WWW2026
Unveiling the Underground Phishing Ecosystem: A 12-Year Longitudinal Study of Deep and Dark Web Forums
Dohee Kim, Hui Zhao, Doowon Kim, Sungjae Hwang
Abstract
Phishing is a threat in which attackers masquerade as legitimate entities to steal sensitive data. While understanding the phishing ecosystem is critical for developing effective countermeasures, prior research has largely studied phishing through post-attack data, with limited examination of the attacker's perspective and how phishing campaigns are built. Critically, the Deep and Dark Web (D2Web) serves as the primary marketplace and knowledge-sharing platform where attackers acquire phishing tools (e.g., phishing kits), exchange techniques, and trade compromised credentials. Analyzing D2Web forums therefore provides unique visibility into the supply chain of phishing attacks pre-deployment, enabling proactive understanding of emerging threats and attack methodologies. This study addresses this gap through a comprehensive analysis of 394,034 posts (343,334 unique) collected from 13 D2Web forums spanning 2013 to 2025, from which 70,055 phishing-related posts are identified. We employ an LLM-based approach to efficiently extract key information, including phishing attack components (e.g., credentials, phishing pages, SMTP servers), targeted services (e.g., PayPal, Netflix), and component authors. This extracted data is mapped to a seven-stage attack scenario framework derived from empirical case studies. Our analysis reveals longitudinal trends in component availability, target service distribution, post type evolution, and the most active contributors annually, while characterizing pricing dynamics across different attack components. The results provide the first attacker-centric, macro-level longitudinal analysis of the phishing ecosystem, offering insights into how phishing infrastructure and markets have evolved over more than a decade. These findings contribute to a deeper understanding of the phishing supply chain and inform more effective detection and prevention strategies.