Just as cyber threats have grown more complex and foreboding, the underground phishing marketplace which makes such attacks possible has profoundly evolved.
No longer a Craigslist-styled hodgepodge of products and services, marketplace forums have emerged as complete criminal ecosystems that function as not only distribution points for resources, but as labor exchanges to recruit and coordinate personnel.
Key Takeaways of the Cybercriminal Phishing Marketplace
- The underground phishing marketplace has evolved into a highly organized criminal ecosystem offering tools, labor, infrastructure, and phishing-as-a-service (PhaaS).
- Recruitment is now the largest phishing market segment, accounting for 31% of observed underground marketplace activity.
- Cybercriminals increasingly rely on outsourcing and specialization, enabling even low-skilled actors to execute advanced phishing campaigns.
- Services such as traffic providers, developers, and social-engineering callers are accelerating the scale and sophistication of phishing operations.
- Security teams must focus on proactive monitoring, phishing infrastructure detection, and understanding PhaaS ecosystems to reduce organizational risk.
“Step right up!” as a traditional carnival barker would say, and ill-intended patrons find offerings in the form of products (kits, tools and manufacturing “build-it-for-you” bids), labor (recruitment and outsourcing) and services (call centers, traffic providers and phishing as a service, or PhaaS).
All of which is empowering the patrons – many of them low-skilled – to execute sophisticated campaigns.
Indeed, the modern underground market enables them to advance from basic credential thefts to multi-factor authentication (MFA) bypasses to full network intrusions.
To examine these developments in-depth, Intel 471’s team analyzed nearly 200 phishing-related offers from multiple underground forums and marketplaces.
This comprehensive analysis serves as the foundation for our most recent report, the 2026 Phishing Outlook, which documents the following trends:
- While highly advanced, the underground phishing marketplace is quite fragmented, with 170 distinct actor handles behind 197 phishing-related offers. Most actors post just one to two listings.
- Taking advantage of the abundance of market/forum offers and opportunities, cyber criminals are launching phishing schemes to move laterally as they wish, in pursuit of full system intrusions. They’re expanding collaboration and outsourcing while industrializing operations through specialization and delegation. In addition, the “full stack” adversary – one who assumes roles as both a developer and active operator – is now increasingly common.
A surging labor forecast
The underground labor and recruitment picture has emerged as most fascinating. So let’s break it down according to the numbers and trends we discovered.
Hot jobs
Recruitment now accounts for the largest category of the phishing market at 31 percent, with forums acting as hiring boards and coordination hubs. Top roles include traffic providers (which account for 57.4 percent of recruitment-based offers), who deliver substantial volumes of visitors to phishing pages; coders/developers (11.5 percent), who build kits, panels and AITM frameworks; and callers (9.8 percent), who step in post-click to dupe victims into social-engineering scams.
Tantalizing tactics
Forum posts typically specify skills, reputation and deposit requirements. Compensation comes in the form of profit-sharing, monthly retainers or fixed pay-per-task. Incentives remain highly performance-driven, with recruits earning commissions for lucrative results.
Swift scaling
With this level of businesslike recruitment, the marketplace will continue to drive offers that are increasingly professional, target-specific and easy to execute on a large scale. Buyers will acquire ready-made personnel and components for traffic, infrastructure, kits, etc. instead of constructing large-scale campaign parts from scratch. And artificial intelligence (AI) tools, of course, will play essential supporting roles, such as rewriting and testing lure content, localizing language usage and refining social-engineering prompts.
Tips for security pros
So how should security teams respond? By continuing to develop comprehensive strategies that incorporate these best practices:
- Proactive identification and monitoring of domain abuse, social media impersonations and broader phishing infrastructure, such as fake login portals and lookalike imposter sites
- Prioritization of high-risk findings to reduce the window in which adversaries can harvest log-ins and hijack accounts
- Understanding the PhaaS ecosystems driving campaigns, and the continuous tracking of infostealers, credential logs and “combolist” activity (compilations of usernames/email addresses and passwords) that frequently fuel fraud or intrusion attempts.
Throughout the history of global society, the marketplace has segued from the street to the strip shopping center to the mega-mall to the now-ubiquitous digital storefront.
So it should come as no surprise that the cyber underground has also evolved with impressive speed, resourcefulness and efficacy.
All of this creates a low-cost, high-yield entry point that simplifies phishing campaign setup, delivery, collection and basic management through an accessible interface.
With lowered technical barriers and accelerated time-to-launch, even entry-level schemers adeptly perform massive and intricate credential theft and exploitation campaigns for minimal expense.
With market expansion expected for 2026 and beyond, security leaders and their teams must watch underground developments like their business-side counterparts watch the competition.
By proactively identifying and monitoring suspicious activity, prioritizing risk and gaining a deep understanding of these criminal exchanges, organizations will send a clear “no sale” message to would-be phishing fraudsters.