Fake Midjourney / Runway ML AI image and video generation subscription suspended, fast GPU hours depleted, Gen-3 video credits expired, or image generation access blocked due to billing failure phishing

Phishing emails impersonating Midjourney or Runway ML claiming the AI image or video generation subscription has been suspended, fast GPU hours have been depleted, Gen-3 video credits have expired, or image generation access has been blocked due to a billing failure — directing victims to update payment through a credential-harvesting portal. A novel attack category exploiting the rapid commercialization of AI creative tools. Key facts: (1) Midjourney serves 16M+ registered users with subscription plans at $10 (Basic), $30 (Standard), $60 (Pro), and $120/month (Mega) — all paid via credit card through the Midjourney website, not Discord; the subscription covers fast GPU time (immediate generation), relaxed GPU time (queued generation), and image storage; a 'subscription suspended' email creates immediate creative production disruption because professional designers and studios depend on Midjourney for client deliverable workflows; (2) Runway ML serves professional video creators, filmmakers, and studios at $15 (Standard 625 credits), $35 (Pro 2250 credits), and $95/month (Unlimited) for Gen-3 Alpha video generation — a Runway 'credits expired, subscription no longer active' email is particularly credible because Runway genuinely tracks credits and sends low-credit warnings; attackers mimic this legitimate notification format; (3) The target profile is ideal for phishing: Midjourney and Runway users tend to be creative professionals and studios who are less security-conscious than developers; they are deeply dependent on continuous access for client project deadlines; and they authenticate via email/Google OAuth rather than complex enterprise SSO, making credential capture simpler; (4) Midjourney credentials enable lateral access: Midjourney accounts often use Google Sign-In, so a phishing page that captures Google credentials for 'Midjourney billing verification' actually harvests full Google account credentials including Gmail, Google Drive, and Google Workspace; (5) The subscription suspension narrative has high plausibility: Midjourney sends legitimate payment failure emails because many users pay via cards that expire or are reissued, and failed charges do genuinely suspend fast GPU access — the attack vector matches a real notification users have seen before. Warning signs: sender not midjourney.com; genuine Midjourney billing at midjourney.com/account; Runway billing at app.runwayml.com.