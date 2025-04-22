Large-scale credential theft escalates

Cybercriminals continue to pivot to stealthier tactics, with lower-profile credential theft spiking, while ransomware attacks on enterprises declined, according to IBM’s newly-released 2025 X-Force Threat Intelligence Index.

IBM X-Force observed an 84% increase in emails delivering infostealers in 2024 compared to the prior year, a method threat actors relied heavily on to scale identity attacks.

The 2025 report tracks new and existing trends and attack patterns – pulling from incident response engagements, dark web and other threat intelligence sources.

Some key findings in the 2025 report include:

Critical infrastructure organisations accounted for 70% of all attacks that IBM X-Force responded to last year, with more than one quarter of these attacks caused by vulnerability exploitation.

More cybercriminals opted to steal data (18%) than encrypt it (11%) as advanced detection technologies and increased law enforcement efforts pressure cybercriminals to adopt faster exit paths.

Nearly one in three incidents observed in 2024 resulted in credential theft, as attackers invest in multiple pathways to quickly access, exfiltrate and monetise login information.

“Cybercriminals are most often breaking in without breaking anything – capitalising on identity gaps overflowing from complex hybrid cloud environments that offer attackers multiple access points,” says Mark Hughes, global managing partner of cybersecurity services at IBM.

“Businesses need to shift away from an ad-hoc prevention mindset and focus on proactive measures such as modernizing authentication management, plugging multi-factor authentication holes and conducting real-time threat hunting to uncover hidden threats before they expose sensitive data.”

Reliance on legacy technology and slow patching cycles prove to be an enduring challenge for critical infrastructure organisations as cybercriminals exploited vulnerabilities in more than one-quarter of incidents that IBM X-Force responded to in this sector last year.

In reviewing the common vulnerabilities and exposures (CVEs) most mentioned on dark web forums, IBM X-Force found that four out of the top ten have been linked to sophisticated threat actor groups, including nation-state adversaries, escalating the risk of disruption, espionage and financial extortion.

Exploit codes for these CVEs were openly traded on numerous forums — fueling a growing market for attacks against power grids, health networks and industrial systems.

This sharing of information between financially motivated and nation-state adversaries highlights the increasing need for dark web monitoring to help inform patch management strategies and detect potential threats before they are exploited.

In 2024, IBM X-Force observed an uptick in phishing emails delivering infostealers and early data for 2025 reveals an even greater increase of 180% compared to 2023. This upward trend fueling follow-on account takeovers may be attributed to attackers leveraging AI to create phishing emails at scale.

Credential phishing and infostealers have made identity attacks cheap, scalable and highly profitable for threat actors. Infostealers enable the quick exfiltration of data, reducing their time on target and leaving little forensic residue behind.

In 2024, the top five infostealers alone had more than eight million advertisements on the dark web and each listing can contain hundreds of credentials. Threat actors are also selling adversary-in-the-middle (AITM) phishing kits and custom AITM attack services on the dark web to circumvent multi-factor authentication (MFA).

The rampant availability of compromised credentials and MFA bypass methods indicates a high-demand economy for unauthorized access that shows no signs of slowing down.

While ransomware made up the largest share of malware cases in 2024 at 28%, IBM X-Force observed a reduction in ransomware incidents overall compared to the prior year, with identity attacks surging to fill the void.

International takedown efforts are pushing ransomware actors to restructure high-risk models towards more distributed, lower-risk operations. For example, IBM X-Force observed previously well-established malware families including ITG23 (aka Wizard Spider, Trickbot Group) and ITG26 (QakBot, Pikabot) to either completely shut down operations or turn to other malware, including the use of new and short-lived families, as cybercrime groups attempt to find replacements for the botnets that were taken down last year.

Additional findings from the 2025 report include: