Following the digital trail: what happens to data stolen in a phishing attackIntroductionA typical phishing attack involves a user clicking a fraudulent link and entering their credentials on a scam website. However, the attack is far from over at that point. The moment the confidential information falls into the hands of cybercriminals, it immediately transforms into a commodity and enters the shadow market conveyor belt.In this article, we trace the path of the stolen data, starting from its collection through various tools – such as Telegram bots and advanced administration panels – to the sale of that data and its subsequent reuse in new attacks. We examine how a once leaked username and password become part of a massive digital dossier and why cybercriminals can leverage even old leaks for targeted attacks, sometimes years after the initial data breach.Data harvesting mechanisms in phishing attacksBefore we trace the subsequent fate of the stolen data, we need to understand exactly how it leaves the phishing page and reaches the cybercriminals.By analyzing real-world phishing pages, we have identified the most common methods for data transmission:Send to an email address.Send to a Telegram bot.Upload to an administration panel.It also bears mentioning that attackers may use legitimate services for data harvesting to make their server harder to detect. Examples include online form services like Google Forms, Microsoft Forms, etc. Stolen data repositories can also be set up on GitHub, Discord servers, and other websites. For the purposes of this analysis, however, we will focus on the primary methods of data harvesting.EmailData entered into an HTML form on a phishing page is sent to the cybercriminal’s server via a PHP script, which then forwards it to an email address controlled by the attacker. However, this method is becoming less common due to several limitations of email services, such as delivery delays, the risk of the hosting provider blocking the sending server, and the inconvenience of processing large volumes of data.As an example, let’s look at a phishing kit targeting DHL users.Phishing kit contentsThe index.php file contains the phishing form designed to harvest user data – in this case, an email address and a password.Phishing form imitating the DHL websiteThe data that the victim enters into this form is then sent via a script in the next.php file to the email address specified within the mail.php file.Contents of the PHP scriptsTelegram botsUnlike the previous method, the script used to send stolen data specifies a Telegram API URL with a bot token and the corresponding Chat ID, rather than an email address. In some cases, the link is hard-coded directly into the phishing HTML form. Attackers create a detailed message template that is sent to the bot after a successful attack. Here is what this looks like in the code:Code snippet for data submissionCompared to sending data via email, using Telegram bots provides phishers with enhanced functionality, which is why they are increasingly adopting this method. Data arrives in the bot in real time, with instant notification to the operator. Attackers often use disposable bots, which are harder to track and block. Furthermore, their performance does not depend on the quality of phishing page hosting.Automated administration panelsMore sophisticated cybercriminals use specialized software, including commercial frameworks like BulletProofLink and Caffeine, often as a Platform as a Service (PaaS). These frameworks provide a web interface (dashboard) for managing phishing campaigns.Data harvested from all phishing pages controlled by the attacker is fed into a unified database that can be viewed and managed through their account.Sending data to the administration panelThese admin panels are used for analyzing and processing victim data. The features of a specific panel depend on the available customization options, but most dashboards typically have the following capabilities:Sorting of real-time statistics: the ability to view the number of successful attacks by time and country, along with data filtering optionsAutomatic verification: some systems can automatically check the validity of the stolen data like credit cards and login credentialsData export: the ability to download the data in various formats for future use or saleExample of an administration panelAdmin panels are a vital tool for organized cybercriminals.One campaign often employs several of these data harvesting methods simultaneously.Sending stolen data to both an email address and a Telegram botThe data cybercriminals wantThe data harvested during a phishing attack varies in value and purpose. In the hands of cybercriminals, it becomes a method of profit and a tool for complex, multi-stage attacks.Stolen data can be divided into the following categories, based on its intended purpose:Immediate monetization: the direct sale of large volumes of raw data or the immediate withdrawal of funds from a victim’s bank account or online wallet.Banking details: card number, expiration date, cardholder name, and CVV/CVC.Access to online banking accounts and digital wallets: logins, passwords, and one-time 2FA codes.Accounts with linked banking details: logins and passwords for accounts that contain bank card details, such as online stores, subscription services, or payment systems like Apple Pay or Google Pay.Subsequent attacks for further monetization: using the stolen data to conduct new attacks and generate further profit.Credentials for various online accounts: logins and passwords. Importantly, email addresses or phone numbers, which are often used as logins, can hold value for attackers even without the accompanying passwords.Phone numbers, used for phone scams, including attempts to obtain 2FA codes, and for phishing via messaging apps.Personal data: full name, date of birth, and address, abused in social engineering attacksTargeted attacks, blackmail, identity theft, and deepfakes.Biometric data: voice and facial projections.Scans and numbers of personal documents: passports, driver’s licenses, social security cards, and taxpayer