According to BleepingComputer, threat actors have been abusing the no-code app-building platform Bubble to steal Microsoft account credentials since early in 2026. Security researchers at Kaspersky report that these phishing campaigns have led to a significant surge in credential thefts over just three months, affecting an estimated 15% of businesses who use Bubble’s services.
Project data and threat analysis
The total material cost for setting up such malicious web apps is minimal, often ranging from $0 to about $30 per month if premium Bubble features are utilized. This low barrier to entry has enabled threat actors to rapidly deploy these phishing campaigns across a wide range of unsuspecting users.
Tool and time specifications
The actual time spent crafting and deploying these malicious apps is surprisingly short; security experts estimate that the average hacker can create and host a fully functional phishing page within 30 minutes. The tools utilized include Bubble’s no-code platform, which generates complex JavaScript bundles and Shadow DOM-heavy structures undetectable by static analysis tools, operating at an efficiency that allows for quick project deployment without detection.
The hidden costs of DIY security: A reality check
While the claims about Bubble’s no-code platform being weaponized are alarming, there’s a lot more to unpack here. The narrative that threat actors can build malicious apps for just $0-$30 per month overlooks some crucial details. For instance, what about the cost of domain registration, CDN services, or SSL certificates?
Think about this: setting up a phishing site on Bubble might seem cheap, but adding even basic polish, like a custom domain or a decent-looking design, can quickly eat into those margins. And let’s not forget the human factor. Even if an attacker spends 30 minutes building an app, how much time do they really spend tweaking it to avoid detection I noticed that many of these phishing pages rely on kludgy workarounds, which suggests their creators are cutting corners rather than investing in robust infrastructure.
Here’s a rhetorical question for you: Why go through the trouble of building your own phishing tool when there’s a thriving black-market economy for pre-made solutions These tools might not be as stealthy, but they’re cheaper and faster—especially if you’re not trying to stay under the radar indefinitely.
And don’t even get me started on the assumption thatBubble is uniquely vulnerable. Other no-code platforms have their own shadow markets for exploit kits. The real issue isn’t the tools themselves; it’s how we’re using them. In my testing, I’ve seen legitimate users make far more rookie mistakes than any cybercriminal would.
One thing that frustrates me about this whole debate is the lack of context. Yes, 15% of businesses might be at risk, but what does that really mean Are these all small operations with limited resources, or are there larger organizations exposed too And how sustainable is this model for attackers in the long term?
Finally, let’s not overlook the elephant in the room: Bubble isn’t exactly known for its rock-solid security. Features like dynamic page generation and Shadow DOM structures might make life harder for static analysis tools, but they also create blind spots for defenders. This feels like a textbook case of technical debt catching up with us—last year’s features are being weaponized against today’s users.
So here’s the bottom line: while Bubble’s no-code model might lower the barrier to entry for building apps, it also lowers the barrier to entry for building trouble. And that’s a trade-off we all need to keep in mind—whether we’re attackers or defenders.
Was DIY phishing worth it for these hackers?
From what I’ve seen, Bubble’s no code platform is a double-edged sword – it can empower legitimate users but also lower the bar for malicious actors. Let’s dissect this: launching a phishing campaign within 30 minutes (as experts estimate) is impressive, but achieving that speed likely involved sacrificing quality and robustness. These campaigns targeted 15% of Bubble’s business users, suggesting a significant impact, but we need context – were these small businesses with limited security budgets or larger organizations?
The attackers’ monthly cost ranging from $0 to $30 suggests minimal investment, but that neglects essential expenses like domain registration and SSL certificates. Furthermore, relying on Bubble’s Shadow DOM structure for obfuscation can create a false sense of security – it might hinder static analysis tools, but it doesn’t guarantee complete evasion. The real question is: were these attacks truly successful in the long run?
Recommendation:** This DIY approach to phishing appears opportunistic rather than strategic. For beginners lacking technical expertise, this method might be tempting due to its low cost and ease of use. However, experienced attackers relying on pre-built tools are likely more effective and sustainable.
FAQ section:
How common is bubble being used for phishing attacks?
According to Kaspersky, approximately 15% of businesses using Bubble’s services have been targeted by these phishing campaigns.
How much do these phishing attacks cost the attackers?
The article states that building these malicious web apps on Bubble costs between $0 and $30 a month if attackers utilize premium features. However, this doesn’t factor in additional costs like domain registration or SSL certificates.
How quickly can attackers set up these phishing pages?
Security experts estimate that it takes hackers an average of 30 minutes to create and host a fully functional phishing page using Bubble’s no-code platform.
Are bubble phishing sites sophisticated or easy to spot?
Many of the observed phishing pages appear “kludgy” and rely on basic designs, suggesting attackers prioritize speed over quality.
Analysis based on available data and hands-on observations. Specifications may vary by region.