- A cyber thief is advertising more than 41 million global telecom records on dark web forums, covering phone users across the United States and other countries.
- The seller tags the data “filtered, active, and confirmed,” making it attractive for targeted fraud, smishing campaigns, and social engineering attacks.
- Underground monitoring and investigations reveal that threat actors use sophisticated tools like infostealers, phishing kits, and AI-supported platforms to carry out their operations.

A threat actor is listing over 41 million telecom records covering the United States, Singapore, and many European nations. This makes it one of the biggest telecom-related events to appear in underground markets this year.
Threat Actor Brandishes 41 Million Telecom Records Across Multiple Regions
The seller packages the dataset in three formats: CSV, JSON, and SQL. Around 26.5 million numbers in the data belong to U.S. users, and 6.8 million belong to Singapore users. The rest belong to users in European nations such as Germany, France, the Netherlands, Belgium, the Czech Republic, and Austria.
The threat actor describes the data as “scrubbed, live, and deployment-ready” for fraud pipelines. The seller also claims the dataset “bypassed security measures that are location-based.” According to analysts, this claim is unverified and likely a means to drive buyer interest.
Criminals Weaponize Phone Data for Smishing and Targeted Fraud
Criminals use telecom data to attempt OTP interception, targeting the one-time passcodes that banks and applications send to verify identity. They also deploy large-scale SMS phishing to trick recipients into giving away sensitive credentials or opening malicious links.
Cyber thieves can use social engineering campaigns, impersonating service providers at scale to pull sensitive data from unsuspecting users.
According to analysts, the criminals use marketing operations to slice the data by region and deploy it across automated SMS platforms, flooding millions of inboxes with commercial fraud.
This rapid weaponization of stolen data is enabled by the speed of infostealer operations. Research shows that stolen data can appear on dark web markets within 48 hours, giving criminals fresh, up-to-date information for their fraud campaigns while victims remain unaware their data has been compromised.
Infostealers, Phishing Kits, and AI-Supported Platforms Facilitate Threat Actors
Interviews with active threat actors and underground monitoring produced a clear answer to one question: what tools do criminals actually use? The answer: infostealers, phishing kits, AI platforms, and so on.
For infostealers, Lumma Stealer holds the top spot. Threat actors deploy it to harvest people’s credentials on a large scale. Since its development is continuous, Lumma Stealer keeps getting ahead of most endpoint defenses. Another one is RedLine Stealer. It’s cheap, widely available, and the most used for initial access operations.
Next is Raccoon Stealer. This infostealer is favored by entry-level operators because of its straightforward deployment. StealC is climbing fast, drawing serious attention with modular capabilities and strong evasion.
These infostealers feed directly into log markets (Russian Market among the most active) where stolen credentials become the primary currency of the underground economy. Phishing-as-a-Service platforms then weaponize what those markets supply.
EvilProxy, Tycoon 2FA, and GhostFrame deliver fully assembled phishing operations with built-in MFA bypass. W3LL Panel works as a full-fledged fraud platform that actively powers real-world campaigns while requiring little to no technical prowess from the operator.
Legitimate remote access tools also appear on the list as active weapons. Threat actors abuse TeamViewer, AnyDesk, ConnectWise ScreenConnect, and Splashtop as stealthy backdoors inside compromised networks.
RustDesk is gaining traction specifically because its self-hosting capability makes network-level blocking significantly harder for defenders. Telegram ties the entire operation together, functioning simultaneously as a criminal marketplace, command-and-control hub, and recruitment channel.
The threat landscape has shifted from isolated hacking tools to a fully self-sustaining underground economy. The pipeline runs in one reinforcing direction: infostealers harvest credentials, log markets turn them into currency, phishing kits deploy them against new targets, and ransomware operators take advantage of the downstream output.
The 41 million cellular records currently listed on dark web forums are not an isolated event. They are raw material for the exact infrastructure that underground monitoring keeps exposing, piece by piece.