Email rebounding as a credential-harvesting channel with a 25% monthly increase
Target Trend
Summary
Email has rebounded as a channel for stolen-credential harvesting, with observed activity rising 25% in a month and making phishing operations harder to suppress. The shift suggests operators are moving away from Telegram and other centralized channels toward infrastructure that is easier to spin up and replace. That raises the durability of credential-theft workflows and improves reach for low-cost phishing setups.
Related Happenings
AccountDumpling Google AppSheet Facebook phishing campaign
Campaign
First: 01.05.2026 21:09
Last: 01.05.2026 21:09
Sources 1
About this happening:
A **Vietnamese-linked** operation dubbed **AccountDumpling** is using **Google AppSheet** as a phishing relay to steal **Facebook** credentials, enabling account takeover at scale...
ATHR productized automated vishing platform for credential theft
Threat Actor Meta
First: 16.04.2026 17:09
Last: 16.04.2026 17:09
Sources 1
About this happening:
ATHR is turning **automated vishing** into a **productized underground service**, lowering the barrier for credential theft across **Google**, **Microsoft**, **Coinbase**, and oth...
Jinkusu's Starkiller phishing-as-a-service ecosystem commoditizes account takeover
Threat Actor Meta
First: 20.02.2026 22:00
Last: 20.02.2026 22:00
Sources 1
About this happening:
A new phishing-as-a-service operation tied to **Jinkusu** is proxying real login pages through attacker infrastructure, making **MFA bypass** and account takeover easier for low-s...
Starkiller dark-web phishing platform scales credential theft as a SaaS-style criminal service
Threat Actor Meta
First: 19.02.2026 14:00
Last: 19.02.2026 14:00
Sources 1
About this happening:
The **Starkiller** phishing platform has emerged as a **SaaS-style criminal service**, raising the scale and durability of credential theft operations. It is sold on the **dark we...
Multi-stage AitM phishing and BEC campaign against energy-sector organizations
Campaign
First: 23.01.2026 10:25
Last: 23.01.2026 10:25
Sources 1
About this happening:
A **multi-stage AitM phishing** and **BEC** operation is targeting **multiple energy-sector organizations**, creating immediate risk of credential theft and unauthorized mailbox a...
Timeline
19.09.2025 17:02 2 articles · 8mo ago
Email credential harvesting rebounds
Initial Disclosure
Threat actors are shifting stolen-credential collection back to email after moving away from Telegram, and Netcraft saw email-based harvesting rise 25% over a month. The channel is also being paired with services like EmailJS to collect login details and 2FA codes, while email's federated structure makes takedowns harder because each address or SMTP relay must be reported individually.
Sources:
- 17,500 Phishing Domains Target 316 Brands Across 74 Countries in Global PhaaS Surge — thehackernews.com — 19.09.2025 17:02