In 2025, KrakenLabs tracked a series of shifts that reshaped how cyber threats materialized across organizations. Drawing on research conducted throughout the year, this article highlights the most consequential developments observed by KrakenLabs in 2025, where attacker success depended less on new tools or novel exploits and more on the large-scale exploitation of people, identity, and trusted access.

Based on analysis carried out across 2025, KrakenLabs observed how geopolitical conflict, organized cybercrime, and emerging technologies converged to accelerate and professionalize the underground ecosystem, changing how threat actors operate, collaborate, and monetize access.

What emerged was a faster and more industrialized threat landscape. Crimeware-as-a-service (CaaS) matured into a stable commercial model, artificial intelligence (AI) became embedded in everyday criminal workflows, and traditional carding fraud continued to decline under regulatory pressure, improved detection, and sustained law enforcement disruption.

At the same time, threat actors increasingly monetized initial access to corporate networks, abused trusted third-party platforms, and blended ideological narratives with ransomware and extortion-driven business models. These patterns defined threat activity in 2025 and continue to inform the risk landscape moving into 2026.

Key cyber threat trends in 2025 included:

• Rising geopolitical tensions directly influencing cyber threat activity.

• Increased professionalization of the underground cybercrime ecosystem.

• CaaS reaching industrial scale.

• AI becoming embedded in everyday criminal workflows.

• Decline of traditional carding fraud under regulatory and law enforcement pressure.

• Greater focus on monetizing initial access to corporate networks.

• Increased identity abuse and trust exploitation through third-party security weaknesses, particularly in software-as-a-service (SaaS) environments.

• Growing convergence of ideological motives with ransomware and extortion-driven business models.

To help organizations better prioritize security investments and controls in 2026, the sections that follow examine these trends in greater detail, including the operational use of AI, the expansion of Pay-Per-Install (PPI) distribution models, and the growing role of Initial Access Brokers (IABs) in monetizing access to corporate networks.

AI becomes embedded in cybercrime operations

In 2025, AI stopped being an experiment for cybercriminals and became part of their standard operating model. KrakenLabs’ research into EncryptHub, an individual cybercriminal tracked by the team, revealed systematic use of ChatGPT as an operational assistant. EncryptHub relied on large language models to write malicious code, including clippers and cookie stealers, configure command-and-control servers, build phishing infrastructure, and automate Telegram bots. This streamlined multiple stages of the attack lifecycle, from development through deployment and ongoing management.

However, AI has not yet replaced human expertise, instead it has operations and expanded scale. Tasks that previously required specialist knowledge or collaboration can now be executed by a single operator, lowering the barrier to entry and increasing operational tempo across cybercriminal activity.

Now, thanks to AI, an individual can deliver what would have taken a small team of attackers. By reducing development time and reliance on specialist skills, AI enables faster iteration and broader participation, increasing both the volume and pace of attacks. For defenders, this translates into less time to detect, investigate, and respond.

EncryptHub asking ChatGPT AI to write code of clipper malware.

The industrialization of CaaS

Olymp Loader illustrates how CaaS transitioned from ad hoc tooling into a stable commercial offering in 2025. Marketed as a loader and crypter written entirely in assembly language, Olymp Loader was designed to evade machine learning and heuristic-based detection and was positioned as fully undetectable.

Its significance lies in how those capabilities were delivered. Rather than bespoke tooling tied to individual operators, Olymp Loader was packaged as a maintained product, complete with feature updates, pricing tiers, customer support channels, and an evolving roadmap. Capabilities such as deep XOR encryption, automated Windows Defender exclusions, aggressive UAC-Flood privilege escalation, and signed binaries were made available through a service model rather than developed in-house by each customer.

This productization changed how malware capabilities circulated within the ecosystem. Advanced loaders, crypters, and stealer modules became standardized components reused across multiple campaigns, reducing differentiation between operators while increasing consistency in tooling observed in the wild. As a result, the threat landscape became less dependent on individual developer skill and more shaped by shared service platforms, with repeated use of the same tools across different intrusion sets rather than unique, custom-built malware.

PPI formalized malware distribution

KrakenLabs investigated LabInstalls as a dedicated distribution service operating on a PPI model, offering customers bulk delivery of malicious executables and PowerShell scripts in exchange for a fee. Rather than developing or managing distribution infrastructure themselves, customers outsourced this stage of the attack chain to a third-party service.

