Cybercriminals continue to incorporate artificial intelligence (AI) into their operations to increase efficiency and scale.
NCC Group’s analysis of Kitana, an adversary-in-the-middle (AiTM) fraud platform, demonstrates how AI-assisted development and real-time operator control are enabling more sophisticated credential theft and payment fraud.
Rather than relying on traditional malware or web skimming techniques, Kitana combines reverse proxy infrastructure, phishing, and live attacker interaction to compromise online transactions.
Key Takeaways of Kitana
- Kitana is an AI-assisted adversary-in-the-middle (AiTM) fraud platform that intercepts online sessions using attacker-controlled proxy domains instead of traditional malware.
- The platform combines phishing, reverse proxy infrastructure, and real-time operator control to steal credentials, payment information, and authentication codes during active user sessions.
- NCC Group found evidence of AI-assisted development, including code patterns consistent with large language model-generated output, alongside insecure coding practices such as hardcoded credentials and exposed API keys.
- Kitana represents a growing trend toward operator-driven fraud platforms that automate attacks while allowing criminals to interact with victims in real time to maximize successful payment fraud.
- Organizations should monitor typosquatted domains, certificate transparency logs, and suspicious authentication activity while educating users to verify website domains and unexpected login or payment prompts.
What Is Kitana?
Discovered by NCC Group in Apr. 2026, Kitana is a modular AiTM fraud platform designed to intercept online sessions by routing victims through attacker-controlled proxy domains.
Unlike Magecart-style attacks that compromise merchant websites directly, Kitana mirrors legitimate websites in real time while allowing operators to monitor and manipulate victim interactions.
Researchers observed infrastructure targeting hospitality organizations in Canada and the United States, along with e-commerce sites in Chile and Saudi Arabia.
Although the campaign focused on specific industries, the platform’s architecture suggests it can be adapted to target a broader range of online services.
How the Platform Works
Victims are directed to typosquatted domains through malicious advertisements and phishing campaigns.
A Node.js reverse proxy mirrors the legitimate website, while a Python FastAPI backend manages session orchestration and captures authentication data.
Before delivering malicious content, Kitana evaluates visitors using IP reputation, geolocation, browser characteristics, and device fingerprinting.
Suspicious visitors, including researchers and automated scanners, are redirected to benign AI-generated decoy pages, helping the platform evade detection.
During payment transactions, Kitana replaces the legitimate payment software development kit (SDK) with a cloned version that captures payment card information and personal data.
Operators can then trigger realistic authentication prompts, including 3D Secure (3DS) requests, to collect one-time passcodes, credentials, and additional payment details during the same session.
AI-Assisted Development Accelerates Fraud
NCC Group identified several indicators that portions of Kitana were likely developed using AI-assisted coding tools.
Documentation, configuration files, and code structure followed highly consistent patterns commonly associated with large language model-generated code.
At the same time, researchers discovered hardcoded credentials and exposed API keys throughout the source code, suggesting development prioritized speed over secure engineering practices.
While these findings do not prove autonomous AI decision-making, they demonstrate how AI-assisted development can reduce the time and technical expertise required to build sophisticated fraud platforms.
A Growing Threat to E-Commerce
Kitana reflects a broader shift toward operator-driven cybercrime platforms that combine automation with real-time human decision-making.
Instead of collecting stolen data for later use, attackers actively control authentication workflows while victims remain connected, increasing the likelihood of successful account compromise and payment fraud.
The platform also incorporates BIN-level intelligence that allows operators to prioritize payment cards less likely to trigger additional authentication challenges, further improving the efficiency of fraudulent transactions.
Bottom Line
Kitana demonstrates how AI-assisted development is lowering the barrier to creating advanced fraud platforms capable of supporting large-scale credential theft and payment fraud.
Organizations should strengthen defenses by monitoring typosquatted domains, tracking certificate transparency logs, and improving threat intelligence visibility into malicious infrastructure.
Customer education around verifying website domains and unexpected authentication prompts also remains an important defense against AiTM attacks.
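The typosquat and certificate transparency monitoring recommended above can be sketched as follows. This is an added example, not code from NCC Group or from the Kitana platform; the protected domains, the sample hostnames, the look-alike character map, and the two-edit threshold are all constructed assumptions.

```python
# Constructed sample data: none of these names come from the Kitana report.
PROTECTED = ["examplehotel.com", "example-shop.cl"]   # domains you own
CT_HOSTNAMES = [                                      # names seen in new certificates
    "examplehotel.com", "*.example-shop.cl", "unrelated.example",
    "examp1ehotel.com",                          # digit swapped for a letter
    "exampelhotel.com",                          # transposed letters
    "examplehotel.com.booking-confirm.example",  # brand used as a subdomain
]
LOOKALIKES = str.maketrans("0135", "oles")       # assumed confusable map

def registrable(host):
    # Assumption: last two labels. Production code should use the Public Suffix List.
    return ".".join(host.split(".")[-2:])

def skeleton(name):
    return name.translate(LOOKALIKES).replace("rn", "m").replace("vv", "w")

def osa_distance(a, b):
    """Edit distance that counts an adjacent transposition as one edit."""
    d = [[max(i, j) if 0 in (i, j) else 0 for j in range(len(b) + 1)] for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = a[i - 1] != b[j - 1]
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]

def classify(host, protected=PROTECTED, max_edits=2):
    host = host.lower().removeprefix("*.").rstrip(".")
    reg = registrable(host)
    if reg in protected:
        return None                      # the real domain or one of its subdomains
    for brand in protected:
        if brand.split(".")[0] in host:
            return f"embeds brand label of {brand}"
        if skeleton(reg) == skeleton(brand):
            return f"confusable with {brand}"
        edits = osa_distance(reg, brand)
        if edits <= max_edits:
            return f"{edits} edit(s) from {brand}"
    return None

def scan(hostnames):
    return {h: r for h in hostnames if (r := classify(h))}

if __name__ == "__main__":
    for host, reason in scan(CT_HOSTNAMES).items():
        print(f"REVIEW {host}: {reason}")
```

Flagged names are candidates for analyst review rather than confirmed malicious infrastructure; short brand names need a tighter edit threshold to keep false positives manageable.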





