Illicit Enterprise: An Anatomy of the Modern Underground Phishing Marketplace

The underground phishing marketplace has shed its ad‑hoc, Craigslist‑like origins and now operates as a full‑stack criminal platform. Vendors sell ready‑made kits, developers provide custom code, and service providers deliver traffic, call‑center support, and even multi‑factor authentication bypass tools. Intel 471’s 2026 Phishing Outlook, based on analysis of nearly 200 offers, shows that phishing‑as‑a‑service (PhaaS) is the backbone of this ecosystem, allowing actors with minimal technical skill to launch sophisticated campaigns at scale.

Recruitment has emerged as the largest market segment, representing 31 % of all activity. Forums function as hiring boards where traffic providers—accounting for 57 % of recruitment listings—sell bulk visitor streams, while coders and social‑engineering callers fill niche roles. The rise of AI‑driven content generation further lowers barriers, automating lure wording, language localization, and prompt refinement. Despite this specialization, the ecosystem remains fragmented: 170 distinct handles posted an average of one to two listings each, underscoring a highly competitive but decentralized supply chain.

For defenders, the shift demands a proactive, intelligence‑led posture. Continuous monitoring of domain abuse, look‑alike sites, and credential‑stealing infrastructure can cut the window of opportunity for attackers. Understanding the PhaaS value chain—who provides traffic, kits, or post‑click services—enables prioritization of high‑risk indicators such as combolist activity or anomalous profit‑sharing payments. As the market expands through 2026, organizations that treat underground forums as a business‑risk intelligence source will be better positioned to disrupt the low‑cost, high‑yield entry point that fuels modern phishing.