, and more importantly, that AI tools can easily understand and modify.
Obfuscation
Since Orchids.app generates a React app, your phishing page no longer renders as static HTML. Instead:
- Client-side rendering: The browser receives JavaScript that dynamically renders the page. Crawlers see JavaScript, not recognizable HTML structure.
- Component-based architecture: Your login form isn't just HTML. It's generated by React components at runtime.
- Build-time obfuscation: You can use Vite plugins for additional obfuscation during build. Minification, tree shaking, and even custom obfuscation are all available.
Think about it - these security robots are looking for
Code:
<form action="login">Templates? They won’t find anything because your form is generated client-side with JavaScript that looks like alphabet soup.
Step-by-step demo.
Okay, enough theory. Let’s get our hands dirty and clone Amazon like the professional degenerates we are.
Step 1: Card an Orchids.app subscription
To get started, you’ll need an Orchids.app account. While they have a free plan, you’ll want the premium package for unlimited clones and better AI models. Fire up your favorite carding setup and sign up for a subscription. If you can’t even afford a $20/month SaaS subscription, you have no business being a phisher.
Step 2: Attract a target
Go to the Amazon login page. Take a screenshot or save the URL - you will need it for Orchids.app.
Step 3: Clone Wars
- Head to
Code:orchids.app - Paste Amazon URL or upload your screenshot
- Watch AI Work Its Magic
In a few seconds, you'll have a React project that looks almost identical to Amazon's login page.
Step 4: Pick Your Weapon
There may be some artifacts left to fix, but you have two options for fine-tuning your clone:
Option A: Download and use an AI-powered IDE
Download the project and open it in Cursor or Windsurf. These AI-powered IDEs let you make changes using natural language. Just tell them, “Make the login button darker” or “Fix the mobile version” and watch the magic happen.
Option B: Use Orchids.app’s built-in editor
Stay in Orchids.app and use its suggestions feature. You can fine-tune the project right in the browser using commands like “match BofA’s red color exactly” or “add security logo from original.” Either way, you’ll see a clean structure:
Step 5: Quick and Easy Backend
Setting up a proper backend is covered in Part 2. For now, use webhook.site:
- Go to webhook.site
- Get your unique URL
- Ask Orchid to replace the form action with this URL.
This is just for testing. In Part 2, we'll build a full backend with Telegram notifications, database storage, and more.
Step 6: Adding Advanced Features
Want to add OTP capture? Just show Orchids.app (or Cursor) a screenshot of Amazon's OTP page and say "Add this as a new component." The AI will generate a component that will automatically inherit all the Amazon styling: colors, fonts, spacing. It will look native because your entire codebase is already themed correctly.
Now take a look at this added feature that took me 2 minutes to implement:
Step 7: Build and Deploy
Code:
npm run buildThis will create an optimized, obfuscated production build.
For hosting? Just create a new Cloudflare Pages project, upload
Code:
distGo to the folder directly and watch your phishing page come to life.
The generated files are minified JavaScript. No obvious HTML forms for scanners to detect. Just compiled React code, which could be any web app! In the next tutorial, we’ll be using CF Workers as the backend.
Caveats (This is just the beginning)
Before you run away thinking you’re doing great with your new AI-powered phishing kit, let me disappoint you a bit, but also give you something to be excited about.
This is just a proof of concept. Apps like Orchids.app (and others like Same.Dev, MagicPath.AI, etc.) are impressive, but they’re not magic. The AI won’t generate a perfect clone the first time. You’ll likely get:
- There are no interactive elements.
- The colors or spacing are slightly wrong
- Incorrect responsive design on some screen sizes
- No hover states or animations
This means you'll have to repeat. Use the Orchids.app hint feature to clarify:
- "Make the login button the same shade of red as the original"
- "Add a hover dropdown menu"
- "Fix the mobile layout so it is vertical"
It’s still faster and more reliable than copying complex pages and tinkering from scratch, but don’t expect a perfect 1:1 clone without some work. Think of it as 80% of the way there automatically, with the last 20% requiring your creativity.
But here’s the beautiful part: this is just the starting line, not the finish line. AI is advancing at breakneck speed. What takes 5-10 iterations today will take 2-3 iterations in six months. What requires manual tweaking now will be automatic next year.
We are rapidly approaching a future where you can paste a URL, hit enter, and get a pixel-perfect clone that is indistinguishable from the original. Every micro-interaction, every hover effect, every responsive breakpoint — it’s all captured and recreated flawlessly in a single command window. AI will understand not only how a site looks, but how it behaves.
Think GPT-4 is smart? Wait until GPT-6 can analyze a website’s entire user flow, understand its authentication logic, and recreate not just its visual design, but its entire user experience. We’re talking about AI that will reverse engineer complex web applications and create production-ready phishing platforms that even the original developers couldn’t tell apart.
This guide represents the first wave of truly intelligent phishing tools. By the time most newbies figure out how to use Orchids.app properly, the next generation of AI will make today’s tools look like cave paintings.
Stay ahead of the curve, because this technology gap will only widen. Early adopters will feast while the dinosaurs still struggle with broken copies of HTML.
Conclusion
Phishing is evolving, whether you like it or not. Old methods are becoming obsolete.
This is your call to action. The tools are out there, the methods are proven, and the only thing standing between you and next-level phishing is your willingness to learn the basics of React.
Most people will continue to use their broken HTML codes. But for those willing to evolve and embrace new technologies, the rewards will be there.
Remember: in this game, you either innovate or get caught.
Be careful, keep learning, and for heaven’s sake, use a VPN.
(c) Telegram: d0ctrine
P.S. — Part 2 will cover advanced techniques like automated personalization, bypassing specific fraud protection systems, and scaling your operation. If the feds haven't knocked down my door by then.
Last edited: