
Nearly half of cyberattacks in 2025 involved stolen data, IBM report

Cybercriminals are continuing to shift to more covert methods, and lower-profile credential thefts are on the rise. A new 2025 report by IBM shows that nearly half of all cyberattacks resulted in stolen data or credentials, and identity abuse was the preferred entry point.

There was an 84% increase in emails delivering infostealers in 2024 compared to the year before, a method threat actors relied heavily on to scale identity attacks. Seventy per cent of all attacks that IBM X-Force responded to last year involved critical infrastructure organisations, and over a quarter of these attacks were the result of vulnerability exploitation.

More cybercriminals opted to steal data (18%) than encrypt it (11%) as advanced detection technologies and increased law enforcement efforts pressure cybercriminals to adopt faster exit paths. Nearly one in three incidents in 2024 also resulted in credential theft.

Sophisticated Threats To Critical Infrastructure 
Reliance on legacy technology and slow patching cycles are a challenge for critical infrastructure organisations, with cybercriminals exploiting vulnerabilities in more than one-quarter of incidents observed by IBM X-Force.

Four out of the top ten common vulnerabilities and exposures (CVEs) were linked to sophisticated threat actor groups, escalating the risk of disruption, espionage and financial extortion. Exploit codes for these CVEs were openly traded on online forums, fuelling a growing market for attacks against power grids, health networks and industrial systems.

Automated Credential Theft Sparks Chain Reaction
In 2024, there was an uptick in phishing emails delivering infostealers, and 2025 data reveals an even greater increase of 180% compared to 2023. This may be attributed to attackers leveraging AI to create phishing emails at scale.

Threat actors now find identity attacks to be inexpensive, scalable, and profitable thanks to credential phishing and infostealers. Infostealers shorten their time on target and leave minimal forensic evidence in their wake. More than eight million ads were posted on the dark web by the top five infostealers in 2024 alone, and each advertisement may include hundreds of credentials, the report said.

Ransomware Actors Shift To Lower-Risk Models
While ransomware made up the largest share of malware cases in 2024 at 28%, the report observed a reduction in ransomware incidents overall compared to 2023, with identity attacks surging to fill the void.

Ransomware actors are restructuring high-risk models towards more distributed, lower-risk operations. For example, well-established malware families such as ITG23 (aka Wizard Spider, Trickbot Group) and ITG26 (QakBot, Pikabot) completely shut down operations or turned to new malware.

Asia, North America Most Attacked Regions
Collectively accounting for nearly 60% of all attacks that IBM X-Force responded to globally, Asia (34%) and North America (24%) experienced more cyberattacks than any other region in 2024.

Manufacturing Most Attacked
For the fourth consecutive year, manufacturing was the most attacked industry. The sector faced the highest number of ransomware cases last year, and the return on investment for encryption holds strong there due to its extremely low tolerance for downtime.

Linux And Windows Threats
The report also found that the most active ransomware families, such as Akira, Clop, Lockbit and RansomHub, are now supporting both Windows and Linux versions of their ransomware. NDTV Profit
