Cybercrime's AI Shift: Billions of Credentials Stolen in Record Year

TEL AVIV, ISRAEL – April 29, 2026 – The global cybercrime landscape reached an unprecedented scale in 2025, marked by a record 2.86 billion stolen credentials and a fundamental shift towards fully autonomous, AI-driven attacks. A new report from cyber threat intelligence leader KELA reveals that traditional defenses are being outpaced as attackers weaponize artificial intelligence and exploit the digital identities of employees to simply walk through the front door of corporate networks.

The annual report, "The State of Cybercrime 2026: Emerging Threats & Predictions," paints a stark picture of a rapidly evolving threat environment. Researchers from KELA’s Cyber Intelligence Center (CIC) tracked 7,549 ransomware victims last year, a staggering 45% increase from 2024, with more than half of these victims located in the United States. This surge is not just a matter of scale but represents a strategic pivot in how cybercriminals operate.

The Rise of the Autonomous Malicious AI

The most significant evolution identified in the report is the move from human-operated, AI-assisted tools to fully autonomous malicious workflows. Threat actors are now deploying AI agents that can run vast portions of their operations with minimal human intervention, creating a "velocity gap" that legacy security systems struggle to close.

A key technique enabling this shift is what KELA has termed ‘Vibe Hacking.’ Instead of complex code injections, attackers are using sophisticated social engineering-like prompts to trick corporate AI assistants. By disguising malicious commands as legitimate, routine requests, they can manipulate an organization's own AI tools into executing harmful tasks. Because many companies are now linking multiple AI systems together, a 'trust gap' has emerged. Once an attacker deceives a single AI agent, that agent can propagate malicious instructions to every other connected system, effectively bypassing traditional security perimeters entirely.

"We’re seeing a fundamental pivot in adversary behavior with the shift from AI-assisted tools to fully autonomous, agentic malicious workflows, where over 80% of operations require minimal human oversight,” said David Carmiel, CEO of KELA, in the report's announcement. “Attackers no longer need to break in through a backdoor, they can quickly find the key and walk through the front using stolen credentials."

Identity: The New Digital Battlefield

Underpinning this new wave of attacks is a tidal wave of compromised credentials. The report’s finding of 2.86 billion stolen credentials in 2025 underscores a critical vulnerability: identity is now the primary attack surface. By acquiring legitimate login details from sprawling underground markets, attackers can simply authenticate as a valid user, rendering firewalls and intrusion detection systems irrelevant.

This "log in, not break in" approach is fueled by an epidemic of infostealer malware, which infected approximately 3.9 million machines globally last year. These malicious programs quietly harvest saved passwords, session cookies, and other sensitive data from browsers and applications. The report notes that business cloud and authentication services were a prime target, accounting for over 30% of all exposed data.

This trend is also shattering long-held beliefs about platform security. While Windows has historically been the main target, the report documents a jaw-dropping 7,000% increase in infostealer infections on macOS devices, jumping from fewer than 1,000 cases in 2024 to over 70,000 in 2025. This surge, partly driven by the accessibility of "malware-as-a-service" offerings, confirms that no operating system is immune and that attackers are becoming increasingly platform-agnostic.

The Hidden Threat of 'Shadow AI'

While external threats grow more sophisticated, KELA's research also points to a critical and systemic internal risk: 'Shadow AI.' This phenomenon describes the unsanctioned use of third-party AI tools by employees across all departments, from R&D and intelligence analysis to simple administrative roles.

Driven by a desire for efficiency, employees often input sensitive corporate data, confidential documents, or even internal credentials into publicly available AI models without realizing the consequences. This can lead to immediate data leakage, as the information becomes part of the AI's training data or is otherwise stored insecurely by the third-party provider. Without a centralized registry of approved AI assets and strict governance policies, organizations are unknowingly creating a massive, unmonitored attack surface. This leaves even non-technical business units, previously considered low-risk, vulnerable to exploitation and data exfiltration. Experts suggest that mitigating this risk requires a combination of robust AI governance frameworks, such as the NIST AI Risk Management Framework, and comprehensive employee education on data handling.

When Ransomware is Just a Smokescreen

The report also details a strategic evolution in the use of ransomware. For a growing subset of sophisticated attackers, particularly those linked to nation-state actors, the ransomware attack itself is no longer the ultimate goal. Instead, it serves as a loud and disruptive distraction.

As a victim organization scrambles its incident response teams, focuses all resources on containment, and deals with the public fallout of a ransomware event, the attackers use the chaos as cover. In the background, they quietly pursue their true objectives: exfiltrating sensitive intellectual property, conducting long-term espionage, or establishing persistent, hidden access points deep within the network for future operations. In these scenarios, the visible damage from the encrypted files is often far less significant than the strategic losses incurred behind the scenes.

This tactic is frequently observed in attacks aligning with global geopolitical conflicts, including those involving Russia-Ukraine, Israel-Iran, and US-China tensions. The dynamic nature of the criminal ecosystem is further highlighted by the report's tracking of 147 active ransomware groups, including 80 entirely new entities that emerged in 2025. This, combined with a 400% year-over-year surge in hacktivism targeting critical infrastructure, underscores a volatile and unpredictable threat landscape where the most obvious attack is not always the one that causes the most damage.