Your Password Is the New Perimeter: Why Attackers Are Logging In
- 22% of breaches involved stolen credentials as the entry point (Verizon 2025 DBIR).
- 72% surge in marketplace listings for credentials stolen by LummaC2 malware.
- 31.4 Tbps peak in DDoS attacks, powered by botnets of over 500,000 devices.
Experts agree that cybercriminals are increasingly leveraging stolen credentials and AI tools to bypass traditional defenses, necessitating a shift toward proactive identity-based security measures and rapid threat response.
Your Password Is the New Perimeter: Cybercriminals Are Logging In, Not Breaking In
ZURICH, Switzerland – March 30, 2026 – The digital keys to the corporate kingdom are no longer protected by towering firewalls but by the strength of a simple password. A landmark cybersecurity report released today reveals a fundamental shift in the cybercrime landscape, where attackers are increasingly bypassing complex hacking in favor of a simpler, more effective method: logging in with stolen credentials.
The 2H 2025 Threat Intelligence Report from cybersecurity firm Ontinue paints a stark picture of a world where identity has become the primary battleground. Drawing on telemetry and investigations from its security operations, the report concludes that traditional notions of "breaking in" are becoming obsolete. Instead, a booming underground economy for stolen corporate identities allows adversaries to walk through the front door undetected.
"Attackers aren't trying to break through defenses anymore; they're logging in with stolen credentials," stated Balazs Greksza, Director of Advanced Threat Operations at Ontinue, in the report's release. "Once attackers obtain valid identities, they can bypass traditional security controls and move through environments as legitimate users, often without triggering the alarms organizations rely on."
The Identity Crisis: A Thriving Market for Stolen Credentials
The trend identified by Ontinue is not an isolated observation but a reality echoed across the cybersecurity industry. Verizon's 2025 Data Breach Investigations Report (DBIR) found that stolen credentials were the single most common entry point in breaches, accounting for 22% of all incidents. This data confirms that exploiting legitimate access is now a more prevalent tactic than exploiting software vulnerabilities or using traditional malware.
Fueling this identity-driven threat is a sophisticated ecosystem of "infostealer" malware. These malicious programs, such as the LummaC2 family highlighted in the report, are designed to harvest browser passwords, session cookies, and authentication tokens from infected computers. The Ontinue report notes a staggering 72% surge in marketplace listings for credentials stolen by LummaC2, demonstrating the rapid growth and industrialization of this illicit trade.
These stolen credentials are then packaged and sold on dark web marketplaces, where other cybercriminals can purchase ready-made access to corporate networks for as little as a few hundred dollars, rising to several thousand depending on the level of privilege. This creates a specialized economy in which some groups focus on infection and credential harvesting, while others, including ransomware gangs, purchase that access to launch their own campaigns. This division of labor gives cybercrime greater efficiency and scale.
The Ransomware Paradox: More Attacks, Fewer Payouts
While identity theft dominates initial access, ransomware remains a devastating final act. The report documents over 7,000 ransomware incidents globally in 2025, perpetrated by approximately 129 active groups. However, in a seemingly paradoxical trend, the total value of traceable ransom payments fell to $820 million, down from $892 million in 2024.
This decline in payments, corroborated by blockchain analysis firm Chainalysis, does not signal a weakening of the ransomware threat. Instead, it reflects a complex and evolving landscape. According to data from other security firms like Coveware, the percentage of victims paying ransoms has hit an all-time low, dropping to just 23% in late 2025. This refusal to pay is attributed to several factors, including more robust backup and recovery strategies, increased disruption of ransomware gangs by law enforcement, and a growing awareness that paying a ransom does not guarantee data will be returned or deleted.
Despite fewer payments, attackers are escalating their pressure tactics. Modern ransomware campaigns frequently involve "quadruple extortion," where criminals not only encrypt data but also steal it for public release, launch Distributed Denial-of-Service (DDoS) attacks to cripple operations, and directly harass employees, customers, and business partners to coerce payment.
The AI Arms Race: Generative AI Enters the Cybercrime Arena
A more nascent but rapidly emerging threat detailed in the report is the use of generative AI by malicious actors. Ontinue researchers observed early but clear evidence of Large Language Models (LLMs) being used to assist in the development of malware. Analysis of malicious code revealed patterns consistent with AI-assisted generation, including verbose comments, duplicated functions, and polished user interfaces that masked insecure underlying code.
This trend is lowering the technical barrier for entry into cybercrime. Specialized dark web tools like WormGPT and FraudGPT are already being marketed to help less-skilled criminals generate malicious code and craft highly convincing phishing emails. Industry experts confirm that AI-generated malware is now operational. By some estimates, over half of all spam emails are now AI-written, eliminating the grammatical errors and awkward phrasing that once served as tell-tale signs of a phishing attempt.
The implications are profound, suggesting a future where AI-powered malware could adapt its own code to evade detection or automate the process of finding and exploiting vulnerabilities, creating a significant new challenge for defenders.
Expanding Battlefields: Supply Chains and Cloud Services Under Fire
The focus on identity also extends to the interconnected web of modern business: software supply chains and Software-as-a-Service (SaaS) platforms. Attackers are increasingly targeting these trusted third-party relationships to gain indirect access to their ultimate targets. Recent industry data supports this, with one report from Obsidian Security documenting a 300% year-over-year increase in SaaS-related breaches.
By compromising a single software vendor or a widely used cloud application, an attacker can potentially breach hundreds or thousands of organizations at once. These attacks often exploit the complex web of integrations and permissions between cloud services, using stolen access tokens from one application to pivot into others. This tactic effectively bypasses perimeter defenses by originating from a trusted source.
The scale of automation available to attackers was further demonstrated by the report's documentation of record-breaking infrastructure attacks. DDoS campaigns peaked at an unprecedented 31.4 Terabits per second (Tbps), powered by botnets of over 500,000 compromised devices, showcasing the immense power adversaries can wield to disrupt global operations.
As the lines between internal and external networks blur, the security paradigm must shift accordingly. "The reality organizations face today is that attackers are moving faster, leveraging stolen identities and automation to bypass traditional defenses," said Craig Jones, Chief Security Officer at Ontinue. "Cyber resilience is no longer just about preventing breaches; it's about proactive risk reduction and environment hardening, by detecting threats quickly, responding decisively, and maintaining operational continuity when incidents occur."