The IOCTA 2026 report released by Europol offers a detailed look at how cybercrime is evolving across Europe, with criminals increasingly using artificial intelligence, encryption, and cryptocurrencies to scale their operations. The latest edition of the Internet Organised Crime Threat Assessment outlines key trends shaping the threat landscape and calls for stronger coordination among law enforcement agencies. According to the IOCTA 2026 report, cybercrime is becoming more complex and interconnected, driven by rapid technological advancements. The findings highlight how criminals are adapting quickly, making it harder for authorities to detect, track, and disrupt their activities.

IOCTA 2026 Report Maps Evolving Cyber Threat Landscape

The IOCTA 2026 report serves as a roadmap for understanding emerging cyber threats, covering areas such as online fraud, ransomware attacks, and child exploitation networks. Edvardas Šileris, Head of the European Cybercrime Centre at Europol, emphasized that the report is intended to help law enforcement agencies respond effectively to these evolving risks. He noted that as cybercriminals continue to exploit new technologies, strengthening capabilities and improving collaboration will be essential to protect citizens and critical infrastructure.

Dark Web Fragmentation and Cryptocurrencies Fuel Crime

A key finding in the IOCTA 2026 report is the continued role of the dark web as a central hub for cybercriminal activity. Despite ongoing crackdowns, marketplaces and forums remain active, with criminals frequently shifting platforms to avoid detection. The report highlights how fragmentation and specialization across these platforms make investigations more difficult. Encrypted messaging services and anonymized networks are increasingly connecting surface and dark web environments, reducing the visibility of criminal operations. Cryptocurrencies also play a significant role, according to the IOCTA 2026 report. Privacy-focused coins and offshore exchanges are widely used to launder ransomware payments, making financial tracking more challenging. The report also points to a growing trend of younger individuals becoming involved in cryptocurrency-related activities, sometimes without understanding the legal risks.

AI-Driven Fraud Expands Across Europe

The IOCTA 2026 report identifies artificial intelligence as a major driver of online fraud. Cybercriminals are using generative AI tools to create highly targeted phishing campaigns and social engineering attacks. These tools allow attackers to:

• Personalize fraudulent messages at scale
• Mimic legitimate communication styles
• Automate large-scale scam operations

The report also highlights the use of caller ID spoofing and SIM farms, which enable attackers to send thousands of messages or calls simultaneously. This combination of AI and automation is increasing both the reach and success rate of fraud campaigns.

Ransomware and Data Extortion Remain Key Threats

Ransomware continues to be a dominant threat, as outlined in the IOCTA 2026 report. A large number of active ransomware groups were observed throughout 2025, with many adopting data extortion tactics. Instead of relying solely on encryption, attackers are increasingly threatening to release stolen data to pressure victims into paying. This shift has made cyberattacks more damaging, particularly for public institutions and large organizations. The report also notes growing links between state-sponsored actors and criminal groups, with some cybercriminals acting as proxies in broader geopolitical strategies. Emerging hacking coalitions are adding another layer of complexity to the threat landscape.

Rise in Online Child Exploitation and Criminal Networks

The IOCTA 2026 report highlights a concerning increase in online child sexual exploitation cases. The financial trade of child abuse material is growing, and the use of synthetic content is creating new challenges for investigators. Encrypted messaging platforms are widely used by offenders, making it harder for authorities to monitor and intervene. The report also points to the emergence of organized online communities that engage in multiple forms of criminal activity. These networks combine cybercrime with violent offenses, creating a complex and dangerous ecosystem that extends beyond digital spaces.

Need for Stronger Law Enforcement Collaboration

The findings of the IOCTA 2026 report reinforce the need for improved coordination between governments, law enforcement agencies, and industry stakeholders. As cyber threats become more advanced, isolated efforts are no longer sufficient. The report provides actionable insights and recommendations aimed at strengthening investigative capabilities and improving response strategies. It also stresses the importance of innovation in tackling new forms of cybercrime.

The 2026 threat landscape continued to intensify in March, with ransomware attacks, expanding data breach activity, and a growing underground market for compromised access shaping the global cybersecurity environment. According to analysis from CRIL (Cyble Research & Intelligence Labs), organizations worldwide faced a highly active and coordinated threat ecosystem throughout the month.  CRIL’s findings point to a cybercriminal landscape driven by financial extortion, credential theft, and operational disruption. Attackers consistently targeted industries that rely heavily on uptime or store large volumes of sensitive data, reinforcing the urgency for stronger defensive strategies. 

Ransomware Attacks Dominate the 2026 Threat Landscape 

One of the most defining aspects of the March 2026 threat landscape was the scale of ransomware attacks. CRIL recorded 702 ransomware incidents globally, underscoring the continued dominance of ransomware as a primary attack vector.  Among the most active threat groups were Qilin, Akira, The Gentlemen, Dragonforce, and INC Ransom. Collectively, these actors were responsible for over 56% of all observed ransomware activity, reflecting their operational maturity and extensive affiliate networks.  Industries most affected by ransomware attacks included: 

• Construction  
• Professional Services  
• Manufacturing  
• Healthcare  
• Energy & Utilities  

Attackers frequently employed double-extortion tactics, combining data theft with system disruption to increase pressure on victims. Geographically, the United States remained the primary target, influenced in part by ongoing geopolitical tensions, including those involving Iran. 

Rise of Access Brokers in the CRIL Threat Analysis 

Another notable trend in the 2026 threat landscape, as identified by CRIL, was the continued growth of the compromised access market. During March, 20 separate incidents involving the sale of unauthorized network access were tracked across cybercrime forums.  The most targeted sectors for access sales were: 

• Professional Services (25%)  
• Retail (20%)  
• IT & ITES  
• Manufacturing  

A small group of threat actors, vexin, holyduxy, and algoyim, dominated this space, accounting for more than 55% of observed listings. These access brokers play a critical upstream role, enabling ransomware attacks, espionage campaigns, and financial fraud operations. 

Data Breaches and Leak Markets Stay Active 

CRIL also documented 54 significant data breach and leak incidents in March, further highlighting the scale of data exposure risks in the current 2026 threat landscape.  The most targeted sectors for data breaches included: 

• Government & Law Enforcement  
• Retail  
• Technology  

Several incidents stood out: 

• A threat actor known as “nightly” claimed to have stolen over 5TB of data from Hospitality Holdings, including biometric data, CCTV footage, and financial records. 
• Another actor, XP95, advertised 3.8TB of allegedly stolen South African government data for sale.  
• A separate breach exposed more than 95,000 travel-related records, including passport and payment information.  

Exploitation of Critical Vulnerabilities Accelerates 

The 2026 threat landscape also saw increased exploitation of critical vulnerabilities, particularly those listed in CISA’s Known Exploited Vulnerabilities (KEV) catalog.  Key vulnerabilities targeted included: 

• CVE-2026-20131 (Cisco Secure Firewall Management Center)  
• CVE-2025-53521 (F5 BIG-IP APM)  
• CVE-2026-20963 (Microsoft SharePoint Server)  
• CVE-2026-33017 (Langflow AI)  
• CVE-2021-22681 (Rockwell Automation ICS)  

CRIL observed attackers exploiting both newly disclosed zero-day vulnerabilities and older, unpatched flaws. This trend reflects persistent gaps in patch management and exposure mitigation across organizations. 

Emerging Threat Developments in March 2026 

Beyond ransomware attacks and data breaches, CRIL identified several strategic developments shaping the 2026 threat landscape: 

• AI-Driven Attacks: Threat actors reportedly leveraged an open-source framework called CyberStrikeAI to target Fortinet FortiGate devices across 55 countries, compromising more than 600 systems. 
• Supply Chain Risks: North Korean-linked actors were associated with 26 malicious npm packages distributing remote access trojans (RATs) via infrastructure hosted on Pastebin and Vercel. 
• Geopolitical Cyber Activity: Iran-linked cyber operations are expected to increase, with potential ransomware attacks and hacktivist campaigns targeting organizations in the Middle East. 

The FBI Internet Crime Report 2025 shows just how expensive cybercrime has become. In 2025, the FBI’s Internet Crime Complaint Center (IC3) received over one million complaints, with reported losses touching $20.8 billion, the highest ever recorded. That figure is not just a statistic. It reflects everyday incidents, individuals losing life savings to investment scams, businesses wiring money to fraudulent accounts, and organizations dealing with disruptions from ransomware attacks. What used to be isolated cases are now happening at scale. The FBI Internet Crime Report 2025 also shows how the nature of cybercrime is changing. Fraud is no longer limited to suspicious emails or obvious scams. Criminals are using social platforms, messaging apps, and now even artificial intelligence to make their operations look legitimate. In many cases, victims don’t realize they are being targeted until the money is already gone. At the same time, the report highlights that law enforcement is trying to keep pace. Operations targeting crypto scams and international fraud networks are making an impact, but the overall trend shows that cybercrime is expanding faster than it is being contained.

