The threat landscape in 2025 was characterized by a surge in compromised credentials, extortion and vulnerability exploitation, according to a new report from KELA.
The threat intelligence firm tracked nearly 2.9 billion compromised credentials last year globally, it said in its latest report, The State of Cybercrime 2026: Emerging Threats & Predictions.
These included usernames, passwords, session tokens, cookies found in URL, login and password (ULP) lists, breached email repositories and cybercrime marketplaces. At least 347 million were originally obtained by infostealers found on around 3.9 million infected machines.
The numbers were boosted by a massive increase in macOS infostealer infections which surged from under 1000 in 2024 to over 70,000 in 2025.
Read more on infostealers: New ‘Storm’ Infostealer Remotely Decrypts Stolen Credentials
Although the credentials themselves may or may not have been valid, the figures reflect “the sheer scale and persistence of the threat,” according to KELA.
Elsewhere, KELA found:
- A 45% annual increase in ransomware victims to 7549 – although it’s not clear how many of these paid their extorter. Attacks were claimed by 147 active groups, including 80 new entities
- 238 vulnerabilities added to CISA’s KEV Catalog in 2025, up 29% from 185 in 2024. Markets now favor “fully weaponized mass-exploitation scripts and exclusive exploits over basic PoC code,” the report noted
- 250 new hacktivist groups and a 400% increase in DDoS to 3500 attacks in 2025, as geopolitical tensions increased
- The weaponization of the software supply chain, through OAuth compromise and open source worms in developer ecosystems
AI Dominates the Kill Chain
KELA also noted the growing use of AI to power various stages of attacks.
“Cybercriminals and APT groups have moved from using AI merely as a supportive tool in attacks to making it an essential component in the complexity, enhancement, and escalation of those attacks,” it warned.
Specifically, attacks have moved on from basic jailbreaking of LLMs to vibe hacking for autonomous execution of entire workflows, the report claimed. AI-assisted malware and prompt injection attacks designed to hijack agents are also increasingly common, KELA said.
“We’re seeing a fundamental pivot in adversary behavior with the shift from AI-assisted tools to fully autonomous, agentic malicious workflows, where over 80% of operations require minimal human oversight,” said David Carmiel, CEO of KELA.
“Attackers no longer need to break in through a backdoor, they can quickly find the key and walk through the front using stolen credentials. Organizations relying on stale intelligence and legacy defenses instead of AI-powered solutions are leaving the door wide open to attacks.”
