End of The Year 2025 Cyber Analysis

We reviewed threat data from across 2025 to understand how cyber activity changed over the year and our findings show a clear trend. Threat actors improved their techniques and expanded their reach across industries and regions.

You can download the End of The Year 2025 Report to access the full analysis.

New Highs for Credential Theft

Credential theft continued to grow throughout 2025. A total of 388 million credentials were stolen from the ten most affected platforms. Facebook accounted for 93 million records, followed by Google with 67 million and Roblox with 66 million.

Gaming platforms were hit especially hard. Roblox, Twitch, and Epic Games together accounted for around 100 million accounts. These platforms attract younger users, many of whom can reuse passwords and apply limited security controls. Threat actors clearly exploited this.

Geography adds more context to this trend. India recorded 2.7 million stealer log incidents, followed by Brazil with 1.9 million and Indonesia with 1.3 million. The United States ranked fourth at 1.2 million cases. We detected that countries with fast digital growth are seeing higher exposure.

The Dark Web as a Marketplace

Dark Web activity in 2025 centered on commercial exchange. Sales accounted for 59% of observed activity, while 33% involved sharing stolen data and Hack announcements are around 5%.

There is a similar pattern in other threat reports we published this year. This shows how established underground markets have become. Access, data, and tools are traded regularly, often with clear pricing and service models.

The United States appeared in nearly 20% of all forum discussions, making it the most referenced country. Public Administration led sector discussions at 13%, followed by Information and Finance at around 10% each.

Ransomware Activity Spread Across Groups

Ransomware operations were distributed across many actors in 2025. Akira led with 8.4% of incidents, followed by Qilin at 7.3% and Cl0p at 5.8%. No group controlled a large share of the landscape.

This spread requires a different approach than a more focused threat landscape. Organizations now face a wide range of tools, methods, and timelines rather than a couple of dominant threat actors, which makes it harder to track all the threats.

Targeting patterns remained consistent. The United States saw 41% of all ransomware attacks, while the United Kingdom followed with 18%. Australia, Japan, and Canada completed the top five. English-speaking countries together accounted for more than 60% of reported cases.

What Do These Numbers Mean?

These developments form a connected chain. Credentials are stolen through malware. That access is sold on Dark Web forums. Ransomware groups purchase it and use it to launch attacks.

This process creates various risks for organizations on multiple fronts. Employees are targeted first through personal or work accounts. Compromised credentials then become gateways to larger incidents.

The 388 million stolen credentials represent more than isolated breaches. They serve as entry points that enable broader and more damaging attacks.

What the Full Report Covers

The 2025 End of Year Report expands on these findings, including:

• Stealer log distribution
• Dark Web activity
• Ransomware threats
• Global phishing activity
• And a summary of the threat landscape in 2025

Download the End of The Year 2025 Report to access the full analysis.