The Threat Hunter team monitors more than 20,000 open-source intelligence (OSINT) channels associated with fraud and cybercrime communities, as well as over 500,000 tools used in malicious operations. Our system automatically identifies and tracks channels frequently used by fraud networks and aggregates intelligence from these sources. Over time, this has enabled us to build a large-scale database of high-risk phone numbers and related activity patterns, providing enterprises with broad coverage and high-precision phone number risk profiling.

Ⅰ. High-Risk Phone Number Overview-January

In January 2026, Threat Hunter captured over 5.59 million active high-risk phone numbers from fraud tools, phone-number trading marketplaces, and other cybercrime services. Among these, more than 2.89 million phone numbers were newly observed for the first time, accounting for 51.70% of the total.

This month, high-risk phone numbers detected were primarily used in the software services, social media, e-commerce, and retail sectors.

Geographically, the majority of these numbers were distributed in Mainland China and the United States.

Ⅱ. Trends in High-Risk Phone Numbers-January

Trend 1: Industry Concentration Increases as Software Services Surges to Top Rank

Threat Hunter's analysis of high-risk phone number usage across industries in January shows a clear concentration in a few sectors. The software services industry now leads all sectors, accounting for 28% of observed malicious usage. This is followed by the social media industry at 25%, and the e-commerce and retail together accounted for 17%, ranking third.

A notable change this month is the dramatic shift in distribution: the software services sector experienced substantial growth, overtaking other industries to become the primary target for fraud networks.

Within the software services sector, email services have become a focal point, as they are frequently exploited for the bulk registration of various malicious accounts. When registration attempts trigger platform risk contro, fraudsters often rely on high-risk phone numbers to receive verification codes, allowing them to bypass security checks and continue creating accounts for subsequent fraudulent activity.

Threat Hunter will maintain a close watch on the evolving usage patterns of high-risk phone numbers and the potential risks associated with these activities.

The software services sector refers to technology-driven businesses that provide non-physical products and services—such as software R&D, information retrieval, technical support, digital tools, and specialized technical solutions—to enterprises or individuals. These businesses do not directly manufacture hardware or sell physical goods; instead, their core value lies in technology output and digital empowerment (e.g., email services, browser-based search engines).

Fraud Marketplace Advertisement for Email Accounts

Trend 2: Holiday Season Leads to a Decline in New Hijacked OTP Phone Numbers in Mainland China

Threat Hunter monitoring data reveals a significant contraction in the volume of newly identified hijacked OTP phone numbers within Mainland China this month. This trend is a direct result of the Chinese New Year holiday cycle. As the holiday approached, many fraud groups temporarily shut down their servers and suspended operations, with plans to resume after the holiday.

However, when looking at the overall dataset, hijacked OTP phone numbers remain the most frequently utilized category among fraud networks.

Trend 3: Declining Use of U.S. Landline Numbers May Indicate a Shift in Attacker Strategy

Threat Hunter analyzed newly identified traditional OTP phone number types in the U.S. over the past eight months. It shows that since January 2026, the volume of new landline additions has continued to recede, reaching its lowest level in eight months.

Overall, while landline numbers remain the predominant type of high-risk phone number used by fraudsters, the volume of new additions has shown a significant contraction for two consecutive months. Meanwhile, new additions of wireless numbers have remained within a relatively stable range.

This trend may suggest a potential shift in the types of phone numbers preferred by malicious actors. Threat Hunterwill continue monitoring the evolution of this pattern.

Ⅲ. Risks of High-Risk Phone Number Abuse and Prevention Recommendations

If enterprises fail to prevent fraud networks from registering accounts using high-risk phone numbers, several risks may emerge.

These accounts can then be used to launch marketing fraud attacks, generate invalid data, and disrupt normal business operations, resulting in the direct loss of marketing budgets.

At the platform level, a surge in fake accounts can degrade ecosystem quality, reducing content trust and ultimately driving legitimate users away.

In addition, fake accounts registered by fraudsters are often used for fraud and phishing attacks, posing a serious threat to users' property and privacy security. Enterprises may also face fines, lawsuits, or regulatory rectification requirements for violating data protection and anti-fraud regulations.

As fraud networks continuously evolve their tools, infrastructure, and attack resources, malicious activity has become increasingly difficult to detect, significantly raising the complexity of risk monitoring and prevention.

To address the growing abuse of high-risk phone numbers, Threat Hunter provides a "Identity Intelligence-Mobile" service to help enterprises identify and preblock malicious numbers, enabling a shift from "passive response" to "proactive prevention" against fraud network attacks.

Explore your organization’s risk profile with a complimentary assessment snapshot.

For media inquiries, please contact marketing@threathunter.com.