LabInstalls functioned as a broker, decoupling malware development from delivery. The service handled installation logistics through automated workflows, allowing customers to purchase installs without direct interaction with victims or control over delivery mechanisms. EncryptHub was confirmed as a client, alongside other threat actors, demonstrating how widely these services are used across the ecosystem.

The significance of PPI lies in its role specialization. By externalizing distribution, threat actors could focus on payload development, access monetization, or post-compromise activity, while installation services absorbed operational risk and exposure. This separation of responsibilities mirrors legitimate software distribution models and contributes to a more modular cybercrime ecosystem.

KrakenLabs tweet highlighting the LabInstalls PPI service.

The quiet collapse of traditional carding

Traditional credit card fraud entered a clear downtrend in 2025. KrakenLabs analysis confirmed that stricter regulatory controls such as PCI DSS, widespread AI-driven fraud detection, and sustained law enforcement pressure destabilized the ecosystem. High-profile disruptions, including the BidenCash seizure and the arrest of a prominent XSS forum figure, further destabilized underground markets.

As confidence in carding declined, sophisticated financially motivated actors shifted toward alternative fraud models, including synthetic identity fraud, account takeovers, and cryptocurrency-based scams. Carding no longer offered the reliability or scalability required for sustained criminal revenue.

This shift is significant because it redirects financial crime toward areas that rely more heavily on identity abuse and access rather than stolen payment data, altering where defenders should focus monitoring and mitigation efforts.

Underground forum user ‘albanec’ discusses the growing challenges of carding.

IABs monetize vulnerable edge devices

As traditional fraud models declined, access itself emerged as one of the most valuable commodities in the cybercriminal economy. IABs increasingly leveraged vulnerable edge devices to obtain and sell corporate network access. A clear example is Belsen Group, which capitalized on large-scale compromise of Fortinet FortiGate devices to establish itself as a broker of high-value access. In early 2025, the group transitioned from publishing exposed data to monetizing network access directly, advertising corporate access for thousands of dollars.

KrakenLabs observed Belsen Group selling access derived from more than 15,000 compromised FortiGate devices, including high-profile targets such as major financial institutions and aviation organizations. Advertised prices reached $15,000 per access, reflecting the value placed on ready-made entry points into enterprise environments.

The significance of this activity lies in how edge infrastructure vulnerabilities are converted into downstream attack opportunities. By selling access rather than executing follow-on attacks themselves, IABs shifted risk and responsibility to buyers, while enabling ransomware groups, data extortion actors, and other operators to bypass the most difficult stage of intrusion.

Belsen Group access listings hosted on a dark web marketplace.

Trust became the primary attack surface

Some of the most damaging incidents observed in 2025 did not depend on novel exploits or complex malware chains. Instead, they succeeded by exploiting trust relationships and weaknesses in identity controls.

The Scattered LAPSUS$ Hunters campaign targeting Salesforce-hosted data at Qantas and Vietnam Airlines demonstrated how social engineering and identity manipulation could bypass technical safeguards entirely. By abusing customer-side weaknesses, attackers gained access to cloud-hosted data and exfiltrated large volumes of highly actionable personal information.

Data leak site hosting Salesforce victims’ data for download.

These incidents reinforced a critical reality for organizations. Responsibility for protecting data does not transfer to the platform hosting it. As SaaS environments expand the effective attack surface, identity and trust relationships increasingly determine whether security controls hold or fail.

The rise of geopolitical cyber warfare and faketivism

In 2025, the boundary between geopolitical conflict and cybercrime became increasingly blurred. Cyber operations evolved into a routine instrument of state-level confrontation, used to inflict economic, reputational, and psychological damage alongside conventional military and diplomatic actions.

Following Israel’s June 2025 strikes on Iranian military and nuclear targets, a coordinated surge of cyber activity emerged. More than 80 largely pro-Iranian and pro-Palestinian hacktivist groups launched campaigns against Israel and its allies. Groups such as Keymous+, Inteid, Anonymous Kashmir, and Mr Hamza Cyber Force publicly announced alliances, shared resources, and coordinated activity through platforms including Telegram, reflecting a higher degree of organization than seen in earlier hacktivist waves.