Cyber-Enabled Fraud Remains the Biggest Driver

A large share of these losses comes from cyber-enabled fraud, which alone accounts for nearly 85% of the total financial damage, or about $17.7 billion. Investment fraud continues to cause the most damage. In 2025, it led to $8.6 billion in losses, followed by business email compromise (BEC) and tech support scams. Within this, cryptocurrency investment fraud stands out. Losses linked to crypto scams reached $7.2 billion, making it the biggest single category. [caption id="attachment_111088" align="aligncenter" width="577"] Image Source: FBI Report[/caption] These scams are no longer basic phishing attempts. Attackers spend time building trust, approaching victims through social media, messaging apps, or even dating platforms. Once trust is established, victims are guided toward fake investment platforms that show fabricated profits. By the time withdrawals are attempted, the money is gone.

AI-Enabled Scams Are Growing Fast

The FBI Internet Crime Report 2025 includes a separate section on AI-enabled scams for the first time, and the early numbers are already concerning.

• More than 22,000 complaints linked to AI
• Around $893 million in losses

AI is making scams more convincing. Fake profiles, cloned voices, and realistic conversations can now be created quickly and at scale. This allows attackers to run highly targeted campaigns without much effort. The challenge is that these scams often look legitimate, making it harder for individuals and even businesses to identify red flags in time.

Ransomware Continues to Target Critical Sectors

Ransomware remains a steady threat, especially for critical infrastructure.

• Over 3,600 complaints reported in 2025
• Losses crossed $32 million

The actual impact is likely much higher. Many organizations do not report full losses, especially indirect costs like downtime or recovery expenses. The report also notes 63 new ransomware variants identified during the year, showing how quickly these attacks continue to evolve. Sectors such as healthcare, manufacturing, and government facilities remain frequent targets, where even short disruptions can have serious consequences.

FBI Operations Are Preventing Some Losses

The report also highlights efforts by law enforcement to limit the damage. One example is Operation Level Up, focused on cryptocurrency investment scams. Since its launch in 2024, the initiative has helped reduce potential losses by more than $500 million. In many cases, victims did not realize they were being scammed until they were contacted. This reflects a larger issue, many cyber fraud cases go unnoticed until significant financial damage has already occurred.

Cybercrime Is Becoming More Structured

The report also points to broader trends. Cybercriminal groups are operating more like organized businesses. At the same time, state-linked actors are becoming more active, targeting infrastructure and sensitive data. One example highlighted is the DPRK IT worker scam, where individuals posing as remote IT workers gain access to company systems and use that access for data theft or further attacks. These developments show that cybercrime is no longer limited to isolated incidents. It is part of a larger, global ecosystem.

A Growing Gap Between Threats and Preparedness

The FBI Internet Crime Report 2025 shows a clear pattern—cybercrime is scaling faster than awareness and response.

• Fraud tactics are becoming more personal and long-term
• AI is helping attackers improve success rates
• Cryptocurrency is making transactions harder to trace

While recovery efforts and law enforcement actions are improving, most interventions still happen after the damage is done.

Final Take on FBI Internet Crime Report 2025

The FBI Internet Crime Report 2025 highlights a shift in how cybercrime operates today. The scale—over $20 billion in losses—is significant, but the methods behind these numbers are just as important. From cyber-enabled fraud to AI-enabled scams and cryptocurrency investment fraud, attackers are using a mix of technology and human psychology to succeed. For individuals and organizations, the risk is no longer occasional—it is constant, and it is evolving.

The global surge in energy sector ransomware attacks intensified throughout 2025, exposing deep vulnerabilities in critical infrastructure. As organizations prepare for what’s coming next, the lessons are becoming harder to ignore. The systems that power homes, fuel industries, and sustain modern life are under siege, not by isolated hackers, but by highly organized ransomware groups operating at scale.  In 2025 alone, the energy and utilities sector recorded 187 confirmed ransomware attacks. These were not mere attempts, but successful breaches involving system encryption, data theft, and ransom demands.  

