In its latest report, “The State of Cybercrime 2026: Emerging Threats & Predictions,” KELA, a prominent threat intelligence firm, highlights the evolving landscape of cyber threats as we approach 2025. This year is marked by an alarming spike in compromised credentials, extortion activities, and the exploitation of vulnerabilities. The findings from KELA indicate a significant shift in the methodologies employed by cybercriminals, transforming the tactics used in cyberattacks.
The report reveals that nearly 2.9 billion credentials were compromised globally over the past year. This staggering figure encompasses a wide range of data types, including usernames, passwords, session tokens, cookies found in URLs, and login/password lists. It further includes breached email repositories and information traded on various cybercrime marketplaces. Notably, of these compromised credentials, at least 347 million were originally acquired through infostealers operating from approximately 3.9 million infected machines. This increase underscores a growing threat posed by malware specifically designed to steal user information.
A striking factor contributing to the increased number of compromised credentials is the remarkable rise in macOS infostealer infections. These infections soared from fewer than 1,000 incidents in 2024 to over 70,000 in 2025, highlighting the vulnerability of even systems once considered secure. The KELA report emphasizes that while the validity of these credentials remains uncertain, the sheer scale of such breaches points to the persistent and evolving nature of cyber threats.
Beyond credential compromise, KELA’s analysis reveals a 45% annual increase in ransomware victims, bringing the total to 7,549. Although the report does not clarify how many of these victims paid their extorters, it notes that 147 active ransomware groups were involved in attacks, including 80 new entities that emerged in the last year. This uptick in ransomware incidents signifies a growing trend in the use of extortion as a primary means of cyber-attack.
The report also indicates a substantial increase in vulnerabilities, with 238 new entries added to CISA’s KEV Catalog in 2025, marking a 29% rise from the previous year’s 185. This uptick implies a critical shift in market dynamics, with cybercriminals increasingly favoring fully weaponized mass-exploitation scripts and exclusive exploits over basic proof-of-concept (PoC) code. The ability to leverage these vulnerabilities effectively expands the attack surface for cybercriminals.
Moreover, geopolitical tensions have catalyzed the formation of new hacktivist groups—250 new entities in total—and spurred a remarkable 400% increase in distributed denial-of-service (DDoS) attacks, which soared to 3,500 incidents in 2025. This indicates that political climates significantly influence the landscape of cybercrime, with hacktivism becoming a more common form of protest and expression against perceived injustices.
The report highlights another critical trend—the weaponization of the software supply chain through tactics like OAuth compromise and the introduction of open-source worms within developer ecosystems. This trend represents a new frontier in the complexity of cyber threats where traditional defense mechanisms often struggle to keep pace.
A particularly alarming observation made by KELA is the increasing dominance of artificial intelligence (AI) in cybercrime. The report notes a significant shift in adversary behavior, moving from using AI merely as a supportive tool to making it an integral asset in the execution of attacks. Cybercriminals have progressed from simple jailbreaking of large language models (LLMs) to utilizing AI for the autonomous execution of entire workflows. This evolution indicates a dangerous increase in the sophistication of cyberattacks, where the line between human execution and automated processes has blurred significantly.
David Carmiel, CEO of KELA, articulates this shift succinctly: the tools of cybercriminals have evolved from requiring direct human intervention to functioning with minimal oversight, where over 80% of operations can be executed with little to no human involvement. This dramatic change suggests that attackers can now forgo traditional intrusion routes, such as backdoor entries, opting instead to infiltrate systems directly using stolen credentials.
As organizations grapple with this evolving threat landscape, KELA warns that reliance on outdated intelligence and legacy security measures renders them vulnerable. Emphasizing the need for AI-powered security solutions, KELA suggests that organizations must adapt to these new realities to mitigate risks and safeguard against a future increasingly dominated by sophisticated cyber threats.
In summary, KELA’s report paints a sobering picture of the cyber threat landscape in 2025, characterized by a dizzying array of challenges. Cybercriminals are aggressively adapting their tactics, utilizing advanced technologies and exploiting vulnerabilities in unprecedented ways, making it crucial for organizations to remain vigilant and proactive in their cybersecurity strategies.

