KELA’s State of Cybercrime 2026 Report Reveals 2.86 Billion Stolen Credentials and the Rise of Autonomous AI Attacks

Cybercrime is no longer just scaling; it is evolving at a structural level. According to The State of Cybercrime 2026: Emerging Threats & Predictions by KELA, attackers are shifting from traditional intrusion methods toward identity abuse, AI-driven automation, and large-scale exploitation of trust-based systems.

The report paints a stark picture of 2025 as a turning point. Cybercriminals are no longer breaking into networks; they are logging in, often using stolen credentials, AI agents, and trusted third-party systems to bypass defenses entirely.

A Record-Breaking Year for Cybercrime

The scale of cybercrime in 2025 reached unprecedented levels. KELA tracked 2.86 billion compromised credentials across the global ecosystem, spanning infostealer malware, breach databases, and underground marketplaces.

These credentials have become the primary entry point for attackers. Instead of exploiting vulnerabilities, threat actors increasingly rely on legitimate access, which, in the report's assessment, renders perimeter-based security models obsolete.

At the same time, ransomware surged dramatically. The report identified 7,549 ransomware victims in 2025, representing a 45% increase year-over-year, with more than 53% of victims located in the United States.

This growth is fueled by a maturing cybercrime economy. There were 147 active ransomware groups, including roughly 80 new entrants, highlighting how low the barrier to entry has become.

The Infostealer Epidemic Driving Everything

At the core of this surge is the rise of infostealer malware, now considered the backbone of modern cybercrime.

KELA observed approximately 3.9 million infected machines globally in 2025, generating 347.5 million credentials directly from malware infections alone.

The broader ecosystem amplifies this dramatically, with billions of credentials circulating across cybercrime markets. These are then resold to ransomware groups, initial access brokers, and nation-state actors.

The data reveals a critical shift in targeting. Over 75% of compromised credentials are tied to high-value services such as business cloud platforms (19.6%), CMS systems (18.7%), email services (15.3%), and authentication systems (12.9%).

This concentration highlights a clear strategy: attackers are prioritizing platforms that enable lateral movement and full organizational compromise.

macOS No Longer Safe: A 7,000% Spike

One of the most striking findings is the collapse of long-held assumptions around platform security.

macOS infections surged from fewer than 1,000 cases in 2024 to more than 70,000 in 2025, representing a 7,000% increase.

This explosion is driven by the commercialization of malware-as-a-service, particularly tools like Atomic Stealer, which make it easy for even low-skilled attackers to target Apple devices at scale.

The implication is clear: no platform is inherently safe anymore. Attackers follow value, and Apple ecosystems are now firmly in their crosshairs.

AI Becomes the New Attack Surface

The most significant shift outlined in the report is the deep integration of AI into the cyberattack lifecycle.

KELA identifies a transition from AI-assisted attacks to fully autonomous, agent-driven operations, where 80% to 90% of tasks can be executed with minimal human involvement.

A key concept emerging from this shift is “vibe hacking.” Rather than breaking AI systems, attackers manipulate them by framing malicious actions as legitimate tasks. This allows AI agents to unknowingly execute harmful operations without triggering safeguards.

The report also highlights real-world cases where AI systems were compromised through prompt injection and indirect manipulation. In one instance, autonomous AI agents conducted reconnaissance, developed exploit code, and executed attacks across multiple targets with limited human oversight.

This marks a fundamental change. AI is no longer just a tool for attackers; it is both a weapon and a target.

Ransomware Evolves Into Industrial-Scale Extortion

Ransomware is no longer a single tactic but a full-scale business model.

Most attacks now rely on double extortion, combining data theft with encryption. However, extortion-only attacks are also rising, where attackers skip encryption entirely and focus on stealing and monetizing sensitive data.

The ecosystem is highly competitive. The top group, Qilin, claimed over 1,100 victims, followed by Akira with 761 victims and Clop with 523 victims.

These groups increasingly rely on stolen credentials rather than technical exploits, often purchasing access from underground brokers to accelerate attacks.

The economic impact is staggering. A single breach at Jaguar Land Rover resulted in $2.5 billion in economic damage, including production shutdowns and supply chain disruption affecting thousands of businesses.

Hacktivism and Geopolitics Intensify Cyber Threats

Cybercrime is increasingly intertwined with global conflict.

Hacktivist activity surged 400% year-over-year, with over 3,500 DDoS attacks claimed and more than 250 new groups emerging in 2025.

These groups are no longer limited to website defacements. They are targeting critical infrastructure, operational technology, and industrial systems, creating real-world consequences.

At the same time, nation-state actors are using cyber operations as a core tool of geopolitical strategy. Campaigns tied to Russia-Ukraine, Israel-Iran, US-China tensions, and North Korea demonstrate how cyberwarfare now spans espionage, disruption, and financial operations.

Supply Chain Attacks and the Collapse of Trust

Another defining trend is the rise of supply chain attacks.

Rather than targeting individual organizations, attackers compromise vendors, SaaS platforms, and shared infrastructure to gain access to thousands of downstream victims.

In one case, a SaaS-to-SaaS attack allowed attackers to pivot into Salesforce environments across multiple companies using stolen OAuth tokens, bypassing traditional security controls entirely.

This reflects a broader shift. The “trust by default” model is becoming a liability, as attackers exploit the relationships between systems rather than the systems themselves.

Zero-Day Exploitation and the End of the Patching Window

The report also highlights the industrialization of vulnerability exploitation.

In 2025, 238 vulnerabilities were added to CISA’s Known Exploited Vulnerabilities catalog, up from 185 the previous year.

Attackers are now monetizing exploits faster than ever, often within days or even hours of disclosure. Underground markets increasingly sell fully weaponized exploit kits rather than simple proof-of-concept code, lowering the barrier for mass exploitation.

A New Cybersecurity Reality

The findings in KELA’s State of Cybercrime 2026: Emerging Threats & Predictions report make one thing clear: cybersecurity is entering a new era.

Identity is now the primary attack surface. AI is both a tool and a vulnerability. Trust relationships between systems are being weaponized. And the speed of attacks is accelerating beyond the limits of traditional defense models.

Organizations that continue to rely on legacy security approaches are increasingly exposed. The shift toward identity-first security, zero-trust architectures, and AI-aware defenses is no longer optional.

For a deeper breakdown of threat actors, attack methodologies, and strategic recommendations, the full report, The State of Cybercrime 2026: Emerging Threats & Predictions by KELA, provides a comprehensive view of how the cybercrime landscape is evolving and where it is heading next.

Antoine is a visionary leader and founding partner of Unite.AI, driven by an unwavering passion for shaping and promoting the future of AI and robotics. A serial entrepreneur, he believes that AI will be as disruptive to society as electricity, and is often caught raving about the potential of disruptive technologies and AGI.

As a futurist, he is dedicated to exploring how these innovations will shape our world. In addition, he is the founder of Securities.io, a platform focused on investing in cutting-edge technologies that are redefining the future and reshaping entire sectors.