When Energy Sector Ransomware Disrupts Real Life 

Unlike typical cyber incidents, energy sector ransomware attacks have immediate and widespread consequences. According to the Cyble Energy & Utilities Threat Landscape Report 2025, Halliburton suffered a ransomware attack in August 2025; the company reported losses totaling $35 million. In another case, attackers deploying FrostyGoop malware targeted a municipal energy provider in Ukraine, cutting off heating in Lviv during freezing temperatures.  Several ransomware groups dominated the threat landscape in 2025. RansomHub led with 24 attacks (12.8%), followed by Akira with 20 incidents (10.7%) and Play with 18 attacks (9.6%). Alongside Qilin and Hunters/Lynx, these groups accounted for nearly half of all recorded ransomware activity in the sector.  

Why the Energy Sector Remains Vulnerable 

The continued rise of energy sector ransomware attacks can be traced to structural weaknesses unique to the industry. 

• Legacy Infrastructure: Many facilities still rely on decades-old operational technology (OT), including industrial control systems using outdated protocols like Modbus and DNP3. These systems were designed for reliability, not cybersecurity, leaving them exposed to modern threats. 
• IT-OT Convergence: As companies digitize operations, previously isolated OT environments are now connected to corporate IT networks. This convergence allows attackers to move laterally, from a phishing email on an employee device to critical systems like SCADA controls. 
• Distributed Systems: Energy infrastructure is geographically dispersed, spanning solar farms, substations, pipelines, and wind installations. Each site represents a potential entry point, making comprehensive security management extremely difficult. 

A Multi-Layered Threat Landscape 

Between July 2024 and June 2025, the energy sector faced a broad spectrum of cyber threats: 

• 37 instances of compromised network access being sold on underground forums
• 57 data breaches exposing sensitive operational information
• 187 ransomware attacks involving encryption and data exfiltration
• Over 39,000 hacktivist posts targeting energy infrastructure

Regionally, North America accounted for more than one-third of ransomware incidents, with Asia and Europe also heavily targeted. This distribution confirms that ransomware groups are not geographically selective; they exploit vulnerabilities wherever they find them. 

The Rise of Access Brokers 

A key driver behind the increase in energy sector ransomware attacks is the growing role of initial access brokers. These actors specialize in obtaining and selling network credentials.  During the reporting period, groups like Zerosevengroup, mommy, and Miyako were responsible for approximately 27% of observed access sales targeting the energy sector. The remaining activity was spread across numerous smaller sellers, indicating a low barrier to entry for cybercriminals.  In March 2025, Zerosevengroup reportedly offered admin-level access to a UAE-based power and water company, claiming control over 5,000 network hosts. Other listings included access to an Indonesian power plant subsidiary and a French wastewater treatment system.  

Hacktivism Meets Operational Technology

Beyond financially motivated ransomware groups, hacktivist activity also intensified. Some groups went beyond website defacement and data leaks, claiming direct access to operational systems.  For example, a pro-Russian group known as Sector 16 reportedly demonstrated access to U.S. oil and gas control systems, including shutdown interfaces and valve controls. Similarly, the Golden Falcon Team claimed access to a French wastewater platform, including controls over pH levels and water distribution. 

Persistent Vulnerabilities and Delayed Patching 

Throughout 2025, attackers exploited known vulnerabilities in widely used systems, including: 

• ABB ASPECT systems  
• Siemens SENTRON PAC3200 meters  
• Solar inverter platforms  
• Schneider Electric Jira systems  
• VMware, Ivanti, and Fortinet products  

Despite available patches, the average remediation time exceeded 21 days, while attackers often weaponized vulnerabilities within 72 hours. This gap creates a critical exposure window that ransomware groups repeatedly exploit. 

Strengthening Defenses Against Ransomware Groups 

To counter the growing threat of energy sector ransomware, organizations are adopting several defensive strategies: 

• Network Segmentation: Separating IT and OT environments reduces the risk of attackers moving between systems. Where connections are necessary, strict access controls and monitoring are essential. 
• Monitoring Criminal Markets: Tracking underground forums can help organizations detect whether their credentials are being sold, enabling faster responses before an attack occurs. 
• Faster Patch Management: Reducing patching timelines is critical. While updating OT systems is complex, delays significantly increase risk. 
• Incident Preparedness: Organizations must prepare for worst-case scenarios. This includes maintaining offline backups, isolating compromised systems, and ensuring the ability to operate manually if necessary.