The FBI reported direct losses of $16.6bn from cybercrime in 2024, a 33% increase over 2023. Britain puts its annual losses at more than £27bn. The European Commission reckoned that worldwide costs were €5.5trn ($6.5trn) in 2021. Much cybercrime goes unreported: victims of ransomware attacks may fear reputational damage or fines under data-protection laws.
The criminal underworld has undergone a digital revolution akin to Uber's disruption of the taxi industry. Criminals who once committed crimes themselves have become service providers in a vast underground marketplace. Ransomware developers sell plug-and-play hacking kits that give even unskilled criminals the ability to launch attacks, dramatically lowering barriers to entry. John Wojcik of the United Nations Office on Drugs and Crime has said the service model "is evolving at a rate that we've never previously seen".
Ransomware developers use a variety of business models. Basic code can cost as little as $2,000. Under the ransomware-as-a-service model, a client (or affiliate) gets access to a web portal to customise the ransomware; some groups also provide a communications portal for anonymous negotiation with victims. In exchange the developers take a share of the profits, which market forces have pushed down from around 30-40% a few years ago to roughly 10-20%.
DragonForce, one such platform, uses a double-extortion method: it both steals a copy of the victim's data and encrypts it on the victim's system, demanding two separate ransoms—one to unscramble the data and another to delete the stolen copy. Firms that refuse to pay face the threat that their data will be leaked to other criminals.
Scattered Spider is a fluid network of young hackers who may never meet in person yet can co-ordinate devastating attacks across continents. It is not a traditional, hierarchical mafia. In 2023 the group attacked Caesars Entertainment and MGM Resorts International, two American casino operators, yet the FBI struggled to dismantle the network. In May 2025 Scattered Spider was the chief suspect in cyber-attacks on three British retailers—Marks & Spencer, the Co-op and Harrods—according to Britain's National Crime Agency. The Marks & Spencer disruptions alone were expected to cost some £300m ($405m). The group used DragonForce ransomware in those attacks. Google warned on May 21st 2025 that Scattered Spider was turning its attention to American retailers.
Large retailers are prime targets because they hold troves of customer data: names, email addresses, credit-card details, shopping habits and browsing histories. These data are among cybercrime's most valuable commodities. Underground markets, hosted on messaging apps or the dark web, serve as trading hubs where vendors sell stolen credit-card details, bank records and other confidential information.
Criminals increasingly use information-stealing malware, distributed through phishing emails or malicious ads, that harvests browsing history, saved passwords, chat logs and cryptocurrency-wallet details. RedLine Infostealer has been used to infiltrate major corporations. META Infostealer (unrelated to the company that runs Facebook) is distributed through a decentralised malware-as-a-service model; a lifetime licence cost $900 and a monthly subscription $150 according to a 2022 criminal complaint filed in Texas, though experts reckoned by 2025 that the lifetime licence price had risen to $10,000.
AI has transformed the production of malware and the conduct of phishing attacks. Generative AI allows criminals to write or tailor malware without advanced coding skills. AI also produces convincing, well-written phishing messages in languages that are not the attacker's own. Crime syndicates, including Chinese groups operating out of South-East Asia, use AI to translate scripts for romance scams, fake job offers and fraudulent investments, allowing them to target victims around the world.
Hackers can "jailbreak" existing models like ChatGPT to produce functioning malware, or use purpose-built tools such as XanthoroxAI, which lets cyber-criminals create deepfakes and launch attacks for as little as $150 a month. Targeted "spearphishing" attacks now often involve fake voice and video calls from colleagues to convince employees to download and run malicious software. In July 2025 attacks on Ukraine's security and defence systems used malware that, when it reached a dead end, called on a cloud-based large language model to generate new code to break through—the first known attack of its kind.
Last year AI was involved in one in six data breaches, according to IBM, and drove two in five phishing scams targeting business emails. Deloitte reckons that generative AI could enable fraud to the tune of $40bn by 2027, up from $12bn in 2023.
Gartner, a research firm, predicts that corporate spending on cyber-security will rise by a quarter from 2024 to 2026, hitting $240bn. Palo Alto Networks, one of the world's largest cyber-security businesses, reported in mid-2025 that its operating profits had grown by 82% year on year, and announced plans to buy CyberArk, an identity-security firm, for $25bn. SentinelOne announced the acquisition of Prompt Security for $250m. In March 2025 Alphabet spent $32bn on Wiz, a cyber-security startup.
Law-enforcement agencies have struggled to keep pace. When cybercrime operates through countless providers, shutting down one node barely dents the system. Britain has proposed outlawing payment of ransoms by public-sector bodies and operators of critical infrastructure, hoping to make them less attractive as targets.
I used to think I was indecisive, but now I'm not so sure.