KELA Report Shows Surge in Cybercrime Driven by AI Threats

KELA has released The State of Cybercrime 2026: Emerging Threats & Predictions, its annual report analyzing the global cybercrime landscape. The findings highlight a record surge in cybercrime activity, driven by evolving attacker behavior and the rise of malicious autonomous AI that is outpacing traditional defenses. According to KELA’s Cyber Intelligence Center, 7,549 ransomware victims were recorded in 2025—a 45% increase year over year—with more than 53% based in the United States.

The report identifies a major shift in how hackers use AI. Instead of manually attacking a network, criminals are using a technique called ‘Vibe Hacking’ to trick AI assistants into performing malicious tasks by disguising them as legitimate requests. KELA confirms that major global threat groups are already using these autonomous tools to run large parts of their operations with almost no human help. Additionally, as companies link multiple AI tools together, a ‘trust gap’ emerges: once a hacker tricks one AI agent, it can spread instructions to every other connected system, bypassing traditional security entirely.

KELA reports that organizations face systemic internal risks from ‘Shadow AI’ across all departments, from R&D to administrative and intelligence roles, where entering confidential data or credentials into unauthorized tools can lead to immediate data leakage. These findings indicate that without a centralized asset registry and strict governance, Shadow AI creates an unmonitored attack surface that leaves even non-technical sectors vulnerable to exploitation.

The report finds that a growing subset of attacks, particularly those linked to nation-state actors, use ransomware as a distraction to conceal more strategic objectives such as data theft or business disruption. As victims focus on containment, threat actors quietly exfiltrate data, conduct reconnaissance, or establish persistent access elsewhere in the network. In these cases, the visible attack is not always the one that causes the most damage.

Underlying this surge in ransomware is a growing reliance on stolen credentials as the primary method of access. KELA’s CIC identified 2.86 billion compromised credentials in 2025, with business cloud and authentication services accounting for more than 30% of all exposed data. By logging in rather than breaking in, attackers bypass traditional cyber defenses entirely, making identity the most critical attack surface organizations must now defend.

This trend is also breaking long-standing assumptions about platform security. As infostealer malware becomes increasingly cross-platform, attackers are no longer limited by operating system. Notably, infections on macOS devices increased from fewer than 1,000 cases in 2024 to more than 70,000 in 2025, a 7,000% increase.

“We’re seeing a fundamental pivot in adversary behavior with the shift from AI-assisted tools to fully autonomous, agentic malicious workflows, where over 80% of operations require minimal human oversight,” said David Carmiel, CEO of KELA. “Attackers no longer need to break in through a backdoor, they can quickly find the key and walk through the front using stolen credentials. Organizations relying on stale intelligence and legacy defenses instead of AI-powered solutions are leaving the door wide open to attacks.”

Additional Key Findings

  • With 147 active ransomware groups recorded in 2025, the criminal ecosystem remains dynamic, highlighted by the emergence of 80 entirely new threat entities as others disbanded.
  • Known exploited vulnerabilities increased 28% from 185 to 238, as underground markets shift toward fully weaponized, ready-to-deploy exploit scripts.
  • Hacktivism surged 400% year-over-year, with over 250 new groups claiming approximately 3,500 DDoS attacks, increasingly targeting critical infrastructure.
  • State-backed cyber activity aligned closely with global conflict zones, including Russia-Ukraine, Israel-Iran, US-China, and North Korea, spanning espionage, disruption, and distraction.

The State of Cybercrime 2026: Emerging Threats & Predictions is available for download here. The full report includes detailed threat actor profiles, dark web intelligence, sector-specific analysis, and immediate takeaways for security teams.


About Author

Taylor Graham, marketing grad with an inner nature to be a perpetual researchist, currently all things IT. Personally and professionally, Taylor is one to know with her tenacity and encouraging spirit. When not working you can find her spending time with friends and family.