Research Findings on the Fate of Data Stolen in Phishing Attacks
Recent research conducted by Kaspersky has shed light on the entire lifecycle of data stolen during phishing attacks, exposing a complex “shadow market conveyor belt” where victim information is quickly commodified.
The analysis follows the digital trail from the initial click on a fraudulent link to the eventual sale of credentials on dark web markets, highlighting the role of automated tools in the industrialization of identity theft.
A report by Kaspersky reveals a significant shift in how threat actors extract data. Unlike traditional methods, which involved PHP scripts forwarding credentials to an attacker’s email, cybercriminals are now adopting more advanced techniques due to delivery delays and provider blocks.
Telegram bots and “Platform as a Service” (PaaS) administration panels have become increasingly popular among cybercriminals. Telegram bots enable real-time data exfiltration, sending stolen credentials directly to the attacker’s device the moment a victim submits their information.
More sophisticated operations utilize commercial phishing frameworks, such as BulletProofLink, which provide a centralized dashboard for attackers to view real-time statistics, filter stolen data by country, and automatically verify the validity of credit card details or login credentials.
What Attackers Are Stealing
An analysis of attacks conducted between January and September 2025 shows that immediate financial theft is often secondary to long-term access. The research found that 88.5% of phishing attacks targeted credentials for online accounts, while personal data, such as names and addresses, accounted for 9.5%, and direct bank card theft comprised only 2% of incidents.
Once harvested, the stolen data enters a four-stage ecosystem: consolidation into bulk “dumps,” verification by dark market analysts, sale on specialized forums, and finally, usage in targeted attacks. Analysts often combine new leaks with historical data to create comprehensive “digital dossiers” on victims.
The value of a compromised account varies significantly based on the account type, balance, and the presence of two-factor authentication (2FA). Banking and crypto accounts command the highest premiums, while social media logins are sold for mere dollars to be used in social engineering campaigns.
Average Market Prices for Stolen Accounts (2025)
Account Category Price Range Average Price
| Account Category | Price Range | Average Price |
|---|---|---|
| Banking | $70 – $2,000 | $350.00 |
| Crypto Platforms | $60 – $400 | $105.00 |
| E-government Portals | $15 – $2,000 | $82.50 |
| Online Stores | $10 – $50 | $20.00 |
| Personal Documents | $0.50 – $125 | $15.00 |
| Social Media | $0.40 – $279 | $3.00 |
| Messaging Apps | $0.06 – $150 | $2.50 |
The Long-Term Threat
Moreover, stolen biometric data and document scans are increasingly being used to facilitate identity theft and deepfake creation, posing a significant long-term threat.
The research warns that the danger does not end with the initial sale. High-value targets, such as executives or IT administrators, are often singled out for “whaling” attacks, which can have devastating consequences.
By leveraging historical data, such as an old password or a compromised email from a previous employer, attackers can craft compelling phishing emails to infiltrate a target’s current organization.
To mitigate these risks, experts recommend immediate password changes across all services if a breach is suspected, the widespread implementation of multi-factor authentication, and the use of specialized services to monitor personal data exposure in known breaches.