Hook, line, and vault: A technical deep dive into the 1Phish kit
ID: c97e0e22-6528-56e8-861b-1e13902f3b9b
STIX ID: report--c97e0e22-6528-56e8-861b-1e13902f3b9b
Feed Name: Datadog Security Labs
This report analyzes the "1Phish" phishing kit—an actively maintained, multi-stage phishing campaign that evolved between September 2025 and February 2026 to target 1Password users. Across four versions the kit progressed from a simple credential harvester to an MFA-aware, API-driven application that collects emails, secret keys, passwords, one-time codes, and recovery codes, uses advanced browser fingerprinting, bot scoring and cloaking services (HideClick), and exposes multiple malicious domains and IoCs for detection and takedown.
