From Bots to Inboxes: How Phishing Infrastructure Is Shifting in 2025

By Penn Mackintosh | September 11, 2025

Key Data 

While Telegram enjoys record levels of legitimate use, the messaging platform is falling out of favor with cybercriminals. Netcraft’s latest data shows a notable pivot: phishing attacks are moving away from once-popular encrypted channels and back toward traditional technologies like email. As platforms crack down and threat actors adapt, the battleground for credential theft continues to shift. 

Telegram’s Popularity Soars but Not with Cybercriminals 

Between May and June 2025, the number of websites using Telegram integrations tripled, fueled by its rise as a global communications platform. Most of these integrations are innocuous: contact forms and chatbot support on small personal sites. 

But Netcraft’s threat intelligence tells a different story underneath the surface. Even as public adoption of Telegram grew, the number of phishing sites using Telegram to transmit stolen data dropped sharply. For cybercriminals, Telegram is no longer the safe haven it once was. 

Figure 1. Netcraft is observing a decline in Telegram chats used to receive stolen credentials.

Telegram “Not Safe” – Crackdown Drives Criminals Elsewhere 

In September of last year, Telegram CEO Pavel Durov was arrested and later released, an event that marked a shift in Telegram’s posture toward law enforcement. Since then, the platform has increased cooperation with authorities, including disclosing the identities of users behind illegal content such as malware and phishing infrastructure. 

As a result, many cybercriminal communities have begun branding Telegram as “not safe.” Netcraft observed a sharp decline in its use for credential exfiltration, mirroring Discord’s earlier trajectory when it began mass-deleting malicious servers, sometimes nearly 1,000 a month. 

The criminal exodus from Telegram has sparked a search for alternatives. Some attackers are experimenting with platforms like Signal, which offers strong end-to-end encryption that makes platform-level moderation impossible. But for many, the path of least resistance is more familiar. 

Email Makes a Comeback for Credential Theft 

In a surprising turn, cybercriminals are returning to email as a channel for harvesting stolen credentials. Netcraft data shows a 25% increase in the use of email for credential delivery in a single month — right as Telegram’s usage plummeted. 

This resurgence is partly due to the federated nature of email, which makes takedowns harder. Each address or SMTP relay must be reported individually, unlike centralized platforms like Discord or Telegram. 

And it’s also about convenience. Creating a throwaway email address remains quick, anonymous, and virtually free. In one phishing campaign, Netcraft tracked attackers using both Telegram and email in parallel to receive stolen cryptocurrency wallet keys, never storing them on the phishing server itself, which was hosted for free using Cloudflare Pages. 

Phishing Evolves: No More Servers Needed 

Today’s phishing operations often skip traditional infrastructure entirely. By leveraging features in modern web browsers, attackers can have a victim’s browser send credentials directly to them, without ever touching an attacker-controlled backend system. 

Telegram bot tokens were once a favorite delivery method. Netcraft observed more than 500 distinct tokens used in credential theft kits in a single month. These tokens can be re-used across victims and even by different attackers, drastically increasing their longevity and impact. 

Now, as Telegram grows riskier, we’re seeing criminals experiment with API-based email platforms as a fallback. Services like EmailJS, a JavaScript library and service that enables sending emails directly from client-side applications using a public shared backend, are being used to harvest login details and 2FA codes directly from victims, bypassing the need for any hosting infrastructure altogether.

Figure 2. A fraudulent website that sends WalletConnect cryptocurrency credentials to a fraudster via Telegram and email simultaneously. 
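Because both delivery methods described above run in the victim's browser, the Telegram bot token or the EmailJS call is visible in the page source, which gives defenders a static indicator to scan for. The following is an added example, not Netcraft's code: the token pattern, the EmailJS endpoint and SDK call names, the input-name heuristics and the sample pages are assumptions made for illustration.

```python
import re

# Telegram Bot API URLs carry the token in the path: /bot<id>:<secret>/<method>
TELEGRAM_RE = re.compile(r"api\.telegram\.org/bot(\d{6,12}:[A-Za-z0-9_-]{30,})/\w+", re.I)
# EmailJS REST endpoint or browser SDK calls (emailjs.send / emailjs.sendForm).
EMAILJS_RE = re.compile(
    r"api\.emailjs\.com/api/v1\.0/email/send|\bemailjs\.send(?:Form)?\s*\(", re.I)
# Inputs suggesting the page collects secrets rather than contact details.
SECRET_INPUT_RE = re.compile(
    r"""<input[^>]*(?:type\s*=\s*["']?password"""
    r"""|name\s*=\s*["']?[^"'>]*(?:otp|2fa|seed|mnemonic|passw))""", re.I)

# Constructed samples (not taken from any real site or kit).
FAKE_TOKEN = "1234567890:" + "A" * 35
SAMPLE_DUAL = (
    '<input type="password" name="pw"><input name="otp_code">'
    f'<script>const u="https://api.telegram.org/bot{FAKE_TOKEN}/sendMessage";'
    'emailjs.send("service_x","template_y",{});</script>')
SAMPLE_CONTACT = (
    '<input type="text" name="message">'
    f'<script>fetch("https://api.telegram.org/bot{FAKE_TOKEN}/sendMessage")</script>')


def redact(token: str) -> str:
    """Keep the numeric bot id for clustering; never log the secret half."""
    bot_id, _, _secret = token.partition(":")
    return f"{bot_id}:<redacted>"


def scan_page(source: str) -> dict:
    """Return exfiltration indicators found in one page's HTML/JS source."""
    bot_ids = sorted({redact(m.group(1)) for m in TELEGRAM_RE.finditer(source)})
    channels = []
    if bot_ids:
        channels.append("telegram")
    if EMAILJS_RE.search(source):
        channels.append("emailjs")
    collects_secrets = bool(SECRET_INPUT_RE.search(source))
    if channels and collects_secrets:
        verdict = "suspicious"   # secret-collecting form plus client-side exfil
    elif channels:
        verdict = "review"       # may be an innocuous contact form or chatbot
    else:
        verdict = "clean"
    return {"channels": channels, "bot_ids": bot_ids,
            "collects_secrets": collects_secrets, "verdict": verdict}
```

The "review" verdict reflects the point made earlier that most Telegram integrations are innocuous; the integration alone is not treated as malicious without a secret-collecting form on the same page.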

Businesses in the Crosshairs 

These lightweight, cost-effective attacks aren’t just targeting individuals. In one campaign uncovered by Netcraft, 100+ short-lived domains are in use to phish social media business account credentials. Victims received urgent-looking emails claiming their accounts had been suspended. 

After clicking through, users were prompted to enter their email, password, and 2FA code, all of which were sent to the attacker via email. Scammers use stolen business accounts to run fraudulent ad campaigns, abusing trusted brand names to deceive consumers into giving up payment details, and that is likely what is happening here. 

Figure 3a. Part of a fraudulent email urging the recipient to visit a phishing site. 

Figure 3b. A fake Meta webpage, phishing for advertising account details which are sent to the attacker by email.

Why This Matters: The Role of Human-Driven Intelligence

As criminals migrate between platforms such as Telegram, Discord, Signal and email, the challenges of detection and takedown shift with them. Encrypted or federated platforms leave fewer breadcrumbs, increasing the need for human-driven intelligence to supplement automated monitoring.

Netcraft’s partnerships with domain registrars, email providers, and cloud platforms allow us to act quickly, even in federated environments. We block more than 200,000 phishing sites each month and rapidly shut down email infrastructure used in credential theft—often within minutes of detection.

What You Can Do

For individuals and organizations alike, vigilance is always critical. We recommend:

  • Passkeys where supported (they resist phishing by design).

  • Two-factor authentication for all logins.

  • The Netcraft App and Extension for real-time phishing alerts and protection.

Phishing infrastructure is undergoing a quiet but significant transformation. Messaging platforms once seen as safe havens are no longer reliable tools for attackers. Instead, legacy technologies like email are being repurposed in modern, low-cost phishing operations.

Netcraft continues to track these shifts, block emerging threats, and help organizations respond faster to evolving attack infrastructure.