New research from Kaspersky has mapped the complete lifecycle of data stolen during phishing attacks, revealing a sophisticated “shadow market conveyor belt” where victim information is instantly commoditized.
The analysis traces the digital trail from the initial click on a fraudulent link to the eventual sale of credentials on dark web markets, highlighting how automated tools have industrialized identity theft.
The report identifies a significant evolution in how threat actors extract data. While traditional methods involved PHP scripts forwarding credentials to an attacker’s email, this approach is declining due to delivery delays and provider blocks.
Instead, cybercriminals are increasingly adopting Telegram bots and “Platform as a Service” (PaaS) administration panels.
Telegram bots allow for real-time data exfiltration, sending stolen credentials directly to the attacker’s device the moment a victim hits “submit.”
More advanced operations use commercial phishing frameworks such as BulletProofLink. These administrative panels provide a centralized dashboard where attackers can view real-time statistics, filter stolen data by country, and automatically verify the validity of credit card details or login credentials.
What Attackers Are Stealing
An analysis of attacks conducted between January and September 2025 reveals that immediate financial theft is often secondary to long-term access.
The research found that 88.5% of phishing attacks targeted credentials for online accounts. In contrast, personal data (such as names and addresses) accounted for 9.5%, while direct bank card theft comprised only 2% of incidents.
Once harvested, data enters a four-stage ecosystem: consolidation into bulk “dumps,” verification by dark market analysts, sale on specialized forums, and finally, usage in targeted attacks.
Analysts often combine new leaks with historical data to create comprehensive “digital dossiers” on victims.
The value of a compromised account varies significantly based on the account type, balance, and the presence of two-factor authentication (2FA).
Banking and crypto accounts command the highest premiums, while social media logins are sold for mere dollars to be used in social engineering campaigns.
Average Market Prices for Stolen Accounts (2025)
Account CategoryPrice RangeAverage Price
| Account Category | Price Range | Average Price |
|---|---|---|
| Banking | $70 – $2,000 | $350.00 |
| Crypto Platforms | $60 – $400 | $105.00 |
| E-government Portals | $15 – $2,000 | $82.50 |
| Online Stores | $10 – $50 | $20.00 |
| Personal Documents | $0.50 – $125 | $15.00 |
| Social Media | $0.40 – $279 | $3.00 |
| Messaging Apps | $0.06 – $150 | $2.50 |
The Long-Term Threat
Furthermore, stolen biometric data and document scans are increasingly being used to facilitate identity theft and deepfake creation.
The research warns that the danger does not end with the initial sale. High-value targets, such as executives or IT administrators, are often singled out for “whaling” attacks.
By leveraging historical data such as an old password or a compromised email from a previous employer attackers can craft compelling phishing emails to infiltrate a target’s current organization.
To mitigate these risks, experts recommend immediate password changes across all services if a breach is suspected, the widespread implementation of multi-factor authentication, and the use of specialized services to monitor personal data exposure in known breaches.
Follow us on Google News, LinkedIn, and X to Get Instant Updates and Set GBH as a Preferred Source in Google.