IDs.Selfies with documents, used for online loan applications and identity verification.Corporate accounts, used for targeted attacks on businesses.We analyzed phishing and scam attacks conducted from January through September 2025 to determine which data was most frequently targeted by cybercriminals. We found that 88.5% of attacks aimed to steal credentials for various online accounts, 9.5% targeted personal data (name, address, and date of birth), and 2% focused on stealing bank card details.Distribution of attacks by target data type, January–September 2025 (download)Selling data on dark web marketsExcept for real-time attacks or those aimed at immediate monetization, stolen data is typically not used instantly. Let’s take a closer look at the route it takes.Sale of data dumpsData is consolidated and put up for sale on dark web markets in the form of dumps: archives that contain millions of records obtained from various phishing attacks and data breaches. A dump can be offered for as little as $50. The primary buyers are often not active scammers but rather dark market analysts, the next link in the supply chain.Sorting and verificationDark market analysts filter the data by type (email accounts, phone numbers, banking details, etc.) and then run automated scripts to verify it. This checks validity and reuse potential, for example, whether a Facebook login and password can be used to sign in to Steam or Gmail. Data stolen from one service several years ago can still be relevant for another service today because people tend to use identical passwords across multiple websites. Verified accounts with an active login and password command a higher price at the point of sale.Analysts also focus on combining user data from different attacks. Thus, an old password from a compromised social media site, a login and password from a phishing form mimicking an e-government portal, and a phone number left on a scam site can all be compiled into a single digital dossier on a specific user.Selling on specialized marketsStolen data is typically sold on dark web forums and via Telegram. The instant messaging app is often used as a storefront to display prices, buyer reviews, and other details.Offers of social media data, as displayed in TelegramThe prices of accounts can vary significantly and depend on many factors, such as account age, balance, linked payment methods (bank cards, online wallets), 2FA authentication, and service popularity. Thus, an online store account may be more expensive if it is linked to an email, has 2FA enabled, and has a long history, with a large number of completed orders. For gaming accounts, such as Steam, expensive game purchases are a factor. Online banking data sells at a premium if the victim has a high account balance and the bank itself has a good reputation.The table below shows prices for various types of accounts found on dark web forums as of 2025*.CategoryPriceAverage priceCrypto platforms$60–$400$105Banks$70–$2000$350E-government portals$15–$2000$82.5Social media$0.4–$279$3Messaging apps$0.065–$150$2.5Online stores$10–$50$20Games and gaming platforms$1–$50$6Global internet portals$0.2–$2$0.9Personal documents$0.5–$125$15*Data provided by Kaspersky Digital Footprint IntelligenceHigh-value target selection and targeted attacksCybercriminals take particular interest in valuable targets. These are users who have access to important information: senior executives, accountants, or IT systems administrators.Let’s break down a possible scenario for a targeted whaling attack. A breach at Company A exposes data associated with a user who was once employed there but now holds an executive position at Company B. The attackers analyze open-source intelligence (OSINT) to determine the user’s current employer (Company B). Next, they craft a sophisticated phishing email to the target, purportedly from the CEO of Company B. To build trust, the email references some facts from the target’s old job – though other scenarios exist too. By disarming the user’s vigilance, cybercriminals gain the ability to compromise Company B for a further attack.Importantly, these targeted attacks are not limited to the corporate sector. Attackers may also be drawn to an individual with a large bank account balance or someone who possesses important personal documents, such as those required for a microloan application.TakeawaysThe journey of stolen data is like a well-oiled conveyor belt, where every piece of information becomes a commodity with a specific price tag. Today, phishing attacks leverage diverse systems for harvesting and analyzing confidential information. Data flows instantly into Telegram bots and attackers’ administration panels, where it is then sorted, verified, and monetized.It is crucial to understand that data, once lost, does not simply vanish. It is accumulated, consolidated, and can be used against the victim months or even years later, transforming into a tool for targeted attacks, blackmail, or identity theft. In the modern cyber-environment, caution, the use of unique passwords, multi-factor authentication, and regular monitoring of your digital footprint are no longer just recommendations – they are a necessity.What to do if you become a victim of phishingIf a bank card you hold has been compromised, call your bank as soon as possible and have the card blocked.If your credentials have been stolen, immediately change the password for the compromised account and any online services where you may have used the same or a similar password. Set a unique password for every account.Enable multi-factor authentication in all accounts that support this.Check the sign-in history for your accounts and terminate any suspicious sessions.If your messaging service or social media account has been compromised, alert your family and friends about potential fraudulent messages sent in your name.Use specialized services to check if your data has been found in known data breaches.Treat any unexpected emails, calls, or offers with extreme vigilance – they may appear credible because attackers are using your compromised data.securelist.com/what-happens-to…
