The majority of phishing attacks are now driven by the resale value of stolen digital accounts, with cybercriminals increasingly treating login credentials and personal data as commodities in a growing underground economy, according to new research by Kaspersky.
An analysis of phishing and scam campaigns observed between January and September 2025 shows that nearly 90% of attacks were aimed at stealing credentials for online accounts, which are later bundled, verified, and sold on illicit marketplaces. Smaller shares of campaigns targeted personal identity data or bank card information, reflecting a shift toward long-term exploitation rather than one-time financial theft.
Why stolen credentials are more valuable than card data
Kaspersky found that 88.5% of phishing campaigns focused on account logins, while 9.5% targeted personal details such as names, addresses, and dates of birth. Only 2% of attacks sought bank card information, which analysts say is often less profitable due to rapid cancellation and fraud monitoring by financial institutions.
By contrast, access to online accounts—ranging from email and social media to cryptocurrency platforms and banking portals—can be reused repeatedly or combined with other data to enable broader fraud schemes.
How phishing data is collected and sold
According to the report, phishing victims are typically redirected to fake websites that imitate legitimate services, where they unknowingly submit credentials. Stolen information is transmitted via email, messaging platforms such as Telegram, or attacker-controlled dashboards before entering resale channels.
Data collected from multiple campaigns is often merged into large datasets and sold in bulk. In some cases, complete data dumps are offered for as little as $50, allowing buyers to test which accounts remain active and exploitable.
What stolen data is worth in 2025
Kaspersky Digital Footprint Intelligence estimates that average prices in 2025 ranged from $0.90 for access to global internet portals, around $105 for cryptocurrency platform accounts, and up to $350 for online banking access. Personal documents such as passports or national ID cards were sold for an average of $15, with prices varying based on account age, balances, linked payment methods, and security protections.
As datasets are refined and enriched, attackers can assemble detailed digital profiles that may later support targeted attacks on corporate executives, finance staff, IT administrators, or individuals with valuable assets.
Long-term risks for individuals and organizations
Cybersecurity researchers warn that stolen credentials often remain in circulation for years. Even outdated logins can become dangerous when combined with new breach data or publicly available information, enabling account takeovers, identity theft, blackmail, or financial fraud.
Kaspersky noted that phishing remains one of the most widespread cyber threats, particularly for users who do not employ security software or multi-factor authentication.
Reducing exposure to phishing attacks
To limit risk, users are advised to avoid clicking on links or attachments from unknown sources, verify senders carefully, and check website addresses before entering login or financial information. Enabling multi-factor authentication and regularly reviewing account login activity can also reduce the impact of compromised credentials.
