phishing
Imagine: a user lands on a scam site, decides to make a purchase, and enters their bank card details, name, and address. Guess what happens next? If you think the attackers simply grab the cash and disappear — think again. Unfortunately, it’s much more complicated. In reality, the information enters a massive shadow-market pipeline, where victims’ data circulates for years, changing hands and being reused in new attacks.
At Kaspersky, we’ve studied the journey data takes after a phishing attack: who gets it, how it’s sorted, resold, and used on the shadow market. In this article, we map the route of stolen data, and explain how to protect yourself if you’ve already encountered phishing, or if you want to avoid it in the future. You can read the detailed report complete with technical insights on Securelist.
Harvesting data
Phishing sites are carefully disguised to look legitimate — sometimes the visual design, user interface, and even the domain name are almost indistinguishable from the real thing. To steal data, attackers typically employ HTML forms prompting users to enter their login credentials, payment card details, or other sensitive information.
As soon as the user hits Sign In or Pay, the information is instantly dispatched to the cybercrooks. Some malicious campaigns don’t harvest data directly through a phishing site but instead abuse legitimate services like Google Forms to hide the final destination server.
A fake DHL website. The user is asked to enter the login and password for their real DHL account
The stolen data is typically transmitted in one of three ways — or a combination of them:
- Email. This method is less common today due to possible delays or bans.
- Telegram bots. The attackers receive the information instantly. Most of these bots are disposable, which makes them hard to track.
- Admin panels. Cybercriminals can use specialized software to harvest and sort data, view statistics, and even automatically verify the stolen information.
What kind of data are phishers after?
The range of data sought by cybercriminals is quite extensive.
- Personal data: phone numbers, full names, email, registration and residential addresses. This information can be used to craft targeted attacks. People often fall for scams precisely because the attackers possess a large amount of personal information — addressing them by name, knowing where they live, and which services they use.
- Documents: data and scans of social security cards, driver licenses, insurance and tax IDs, and so on. Criminals use these for identity theft, applying for loans, and verifying identity when logging into banks or e-government portals.
- Credentials: logins, passwords, and one-time 2FA codes.
- Biometrics: face scans, fingerprints, and voice samples used to generate deepfakes or bypass two-factor authentication.
- Payment details: bank card and cryptocurrency wallet details.
- And much more.
According to our research, the vast majority (88.5%) of phishing attacks conducted from January through September 2025 targeted online account credentials, and 9.5% were attempts to obtain users’ personal data, such as names, addresses, and dates. Finally, 2% of phishing attacks were focused on stealing bank card details.
Distribution of attacks by type of data being targeted, January–September 2025
What happens to the stolen data next?
Not all stolen data is directly used by the attackers to transfer money to their own accounts. In fact, the data is seldom used instantly; more commonly, it finds its way onto the shadow market, reaching analysts and data brokers. A typical journey looks something like this.
1. Bulk sale of data
Raw data sets are bundled into massive archives and offered in bulk on dark web forums. These dumps often contain junk or outdated information, which is why they’re relatively cheap — starting at around US$50.
2. Data sorting and verification
These archives are purchased by hackers who act as analysts. They categorize datasets and verify the validity of the data by checking if the login credentials work for the specified services, if they are reused on other sites, and if they match any data from past breaches. For targeted attacks, cybercriminals compile a digital dossier. It stores information gathered from both recent and older attacks — essentially a spreadsheet of data ready to be used in hacks.
3. Resale of verified data
The sorted datasets are offered for sale again, now at a higher price — and not only on the dark web but also on the more familiar Telegram.
An ad for a Telegram sale of social media account credentials
According to Kaspersky Digital Footprint Intelligence, account prices are driven by a large number of factors: account age, 2FA authentication, linked bank cards, and service userbase. It’s no surprise that the most expensive and in-demand commodity on this market is access to bank accounts and crypto wallets.
| Category | Price, US$ | Average price, US$ |
| Crypto platforms | 60–400 | 105 |
| Banks | 70–2000 | 350 |
| E-government portals | 15–2000 | 82.5 |
| Social media | 0.4–279 | 3 |
| Messaging apps | 0.065–150 | 2.5 |
| Online stores | 10–50 | 20 |
| Games and gaming platforms | 1–50 | 6 |
| Global internet portals | 0.2–2 | 0.9 |
| Personal documents | 0.5–125 | 15 |
Average account prices in January–September 2025
4. Repeat attacks
Once a cybercriminal purchases a victim’s digital dossier, they can plan their next attack. They might use open-source intelligence to find out where the person works, and then craft a convincing email impersonating their boss. Alternatively, they could hack a social media profile, extract compromising photos, and demand a ransom for their return. However, rest assured that nearly all threatening or extortion emails are just a scare tactic by scammers.
Cybercriminals also use compromised accounts to send further phishing emails and malicious links to the victim’s contacts. So, if you receive a message asking you to vote for a niece in a contest, lend money, or click on a suspicious link, you have every reason to be wary.
What to do if your data has been stolen
- First, recall what information you entered on the phishing site. If you provided payment card details, call your bank immediately and have the cards blocked. If you entered a login and password that you use for other accounts, change those passwords right away. A password manager can help you create and store strong, unique passwords.
- Enable two-factor authentication (2FA) wherever possible. For more details on what 2FA is and how to use it, read our guide. When choosing a 2FA method, it’s best to avoid SMS, as one-time codes sent via a text can be intercepted. Ideally, use an authenticator app, such as Kaspersky Password Manager, to generate one-time codes.
- Check the active sessions (the list of logged-in devices) in your important accounts. If you see a device or IP address you don’t recognize, terminate that session immediately. Then change your password and set up two-factor authentication.
How to guard against phishing
- Don’t click on links in emails or messages without first scanning them with a security solution.
- If you receive a suspicious email, always check the sender’s address to see if you’ve had any contact with that person before. If someone claims to represent a government authority or company, be sure to compare the domain the email was sent from with the domain of the organization’s official website. No official correspondence should ever come from a free email service.
- Use an authenticator app for two-factor authentication.
- Create hack-resistant passwords. Our research shows that hackers can crack almost 60% of all passwords in the world in less than an hour. Alternatively, consider switching to passkeys, which offer much stronger account protection, but keep in mind that they come with their own caveats.
- Remember: using the same password for multiple services is a critical mistake. This is exactly what malicious actors exploit. Even if you’ve never fallen for a phishing scam, your passwords and data can still end up in data breaches, as cyberattackers target not just individuals but entire companies. This year, the Identity Theft Resource Center has already recorded over two thousand data breaches. To minimize the risks, create a unique and strong password for every account. You don’t have to — and actually can’t — memorize them all. It’s better to use a password manager, which generates and securely stores complex passwords, syncs them across all your devices, auto-fills them on websites and in apps, and alerts you if any of your credentials appear in a known data breach.
More on phishing and scams:
Tips