The Threat Hunter team monitors more than 20,000 open-source intelligence (OSINT) channels associated with fraud and cybercrime communities, as well as over 500,000 tools used in malicious operations. Our system automatically identifies and tracks channels frequently used by fraud networks and aggregates intelligence from these sources. Over time, this has enabled us to build a large-scale database of high-risk phone numbers and related activity patterns, providing enterprises with broad coverage and high-precision phone number risk profiling.

Ⅰ. High-Risk Phone Number Overview — February

In February 2026, Threat Hunter captured over 3.67 million active high-risk mobile numbers from fraud tools, phone-number trading marketplaces, and other cybercrime services. Among these, more than 1.99 million phone numbers were newly observed for the first time, accounting for 54.18% of the total.

This month, high-risk mobile numbers detected were primarily used in the social media, software services, e-commerce, and retail sectors.

Geographically, the majority of these numbers were distributed in Mainland China, the United States, and Saudi Arabia.

Ⅱ. Trends in High-Risk Phone Numbers — February

Trend 1: Social platforms become the primary target as software services decline

Threat Hunter's analysis of high-risk phone number usage across industries in February shows a clear concentration in a few sectors. Social media accounted for 32.65% of detected malicious phone number activity, ranking first, followed by software services at 14.29% and e-commerce and retail together at 12.24%.

A highlight this month is that the distribution of high-risk phone number usage shifted noticeably. The social media industry experienced a significant increase, overtaking other industries to become the most active target for fraud networks. While the share of the software services sector declined, it remains one of the most frequently targeted industries.

Various social apps in the social media industry have become key tools exploited by fraud networks, as they can be used for batch registration and account warm-up, traffic diversion for scams, and guiding illegal activities with massive mobile numbers. Fraudsters carry out various illegal activities through these social accounts.

Fraudsters' networks sell various types of social media accounts.

Trend 2: New supply sources drive a rebound in U.S. landline numbers

Since February 2026, the number of newly observed U.S. landline SIM cards has shifted from a decline to growth, showing a rebound trend.

Through ongoing monitoring of fraudsters communication groups and tracking newly emerging SMS-receiving channels, Threat Hunter identified new supply sources for U.S. landline numbers.

These channels provide a large number of numbers scheduled for recycling by carriers, typically with a validity period of less than 30 days, offering fraudsters’ networks more malicious number resources for conducting illegal activities. Threat Hunter will continue to track the evolution of this trend.

Characteristics of numbers with a validity period of less than 30 days:

1. Capable of receiving SMS = can pass verification codes = supports bulk registration / account unblocking

2. Extremely short lifecycle makes them ideal for disposable use

3. Extremely low cost, widely available, and easy to obtain in batches

For fraud networks, the shorter the remaining lifespan of a number, the lower its cost, making these numbers well suited for one-time abuse scenarios such as temporary registrations or short-term fraud operations.

Enterprises are advised to monitor whether their platforms are receiving large volumes of phone numbers with unusually short validity periods. Risk detection strategies should incorporate additional signals such as IP intelligence, user behavior patterns and device fingerprinting. If such numbers appear in bulk, organizations should consider blocking them proactively.

In Threat Hunter's risk classification system, these short-lifecycle disposable numbers are labeled as Risk9, and corresponding alerts are provided to enterprise clients for risk awareness.

Ⅲ. Product Capability Improvements — February

Threat Hunter's profiling operation team has continuously expanded its global coverage, further strengthening coverage in regions including Saudi Arabia, Colombia, South Africa, and France. As of February 2026, the coverage scale of risk mobile numbers has increased significantly compared with 2025.

Compared with other regions, the number of traditional SMS verification mobile numbers in Saudi Arabia has continued to rise sharply. Based on recent analysis of fraud network behavior trends, Saudi Arabia is one of the important source regions for risk materials.

Threat Hunter will continue to track and monitor abnormal dynamics and material circulation in this region, and dynamically assess its potential impact on relevant industries.

Ⅳ. Risks of High-Risk Phone Number Abuse and Prevention Recommendations

If enterprises fail to prevent fraud networks from registering accounts using high-risk phone numbers, several risks may emerge.

These accounts can then be used to launch marketing fraud attacks, generate invalid data, and disrupt normal business operations, resulting in the direct loss of marketing budgets.

At the platform level, a surge in fake accounts can degrade ecosystem quality, reducing content trust and ultimately driving legitimate users away.

In addition, fake accounts registered by fraudsters are often used for fraud and phishing attacks, posing a serious threat to users' property and privacy security. Enterprises may also face fines, lawsuits, or regulatory rectification requirements for violating data protection and anti-fraud regulations.

As fraud networks continuously evolve their tools, infrastructure, and attack resources, malicious activity has become increasingly difficult to detect, significantly raising the complexity of risk monitoring and prevention.

To address the growing abuse of high-risk phone numbers, Threat Hunter provides a "Identity Intelligence-Mobile" service to help enterprises identify and preblock malicious numbers, enabling a shift from "passive response" to "proactive prevention" against fraud network attacks.

Explore your organization’s risk profile with a complimentary assessment snapshot.

For media inquiries, please contact marketing@threathunter.com.