At the same time, faketivism became more pronounced. Groups operating under hacktivist branding increasingly exhibited behaviors aligned with state objectives. Actors such as CyberAv3ngers, Handala, and Gonjeshke Darande demonstrated capabilities, targeting discipline, and operational intent that extended beyond ideological disruption.

The attack on Nobitex illustrated this shift. Attributed to Gonjeshke Darande, the operation resulted in the destruction of approximately US$90 million in cryptocurrency by transferring funds to invalid wallets. The objective was not financial gain, but symbolic impact, positioning cryptocurrency infrastructure as a psychological and political battlefield rather than a purely economic target.

KrakenLabs tweet reporting on Iran-aligned threat actor Handala targeting Israeli organizations.

The convergence of crime and ideology

Hacktivist groups traditionally focused on disruption increasingly adopted revenue-driven cybercriminal models in 2025. This shift was illustrated by the pro-Palestinian actor zerodayx1, which launched the BQTLock Ransomware-as-a-Service offering, explicitly combining ideological messaging with subscription-based extortion.

BQTLock subscription tiers.

A similar convergence was observed in the activity of Lionishackers, a financially motivated actor focused on corporate database exfiltration and resale, primarily targeting organizations in Asian markets through techniques such as SQL injection.

Lionishackers was identified as an administrator of the Hunt3r Kill3rs Telegram channel and collaborated on distributed denial-of-service campaigns, reinforcing how ideological alignment and profit-seeking activity increasingly coexist within the same operations.

Black Basta’s leaked chats exposed the human layer

Behind the service models, alliances, and monetization strategies observed in 2025 are people, internal dynamics, and operational weaknesses. In February 2025, a leak of 196,000 internal Matrix chat logs belonging to the ransomware group Black Basta exposed how the group operated behind the scenes. The logs revealed a core team of five to ten members led by “Tramp” (TA577), with “Bio” acting as a long-time deputy focused on cryptocurrency laundering until being sidelined following a law enforcement encounter. Another member, “Lapa,” coordinated attacks despite persistent internal conflicts, while additional operators were linked to Qakbot activity.

The chats also provided insight into day-to-day operations. Black Basta’s negotiator, “tinker,” relied on a detailed fake IT support call script to pressure victims into installing Remote Monitoring and Management software. Discussions showed the group’s willingness to spend heavily on infrastructure, including virtual private network services and Ivanti zero-day exploits, underscoring both their financial resources and operational intent.

The leak demonstrated that even well-organized ransomware groups are constrained by human factors. Internal friction, reliance on a small number of individuals, and lapses in discipline created exposure that no tooling or infrastructure investment could fully mitigate.

What 2025 taught us

Research conducted throughout 2025 highlights several lessons that reinforce the need for proactive, intelligence-led security:

• Basic security failures remain decisive: The EncryptHub research reinforced that fundamental controls still determine outcomes. Weak password practices, missing multi-factor authentication, exposed services and misconfigurations, and poor access hygiene create the conditions attackers rely on. Technical sophistication is often unnecessary when basic security fundamentals are not consistently enforced.

• Cryptocurrency infrastructure is now a strategic target: The Nobitex attack showed that cryptocurrency platforms are increasingly targeted for symbolic and psychological impact, not just financial theft. Organizations operating or relying on crypto infrastructure must account for geopolitical risk as well as criminal abuse.

• Third-party risk is an organizational responsibility: The Salesforce-related breaches confirmed that accountability for data does not transfer to software-as-a-service providers. Identity abuse, social engineering, and customer-side weaknesses remain common entry points, making third-party risk management a core security requirement.

• Threat actor motivation can no longer be assumed: The blending of ideological messaging with extortion and service-based crime models makes intent unreliable as a signal of risk. Defenders must prioritize observed behavior, capability, and access overstated ideology when assessing threats.

The threat activity observed in 2025 reflects an ecosystem that rewards reuse, access, and scale. Proactive defense depends on understanding how these dynamics reduce the effort required to compromise organizations.

Talk to Outpost24

If you want to understand how these trends apply to your organization or discuss how threat intelligence can support a more proactive security strategy, contact Outpost24 to explore how intelligence-led insight can inform your defensive priorities.