ABSTRACT
This report summarizes the paper's main arguments: cybercrime is evolving rapidly, driven by unprecedented financial costs and accelerating attack sophistication. It introduces the key emerging trends, namely the proliferation of AI-powered attacks, the escalation of identity-based and malware-free intrusions, deepening supply chain vulnerabilities, the persistent threat of ransomware and data extortion, and the increasing targeting of cloud environments and edge devices. It concludes that adaptive, proactive, and intelligence-driven defense strategies are required to counter these threats. The report therefore does more than describe threats; it argues that defense against them has become a strategic imperative for modern organizations.
1. INTRODUCTION: Overview of the Escalating Cyber Threat Landscape
The global financial impact of cybercrime is projected to reach $10.5 trillion annually by 2025, and separate forecasts put the figure at $23 trillion by 2027, roughly 175% above the 2022 estimate. These projections come from different forecasters with different baselines and should not be read as a single series, but they agree on the direction: the financial risk that cyber threats pose to global economies is large and growing quickly. At this magnitude cybercrime is no longer a technical nuisance; it is a systemic economic and national security challenge capable of destabilizing industries and national infrastructure.
The frequency of attacks is also rising. One commonly cited estimate puts the rate at one attack every 39 seconds, and global cyberattacks rose 30% in Q2 2024 compared with Q2 2023, the largest year-over-year increase in two years. Some 72% of organizations reported a rise in cyber risk, and attacks are becoming more targeted and harder to defend against. This points to a growing resilience gap: 70% of security professionals believe the gap is widening, leaving critical sectors and smaller organizations particularly exposed. That defense is getting harder despite sustained security investment reflects a fundamental asymmetry in the cyber arms race, and it calls for a re-evaluation of traditional security paradigms in favor of a proactive rather than reactive approach.
2. PURPOSE AND SCOPE
This paper provides an analysis of the key emerging trends in cybercrime observed from 2023 to 2025. It offers a data-driven perspective on their characteristics, their impact across sectors, and the underlying shifts in adversary tactics, and it discusses the strategic defensive measures needed to counter them. Statistics from vendor threat reports, government advisories, and academic studies are cited alongside each trend to give empirical weight to the argument and to set the context for the detailed analysis of individual trends that follows.
3. KEY EMERGING CYBERCRIME TRENDS (2023-2025)
3.1. The Proliferation of AI-Powered Attacks
Generative Artificial Intelligence (GenAI) has rapidly become a central component of the threat landscape. Threat actors use AI as an "intern or assistant" to build malicious websites, generate malicious code, and craft convincing phishing emails, which lets them execute more attacks in less time. The data point to a measurable impact on the efficiency, scale, and sophistication of attacks, and the practical effect is a sharp reduction in the cost of launching complex, widespread campaigns, effectively democratizing access to advanced cybercrime capabilities.
The effectiveness of AI-powered phishing is evident in statistics: AI-generated phishing emails tricked 54% of individuals, a stark contrast to only 12% for human-written ones. AI’s ability to produce technically perfect prose in virtually all major world languages removes traditional “red flags” like grammatical errors, making these attacks much harder to detect for the average user. The 54% success rate of AI-generated phishing is a direct, quantifiable measure of its enhanced effectiveness, signaling a new era of highly persuasive social engineering.
Vishing (voice phishing) attacks increased by 442% between the first and second half of 2024, as adversaries became more adept at manipulating users into divulging credentials or approving fraudulent Multi-Factor Authentication (MFA) requests. The surge coincides with the increased accessibility of deepfake technology, which can clone a voice from minimal audio input (e.g., an hour of YouTube footage and an $11 subscription), making phone-based scams exceptionally convincing. Such tactics have already enabled successful impersonations of CEOs to facilitate gift card or wire transfer fraud. The growth in vishing correlates strongly with the improved accessibility and realism of deepfakes, which suggests, though does not by itself prove, a causal link between the technology's availability and the spread of this attack vector.
AI is increasingly integrated into financial crime, phishing, Distributed Denial of Service (DDoS) attacks, and malware generation. DDoS attacks reportedly spiked by 550% in 2024, attributed in part to the use of AI and to escalating global tensions. A study by SAFE Security and MIT Sloan claims that adversarial AI is involved in over 80% of modern ransomware operations, handling steps from reconnaissance and exploitation to lateral movement and ransom negotiation with minimal human intervention, and that such systems can adapt tactics in real time, prioritize high-value targets, assess a victim's financial posture, and tailor ransom communications. That figure should be read with care: it comes from a single vendor-affiliated study whose methodology has been widely questioned, and "AI-powered" there covers any use of AI in any phase of an attack rather than fully autonomous operations. What is not in dispute is that accessible AI tooling lowers the technical barrier to entry, enabling individuals or low-level criminal outfits with limited hacking skills to produce convincing phishing campaigns or working malicious code with minimal effort. The direction of travel is toward a more autonomous and adaptive threat landscape, and defenders must match that pace.
A further emerging trend is that cybercriminals are not only using AI as a tool but are also exploiting AI systems themselves. Tactics include jailbreaking models to strip their guardrails, abusing commercial AI services, and building bespoke criminal Large Language Models (LLMs). With AI simultaneously a weapon, a target, and a defensive tool, the future of cybersecurity is intertwined with the security of AI systems themselves.
3.2. The Escalation of Identity-Based and Malware-Free Intrusions
Identity-based attacks are now among the most effective initial entry methods: "hands-on keyboard", human-driven intrusions rose sharply in 2024, and most hinge on identity compromise. The shift away from malware-centric techniques is measurable. In 2024, 30% of all intrusions began with valid account credentials, and stolen credentials became the second most common initial infection vector at 16% of Mandiant's investigations. Attackers purchase or phish credentials and use them to blend into normal network traffic, evading detection and relying on "living-off-the-land" (LOTL) techniques that reuse legitimate administrative tools already present on the host. The decline in malware-centric attacks and the corresponding rise of stolen credentials and LOTL tactics is widely attributed to the improved effectiveness of Endpoint Detection and Response (EDR) solutions: attackers adapt by taking the path of least resistance.
The dark web hosts millions of valid enterprise credentials, contributing to the rise of “doppelgänger users”—attackers who assume legitimate digital identities. This trend is expected to intensify. The thriving “access-as-a-service” market further facilitates this, offering turnkey phishing kits capable of intercepting MFA codes. The emergence of the “access-as-a-service” market is a critical enabler, allowing less sophisticated actors to leverage the initial compromise efforts of specialized groups. This commoditization of initial access has a profound implication: organizations, even those with robust technical defenses against traditional malware, remain highly vulnerable to human-centric attacks.
Poorly configured MFA implementations, particularly those relying on SMS codes or push notifications, are frequently defeated through help desk fraud, where cybercriminals impersonate legitimate employees to request password or MFA resets. Vishing is also used to manipulate users into approving fraudulent MFA requests. Adversary-in-the-Middle (AiTM) phishing platforms act as transparent proxies between the victim and the real login page, capturing credentials and the resulting session cookies during authentication and thereby bypassing MFA entirely. Phishing-resistant MFA (FIDO2/WebAuthn security keys or passkeys) is the standard countermeasure, because the authenticator's signature is bound to the site origin and cannot be replayed by a proxy sitting on a look-alike domain; SMS codes and push approvals have no such binding.
A surge in phishing emails delivering infostealer malware is actively fueling credential theft. Weekly infostealer distributions via phishing rose 84% year on year from 2023 to 2024, and early 2025 data show a further 180% uptick. Infostealers are favored for their stealth: they siphon passwords, session tokens, and other sensitive credentials directly from victims' browsers and applications, often before EDR can react. Lumma Stealer, for instance, specifically targets cryptocurrency wallets, browser session cookies, and two-factor authentication (2FA) browser extensions. A striking 79% of detections in 2024 were malware-free, up from 40% in 2019, reflecting a clear preference for stolen credentials and operating-system-native commands over custom malware to bypass endpoint defenses; in 2023 the malware-free share (phishing, social engineering, and abuse of trusted relationships) was already 75%. This requires a shift in security focus, prioritizing identity hygiene, user behavior analytics, and robust access management at least as much as traditional endpoint protection.
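The two patterns above (a session cookie captured by an AiTM proxy or an infostealer and then replayed, and a user worn down by repeated MFA push prompts) both leave a signature in ordinary sign-in logs. The following is an added example, not code from the cited reports or any vendor's product: it runs two detections over a handful of constructed sign-in events whose schema (timestamp, user, event type, session ID, IP, user agent, result) is assumed for the illustration.

```python
"""Two identity-layer detections over constructed sign-in events.

Added example (not from the cited reports). The event schema is an assumption
for this illustration, not any vendor's log format.

1. Session token replay: a session ID issued to one client (IP + user agent)
   is later presented from a different client. An AiTM proxy that captures
   the cookie, or an infostealer that lifts it from the browser, produces
   exactly this pattern.
2. MFA push fatigue: a burst of push prompts to one user in a short window,
   several denied or timed out, ending in an approval.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, not real data.
EVENTS = [
    {"ts": "2025-03-01T09:00:00", "user": "alice", "event": "login",
     "session": "S1", "ip": "203.0.113.10", "ua": "Chrome/123 Windows", "result": "success"},
    {"ts": "2025-03-01T09:05:00", "user": "alice", "event": "request",
     "session": "S1", "ip": "203.0.113.10", "ua": "Chrome/123 Windows", "result": "success"},
    # Same session ID, different IP and user agent: the token is being replayed.
    {"ts": "2025-03-01T09:12:00", "user": "alice", "event": "request",
     "session": "S1", "ip": "198.51.100.77", "ua": "python-requests/2.31", "result": "success"},
    {"ts": "2025-03-01T10:00:00", "user": "carol", "event": "login",
     "session": "S2", "ip": "203.0.113.44", "ua": "Safari/17 macOS", "result": "success"},
    {"ts": "2025-03-01T10:00:05", "user": "carol", "event": "mfa_push",
     "session": "", "ip": "203.0.113.44", "ua": "Safari/17 macOS", "result": "approved"},
    # Push fatigue against bob: five prompts in four minutes, the last one approved.
    {"ts": "2025-03-01T22:00:00", "user": "bob", "event": "mfa_push",
     "session": "", "ip": "198.51.100.5", "ua": "Firefox/120 Linux", "result": "denied"},
    {"ts": "2025-03-01T22:01:00", "user": "bob", "event": "mfa_push",
     "session": "", "ip": "198.51.100.5", "ua": "Firefox/120 Linux", "result": "denied"},
    {"ts": "2025-03-01T22:02:00", "user": "bob", "event": "mfa_push",
     "session": "", "ip": "198.51.100.5", "ua": "Firefox/120 Linux", "result": "timeout"},
    {"ts": "2025-03-01T22:03:00", "user": "bob", "event": "mfa_push",
     "session": "", "ip": "198.51.100.5", "ua": "Firefox/120 Linux", "result": "denied"},
    {"ts": "2025-03-01T22:04:00", "user": "bob", "event": "mfa_push",
     "session": "", "ip": "198.51.100.5", "ua": "Firefox/120 Linux", "result": "approved"},
]


def parse_ts(value):
    return datetime.fromisoformat(value)


def detect_session_replay(events):
    """Flag every use of a session ID from a client other than the one it was issued to."""
    issued_to = {}
    findings = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        sid = e["session"]
        if not sid:
            continue
        client = (e["ip"], e["ua"])
        if sid not in issued_to:
            issued_to[sid] = client          # first sighting defines the legitimate client
        elif issued_to[sid] != client:
            findings.append({"user": e["user"], "session": sid, "ts": e["ts"],
                             "issued_to": issued_to[sid], "presented_from": client})
    return findings


def detect_push_fatigue(events, window=timedelta(minutes=10), min_prompts=4):
    """Flag an approval preceded by at least min_prompts pushes (at least one of them
    not approved) inside the window. One finding per user."""
    pushes_by_user = defaultdict(list)
    for e in events:
        if e["event"] == "mfa_push":
            pushes_by_user[e["user"]].append(e)
    findings = []
    for user, pushes in pushes_by_user.items():
        pushes.sort(key=lambda ev: ev["ts"])
        for i, p in enumerate(pushes):
            if p["result"] != "approved":
                continue
            start = parse_ts(p["ts"]) - window
            burst = [q for q in pushes[:i + 1] if parse_ts(q["ts"]) >= start]
            rejected = sum(1 for q in burst if q["result"] != "approved")
            if len(burst) >= min_prompts and rejected >= 1:
                findings.append({"user": user, "prompts": len(burst),
                                 "rejected_before_approval": rejected, "approved_at": p["ts"]})
                break
    return findings


if __name__ == "__main__":
    for finding in detect_session_replay(EVENTS) + detect_push_fatigue(EVENTS):
        print(finding)
```

The replay check is deliberately simple (first sighting of a session ID defines its legitimate client); in production the binding would come from the identity provider's token issuance event, and a change of IP alone produces false positives for mobile users, so the user-agent component or a device identifier matters. The push-fatigue threshold (four prompts in ten minutes) is an assumed tuning value.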
3.3. Deepening Supply Chain Vulnerabilities
A significant 82% of organizations rely on third-party vendors, with each connection inherently expanding the potential attack surface for cybercriminals. Targeted intrusion actors consistently exploit these trusted relationships to gain initial access, driven by the high return on investment (ROI) where a single compromised organization can lead to hundreds or even thousands of subsequent targets. This exploitation encompasses compromising the software supply chain by injecting malicious tooling into trusted software and leveraging access granted to IT service providers. The pervasive reliance on third-party vendors creates an inherent “trust paradox” in cybersecurity: while necessary for business operations, these relationships introduce significant, often unmanaged, risk. The high ROI for attackers means that supply chain attacks are not merely opportunistic but represent a strategically valuable and efficient method for broad compromise.
Examples include China-nexus adversaries consistently exploiting trusted relationships through supply chain compromises, and North Korean adversaries distributing malware through a trojanized installer for CyberLink media software. Exploitation of trusted relationships is a structural weakness of interconnected business environments: compromising a single vendor yields potential access to all of its clients, which makes the vector efficient and appealing, and this is a direct consequence of globalized, interconnected business ecosystems.
Compromised network edge devices such as firewalls, Virtual Private Network (VPN) appliances, and other remote access devices accounted for a quarter of initial compromises in confirmed cases, and their true share is likely higher. The weaknesses typically stem from misconfigurations, weak credential policies, or outdated and vulnerable software and firmware, a phenomenon referred to as "digital detritus". Edge gateway devices were identified as the most common initial access point for attackers infiltrating networks undetected in 2023. Vulnerabilities in specific device families, such as the Hikvision camera command-injection flaw CVE-2021-36260, continue to show high detection rates years after disclosure, and the growing use of automated machinery and IoT devices in sectors like agriculture and construction expands the attack surface further. Because such devices also sit on employees' home networks, education about securing personal and home devices that may connect to enterprise resources is part of the defense.
The prevalence of compromised edge devices and IoT/OT vulnerabilities shows that the traditional network perimeter is dissolving. Every connected device, including those on home networks, is a potential entry point for enterprise compromise, so organizations must extend their security perimeter and governance to their entire digital ecosystem, including third-party partners and remote worker environments, which requires a collaborative and holistic security approach.
3.4. The Persistent Threat of Ransomware and Data Extortion
Ransomware remains a primary threat: over 72% of organizations reported being affected by it in 2023. The number of victims named on Big Game Hunting (BGH) dedicated leak sites (DLSs) rose 76% from 2022 to 2023, indicating a growing emphasis on data exfiltration as the primary extortion lever. Data-theft extortion is increasingly seen as an attractive and often easier monetization route. The persistence of ransomware despite sustained law enforcement pressure, and its evolution toward data extortion, indicate a highly adaptable, resilient, and financially driven criminal enterprise.
Ransomware-as-a-Service (RaaS) models are proliferating, with 67 active RaaS groups identified in H1 2022. RaaS continues to democratize attack capabilities, making sophisticated ransomware operations accessible to a broader range of cybercriminals. A critical finding is that 60% of ransomware victims experienced a data breach, and 85% were threatened with publication or resale of their data. This underscores that traditional backups alone are insufficient for mitigation, as the threat extends beyond data encryption to data exposure and reputational damage. The “democratization” enabled by RaaS means that even less sophisticated actors can launch devastating attacks, increasing the overall volume and diversity of threats. Crucially, the fact that backups alone are insufficient due to the threat of data theft fundamentally alters the recovery strategy from a purely technical restoration challenge to a more complex issue involving data governance, reputational management, and potential regulatory fines.
Akira ransomware-as-a-service emerged as a leading threat in 2024, filling the void left by LockBit. It accounted for 17% of Sophos detections in August 2024, with its affiliates also deploying other variants like Fog and Megazord. RansomHub also became a significant leader, encrypting and exfiltrating data from at least 210 victims between February and August 2024. Initial access for ransomware attacks frequently involves exploiting vulnerabilities in VPNs (e.g., lack of MFA, misconfigured gateways), Remote Desktop Protocol (RDP), and the abuse of externally facing Microsoft SQL Servers. Unpatched vulnerabilities, even those publicly known for weeks or months, are rapidly weaponized and exploited by attackers. Ransomware’s continued prevalence despite its long history underscores its profitability and the adaptability of its operators. The shift towards data theft and double extortion is a direct countermeasure to organizations improving their backup and recovery strategies, demonstrating criminal innovation and a continuous cat-and-mouse game.
The average ransom payment reached $2.73 million in 2024, nearly $1 million higher than in 2023. While only 4% of FBI IC3 ransomware complaints in 2023 involved actual financial loss from the ransom payment itself, the majority of costs stem from other damages, such as recovery efforts, downtime, and reputational harm. Operationally, nearly half of ransomware victims required 1-6 days to recover, and three-quarters took up to two weeks. Such attacks can lead to significant business system and operational impacts for 52% of affected organizations.
3.5. Targeting of Cloud Environments and Edge Devices
Intrusions targeting cloud environments surged 75% year over year in 2023, with "cloud-conscious" cases (where adversaries knowingly exploit cloud-specific features) up 110%, and cloud intrusions grew a further 26% in 2024. The trend signals a strategic shift by attackers to follow data and operational processes into the cloud.
The primary method of gaining access to cloud systems is stolen usernames and passwords, responsible for 35% of all cloud-related incidents in H1 2024. Risky cloud application access remains a top detected event, likely exacerbated by ongoing cloud migrations and inadequate user education on cloud security practices. Adversaries specifically target cloud-based stores of centralized authority, such as single sign-on (SSO) portals, to obtain broad access across an organization's cloud estate. Because the primary vector is stolen credentials, this trend is an extension of the identity-based attack problem: cloud security is usually undermined by compromised user access rather than by weaknesses in the cloud platforms themselves, which points to a user- and identity-centric vulnerability in cloud adoption. As organizations migrate to the cloud, attackers follow the data and resources.
The volume of new software vulnerabilities is substantial, with over 6,000 added to the NIST database in H1 2024 alone. Some 26% of attacks against critical infrastructure (CI) in 2024 exploited known vulnerabilities in internet-accessible applications, often because CI organizations lag in deploying patches or continue to run outdated technology stacks. A critical finding is that 60% of the top 10 most-discussed Common Vulnerabilities and Exposures (CVEs) on dark web forums had weaponized exploits publicly available within two weeks of disclosure, giving attackers a substantial head start. Obsolete or unpatched network edge devices, including firewalls and VPNs, are easily identifiable beacons for cybercriminals and a major source of initial compromise. Rapid weaponization combined with slow patching creates a persistent "patch gap", a race that attackers are consistently winning. Closing it demands a more agile, automated, and risk-based approach to vulnerability and configuration management that prioritizes internet-facing and critical systems, ranking fixes by evidence of exploitation (public exploit code, inclusion in CISA's Known Exploited Vulnerabilities catalog) and by exposure rather than by CVSS score alone.
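To make the "patch gap" concrete, the following added example (not code from any cited report; the CVE identifiers are placeholders, the asset names are invented, and the SLA table is an assumed internal policy rather than a published standard) computes each open finding's exposure window since disclosure, ranks findings by exploitation evidence and exposure ahead of raw CVSS, and lists those already past their deadline.

```python
"""Risk-based patch prioritization over a constructed vulnerability inventory.

Added example, not from any cited report. CVE identifiers are placeholders,
the asset names are invented, and the SLA table is an assumed internal policy
rather than any published standard.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class Finding:
    asset: str
    cve: str
    cvss: float
    disclosed: date
    internet_facing: bool
    exploit_public: bool        # weaponized exploit publicly available
    in_kev: bool                # listed in CISA's Known Exploited Vulnerabilities catalog
    patched: Optional[date] = None


TODAY = date(2025, 3, 15)

# Constructed inventory, not real scan output.
FINDINGS = [
    Finding("edge-vpn-01", "CVE-EXAMPLE-0001", 9.8, date(2025, 3, 1), True, True, True),
    Finding("db-internal-02", "CVE-EXAMPLE-0002", 9.1, date(2024, 12, 1), False, False, False),
    Finding("web-portal-03", "CVE-EXAMPLE-0003", 7.5, date(2025, 3, 10), True, True, False),
    Finding("hr-laptop-04", "CVE-EXAMPLE-0004", 5.3, date(2025, 3, 12), False, False, False),
    Finding("edge-fw-05", "CVE-EXAMPLE-0005", 8.8, date(2025, 2, 1), True, False, False,
            patched=date(2025, 2, 5)),
]


def exposure_days(f, today=TODAY):
    """Days from public disclosure until the patch landed (or until today if still open).
    This is the patch gap the attacker gets to work with."""
    end = f.patched or today
    return (end - f.disclosed).days


def sla_days(f):
    """Assumed remediation deadline in days, driven by exploitation evidence and
    exposure rather than by CVSS alone."""
    if f.in_kev or (f.internet_facing and f.exploit_public):
        return 2
    if f.internet_facing or f.exploit_public:
        return 7
    if f.cvss >= 7.0:
        return 30
    return 90


def risk_score(f):
    """CVSS base score plus additive weights for the signals that predict real exploitation."""
    score = f.cvss
    if f.in_kev:
        score += 4.0
    if f.exploit_public:
        score += 3.0
    if f.internet_facing:
        score += 2.0
    return score


def prioritize(findings, today=TODAY):
    """Open findings ordered by risk score, then by how long they have already been exposed."""
    open_findings = [f for f in findings if f.patched is None]
    return sorted(open_findings, key=lambda f: (-risk_score(f), -exposure_days(f, today)))


def overdue(findings, today=TODAY):
    """Open findings whose exposure already exceeds their SLA."""
    return [f for f in findings if f.patched is None and exposure_days(f, today) > sla_days(f)]


if __name__ == "__main__":
    late = overdue(FINDINGS)
    for f in prioritize(FINDINGS):
        flag = "OVERDUE" if f in late else "within SLA"
        print(f"{f.asset:16} {f.cve:18} score={risk_score(f):5.1f} "
              f"exposed={exposure_days(f):3d}d sla={sla_days(f):2d}d {flag}")
```

The point of the ordering is that an internet-facing VPN appliance with a public exploit outranks an internal database with a higher CVSS score, and that a finding's age since disclosure, not since the scanner first saw it, is the number to report, because that is the window the adversary has had.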
4. STRATEGIC DEFENSIVE MEASURES AND FUTURE OUTLOOK
4.1. Leveraging AI for Enhanced Defense
Artificial intelligence is recognized as a critical tool for cybersecurity, with 45% of organizations already implementing AI/ML in their systems and an additional 35% planning to do so. The application of AI in defense can be broadly categorized into reactive and proactive approaches.
Reactive AI addresses threats after they have been detected, aiming to minimize impact, analyze the attack methodology, and adapt over time. It is the model behind traditional controls such as firewalls and antivirus software: when an attack occurs, reactive AI analyzes the event, mitigates its impact, and suggests recovery steps. Its limitations are inherent response lag, increased downtime, and resource-intensive recovery, because detection often occurs only after the breach has already succeeded.
Proactive AI, by contrast, uses predictive analytics, behavioral analysis, and real-time monitoring to identify potential threats and vulnerabilities in advance. Its strengths are threat prediction, real-time anomaly monitoring, and cost efficiency from breaches prevented. It can also automate tasks such as surfacing previously unknown vulnerabilities, though claims that this works without any human review should be treated with caution. The approach requires monitoring infrastructure and behavioral analysis tooling that can spot unusual network usage, data access requests, or login patterns. Because AI-driven attacks operate at machine speed, unusual volume or activity-rate spikes should raise immediate alarms, which means anomaly detection must start from a baseline of normal behavior.
The most robust cybersecurity strategy combines both proactive and reactive AI approaches, creating a comprehensive defense system. For instance, proactive AI can scan emails for malicious links and suspicious patterns for phishing detection, while reactive AI identifies new phishing tactics post-attack and updates filters. Similarly, for ransomware protection, proactive AI monitors unusual file access or encryption activities, and reactive AI isolates affected systems and restores data from backups. In network security, proactive AI maps potential vulnerabilities, and reactive AI neutralizes threats that bypass initial defenses.
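The baseline-and-spike idea in the two paragraphs above is easy to state and easy to get wrong: a burst that is allowed into its own baseline silences the next one, and a pure spike detector never sees a slow ramp. The following added example (not code from any cited report or product; the event-count series are constructed) shows a trailing-baseline z-score detector that keeps flagged values out of the baseline, alongside a frozen-reference drift check that catches the ramp the spike detector misses.

```python
"""Baseline-driven rate anomaly detection over constructed per-minute event counts.

Added example, not from any cited report or product. Two detectors:
- detect_rate_spikes: z-score against a trailing baseline of values that were
  themselves not flagged, so a burst does not poison its own baseline.
- detect_level_drift: median of the recent window against a frozen reference,
  which catches the slow ramp that a pure spike detector misses.
"""
import statistics


def spike_series():
    """Constructed: ~100 events/min for 35 minutes, a 3-minute burst, then normal again."""
    return [100, 102, 98, 101, 99] * 7 + [800, 900, 850] + [100, 101, 99, 102, 98]


def ramp_series():
    """Constructed: an actor raising its rate by 2 events/min every minute for an hour."""
    return [100 + 2 * i for i in range(60)]


def detect_rate_spikes(counts, window=20, z_threshold=4.0, min_std=1.0):
    """Return (index, count, z) for each minute whose count is z_threshold standard
    deviations above the mean of the last `window` non-anomalous minutes."""
    clean = []
    alerts = []
    for i, c in enumerate(counts):
        if len(clean) < window:
            clean.append(c)              # warm-up: build the initial baseline
            continue
        base = clean[-window:]
        mean = statistics.fmean(base)
        std = max(statistics.pstdev(base), min_std)   # floor avoids dividing by ~0 on flat baselines
        z = (c - mean) / std
        if z >= z_threshold:
            alerts.append((i, c, round(z, 1)))
        else:
            clean.append(c)              # only unflagged values feed the baseline
    return alerts


def detect_level_drift(counts, reference_len=20, window=20, z_threshold=4.0, min_std=1.0):
    """Return (index, level, z) where the median of the trailing window sits z_threshold
    reference standard deviations above the mean of the first `reference_len` minutes.
    Using the median makes a short burst invisible here; only a sustained shift triggers."""
    ref = counts[:reference_len]
    ref_mean = statistics.fmean(ref)
    ref_std = max(statistics.pstdev(ref), min_std)
    alerts = []
    for end in range(reference_len + window, len(counts) + 1):
        level = statistics.median(counts[end - window:end])
        z = (level - ref_mean) / ref_std
        if z >= z_threshold:
            alerts.append((end - 1, level, round(z, 1)))
    return alerts


if __name__ == "__main__":
    print("spike series, spike detector:", detect_rate_spikes(spike_series()))
    print("ramp series,  spike detector:", detect_rate_spikes(ramp_series()))
    print("ramp series,  drift detector:", detect_level_drift(ramp_series())[:3], "...")
    print("spike series, drift detector:", detect_level_drift(spike_series()))
```

On the constructed data the spike detector flags the three burst minutes and nothing on the ramp, because each ramp value is only about two standard deviations above a baseline that is itself climbing; the drift detector flags the ramp from roughly its 44th minute and stays silent on the short burst. Both thresholds are assumed tuning values, and a real deployment would keep separate baselines per source, time of day, and day of week.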
Beyond these applications, AI defenses must themselves be protected from adversarial attacks, which feed a model crafted inputs that cause it to misclassify. Defense mechanisms include adversarial training, which exposes the model during training to adversarially perturbed inputs so that it learns to classify them correctly; defensive distillation, which reduces a model's sensitivity to small input perturbations; input compression or feature squeezing, which strips perturbations from data before it reaches the model; and ensembling, which combines several models' outputs so that an attacker has to fool all of them at once. These defenses are limited by high computational cost and by adaptive attacks designed against the defense itself.
Organizations should also expect automated attackers to probe defenses incrementally before launching at scale, which argues for continuous, iterative testing of defenses. Decoy systems can draw out automated attackers and expose their tactics without putting real assets at risk. Systematically examining authentication logs for impossible travel (consecutive logins from locations that could not have been reached in the elapsed time) or concurrent access from two geolocations is also important, since attackers may route through distributed proxy networks to evade geolocation-based blocking.
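The impossible-travel and concurrent-geolocation checks just described reduce to one calculation per pair of consecutive logins: the great-circle distance between the two locations divided by the elapsed time. The following added example (not code from any cited report; the login events, city coordinates and the 900 km/h ceiling are constructed or assumed for the illustration) implements both checks, including the zero-elapsed-time case that a naive division would crash on.

```python
"""Impossible-travel and concurrent-geolocation checks over constructed sign-in events.

Added example, not from any cited report. Coordinates are approximate city
centres and the 900 km/h ceiling is an assumed airliner cruising speed.
"""
import math
from collections import defaultdict
from datetime import datetime

EARTH_RADIUS_KM = 6371.0
MAX_SPEED_KMH = 900.0

# Constructed events: (timestamp, user, source ip, latitude, longitude). Not real data.
LOGINS = [
    ("2025-03-01T09:00:00", "alice", "203.0.113.10", 40.7128, -74.0060),   # New York
    ("2025-03-01T10:00:00", "alice", "198.51.100.7", 51.5074, -0.1278),    # London, 1 h later
    ("2025-03-01T09:00:00", "bob",   "203.0.113.20", 40.7128, -74.0060),   # New York
    ("2025-03-01T14:00:00", "bob",   "203.0.113.21", 42.3601, -71.0589),   # Boston, 5 h later
    ("2025-03-01T11:00:00", "carol", "203.0.113.30", 48.8566, 2.3522),     # Paris
    ("2025-03-01T11:00:00", "carol", "203.0.113.30", 48.8566, 2.3522),     # second tab, same place
    ("2025-03-01T12:00:00", "dave",  "203.0.113.40", 40.7128, -74.0060),   # New York
    ("2025-03-01T12:00:00", "dave",  "198.51.100.9", -33.8688, 151.2093),  # Sydney, same instant
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points on the Earth."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def implied_speed_kmh(distance_km, hours):
    """Speed needed to cover the distance in the elapsed time. Concurrent logins from
    different places imply infinite speed; concurrent logins from one place imply none."""
    if hours <= 0:
        return math.inf if distance_km > 0 else 0.0
    return distance_km / hours


def detect_impossible_travel(logins, max_speed_kmh=MAX_SPEED_KMH):
    """Compare each user's consecutive logins and flag pairs that exceed max_speed_kmh."""
    by_user = defaultdict(list)
    for ts, user, ip, lat, lon in logins:
        by_user[user].append((datetime.fromisoformat(ts), ip, lat, lon))
    findings = []
    for user, events in by_user.items():
        events.sort(key=lambda e: e[0])
        for (t1, ip1, la1, lo1), (t2, ip2, la2, lo2) in zip(events, events[1:]):
            dist = haversine_km(la1, lo1, la2, lo2)
            hours = (t2 - t1).total_seconds() / 3600
            speed = implied_speed_kmh(dist, hours)
            if speed > max_speed_kmh:
                findings.append({"user": user, "from_ip": ip1, "to_ip": ip2,
                                 "distance_km": round(dist), "hours": round(hours, 2),
                                 "speed_kmh": speed})
    return findings


if __name__ == "__main__":
    for finding in detect_impossible_travel(LOGINS):
        print(finding)
```

Alice (New York to London in an hour) and Dave (New York and Sydney at the same instant) are flagged; Bob's five-hour trip to Boston and Carol's two sessions from one location are not. In practice the main false-positive source is IP geolocation itself: corporate VPN egress, mobile carrier NAT and CDN-fronted services all place a user somewhere they are not, so a production rule suppresses known egress ranges before applying the speed test.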
CONCLUSION
The cyber threat landscape is undergoing a profound transformation, marked by escalating financial costs and an unprecedented acceleration in attack sophistication. The analysis reveals that cybercrime has evolved beyond a mere technical challenge, becoming a systemic economic and national security imperative. The sheer scale of projected financial losses, reaching trillions of dollars annually, underscores the critical need for a fundamental shift in defensive paradigms.
Key emerging trends from 2023 to 2025 demonstrate a highly adaptive and innovative adversary. The proliferation of AI-powered attacks has significantly enhanced the efficiency, effectiveness, scale, and sophistication of malicious activities, from crafting hyper-realistic phishing campaigns and deepfakes to automating complex ransomware operations. This democratization of advanced cybercrime capabilities has lowered the barrier to entry for a broader spectrum of malicious actors.
Concurrently, there has been a pronounced pivot towards identity-based and malware-free intrusions. Attackers are increasingly exploiting valid accounts, stolen credentials, and sophisticated MFA bypass techniques, often leveraging infostealers and living-off-the-land tactics. This shift signifies a strategic move to exploit human and configuration weaknesses, often as a direct response to improved traditional malware detection.
Deepening supply chain vulnerabilities, exacerbated by pervasive reliance on third-party vendors and the expansion of the attack surface through IoT, OT, and network edge devices, present a significant “trust paradox.” A single compromised entity can lead to widespread disruption, necessitating a more expansive view of an organization’s security boundary to encompass its entire digital ecosystem.
Ransomware remains a persistent and evolving threat, with a growing emphasis on data exfiltration and double extortion tactics. The rise of Ransomware-as-a-Service (RaaS) models further lowers the technical barrier for entry, while the fact that traditional backups alone are insufficient fundamentally alters recovery strategies.
Finally, the increasing targeting of cloud environments and edge devices reflects attackers’ strategic pursuit of data and operational processes into these expanding digital frontiers. The rapid weaponization of newly disclosed vulnerabilities, coupled with persistent slow patching by organizations, creates a continuous and exploitable “patch gap.”
To counter these dynamic threats, a strategic shift from purely reactive to a synergistic proactive and reactive defense posture is imperative. Leveraging AI for defense, through predictive analytics, behavioral analysis, and automated responses, is crucial to match the speed and sophistication of AI-powered attacks. However, this also necessitates securing AI systems themselves from adversarial manipulation. Comprehensive defense strategies must prioritize robust identity and access management, continuous vulnerability management, rigorous third-party risk assessment, and ongoing employee education to foster a proactive security culture. The future of cybersecurity demands continuous adaptation, collaboration across industries and governments, and an unwavering commitment to building resilience against an ever-evolving adversary.
References:
- ILI Law Review, Summer Issue 2020.
- Sophos, "The Sophos Annual Threat Report: Cybercrime on Main Street 2025," Sophos News, April 16, 2025. https://news.sophos.com/en-us/2025/04/16/the-sophos-annual-threat-report-cybercrime-on-main-street-2025/
- M. Al Ahdal et al., "Synergistic Effects of AI and Cybercrime Trends," tandfonline.com, 2023. https://www.tandfonline.com/doi/full/10.1080/23311916.2023.2272358
- Safe Security, "Researchers at SAFE & MIT Sloan Find AI Powers As Much As 80% of Modern Ransomware Attacks," safe.security, 2024. https://safe.security/resources/blog/researchers-at-safe-and-mit-sloan-find-ai-powers-as-much-as-80-of-modern-ransomware-attacks/
- Trend Micro, "Trend 2025 Cyber Risk Report," trendmicro.com, March 25, 2025. https://www.trendmicro.com/vinfo/us/security/news/threat-landscape/trend-2025-cyber-risk-report
- CISA, "Cyber Threats and Advisories," cisa.gov, May 31, 2025. https://www.cisa.gov/topics/cyber-threats-and-advisories
- Beyond Identity, "Inside the CrowdStrike 2025 Global Threat Report: Identity Woes and How to Fix Them," beyondidentity.com, March 4, 2025.
Author
Abhishek Tomar
Amity University, Gwalior
