Credential Theft Surges as Attackers Shift from Breaking In to Logging In
Event summary
- Ontinue's 2H 2025 Threat Intelligence Report reveals a 72% surge in stolen credential listings tied to LummaC2, and counts over 7,000 ransomware attacks reported globally in 2025.
- Identity-based attacks, including AiTM phishing and password spraying, have become the most common pathway into cloud environments.
- Infostealer malware like LummaC2 is fueling a growing underground market for corporate access, with stolen credentials commanding thousands of dollars per account.
- Ransomware payments declined modestly to $820M in 2025, but the number of attacks continued to rise, with over 120 active ransomware groups.
- Early evidence suggests threat actors are using generative AI to accelerate malware development, lowering the technical barrier for creating malicious tools.
The big picture
The shift from traditional malware-driven intrusions to identity-based attacks highlights the evolving tactics of cybercriminals. As infostealers like LummaC2 fuel a lucrative underground market for stolen credentials, organizations must prioritize proactive risk reduction and environment hardening. The emerging use of generative AI in malware development further complicates the cybersecurity landscape, requiring advanced threat detection and response capabilities to stay ahead of attackers.
What we're watching
- Credential Theft Economy
  - How the underground market for stolen credentials will evolve and whether organizations can adapt their security measures to counter this growing threat.
- AI-Assisted Malware
  - The pace at which generative AI will be adopted by threat actors and its potential impact on the sophistication and frequency of cyberattacks.
- Ransomware Evolution
  - Whether the shift towards identity-based attacks will lead to more sophisticated ransomware campaigns and how managed security providers will respond.