What 2025 data tells us about cybercrime cost, ransomware, AI-driven attacks, and country risk in 2026.
In February 2025, a UK engineering firm named Arup paid roughly $25 million after an employee joined a video call with what they believed was their CFO and several senior finance team members. Every face on the call was a deepfake. By the time the fraud was caught, the money had moved through multiple offshore accounts and was gone.
That incident, more than any single statistic, captured what changed in cybercrime last year. The tools got cheaper. The attacks got harder to detect. And the economics of defense stopped matching the economics of attack.
The broader story of 2025 was not what most people expected. Ransomware payments fell. Attack volumes hit record highs at the same time. And the median ransom jumped nearly fourfold, landing at a level that surprised even the analysts tracking the space.
If you’re a business leader trying to make sense of the 2026 threat landscape, the numbers that matter aren’t the headline breach counts. They’re the shifts underneath, the ones that tell you where attacker economics are actually heading and what you should be preparing for over the next 18 months.
Proxyrack’s Global Cybercrime Report 2026 pulled data from Verizon DBIR, IBM’s threat research, Chainalysis, the FBI’s IC3 unit, and a handful of primary sources to map out where things stand. The full report runs long. For readers who want the short version, here are the six shifts that matter most, and what to actually do about them.
1. Cybercrime is projected to cost $11.88 trillion in 2026
The number itself is almost too big to internalize. But the trajectory is what should worry you.
Proxyrack’s cost model, built off the Cybersecurity Ventures historical baseline and a 13% CAGR grounded in current DBIR, IBM, and Chainalysis inputs, projects $11.88 trillion in global cybercrime cost for 2026 and $19.71 trillion by 2030. That covers direct financial loss, recovery expenses, regulatory penalties, productivity impact, and forced operational downtime. It excludes brand damage and long-term customer trust erosion, which are real but harder to quantify with current methodologies.

Figure 1. Global cybercrime cost forecast. Source: Proxyrack Global Cybercrime Report 2026.
For context, if global cybercrime were a country, its “GDP” would already sit third behind the United States and China. And it’s growing faster than any legitimate economy on the planet.
Here’s the practical implication. Cybersecurity is no longer an IT line item. It’s a P&L conversation. If your board still treats cyber budget as a cost center rather than a risk-adjusted investment category, you’re operating on 2019 assumptions in a 2026 threat landscape. The organizations that will spend proportionally less on incident recovery over the next three years are the ones treating this as capital allocation, not vendor negotiation.
2. Ransomware got smaller in payments and bigger in impact
This is the shift that surprised the most people in the security community.
Chainalysis data shows ransomware payments in 2025 fell to an estimated $820 million, down roughly 8% from the prior year. At the same time, attack volumes hit record highs, and the median payment per successful extortion jumped 368%.
Read that again. Fewer companies paid. The ones that did paid dramatically more.

Figure 2. Ransom payments fell while attack volumes climbed. Source: Chainalysis, Proxyrack Global Cybercrime Report 2026.
What actually happened is the industry restructured. Law enforcement takedowns of major operators like LockBit and BlackCat pushed the ecosystem to reorganize, rebrand, or fragment. Around 70 active ransomware groups were tracked in Q1 2026 alone. The top 10 accounted for roughly 73% of payment volume, meaning consolidation is accelerating even as the total group count grew.
Your defense posture should reflect this. The old model of “assume you’ll get hit, negotiate a manageable payment” no longer works when the average settlement has quadrupled. Backups you’ve actually tested, recovery procedures that don’t live only in a Confluence page, and a legal team that has war-gamed a ransomware scenario are worth more than a bigger cyber insurance policy right now.
The vertical impact matters too. Healthcare saw more than 290 documented ransomware incidents against providers in 2025, including the DaVita and Change Healthcare cases that disrupted patient care and prescription workflows for weeks. The financial cost to those organizations wasn’t just the ransom. It was the operational shutdown, the regulatory scrutiny that followed, and the class-action exposure that continues to work its way through the courts. For any organization with regulated data or safety-critical operations, the multi-quarter tail on a ransomware incident is now the primary financial risk, not the initial payment demand.
3. AI has collapsed the skill floor for attackers
The theoretical concern of “what happens when generative AI hits cybercrime” is no longer theoretical. It hit in 2025.
The clearest signal was the FunkSec case. This is a ransomware group whose developers openly stated they weren’t experienced coders and had used AI tools to produce working malware. Their reported victim count reached 113 in a single year. IBM’s 2025 threat data found that roughly 16% of breaches studied involved some AI assistance, whether in reconnaissance, payload generation, social engineering, or all three together.
Two things follow from this. First, the attacker pipeline no longer requires the same technical skill it once did. Anyone with a decent prompt library and access to a jailbroken model can produce a working phishing kit or a passable custom ransomware variant. Second, the volume of low-to-medium sophistication attacks is going to keep rising, which means SOC teams built for a lower baseline of attempted intrusions are going to feel it.
The full data on AI-assisted cybercrime, including the FunkSec case study and IBM’s breakdown, is available in the Proxyrack Global Cybercrime Report PDF.
The defensive move here is boring but necessary. Basic hygiene at scale. Automated patching. MFA enforcement without exceptions. Email filtering that assumes the phishing lure was written by a fluent-sounding LLM, because increasingly it was.
4. The global cybercrime map got redrawn
Country-level risk rankings shifted meaningfully in 2026, and not in the direction most Western analysts assumed.
Proxyrack’s Cybercrime Risk Model combines five indices into a single normalized score: the National Cyber Security Index, the Basel AML index refreshed for 2025, the Cybersecurity Exposure Index, the ITU Global Cybersecurity Index, and the Digital Development Level. Myanmar topped the 2026 list with a score of 8.43. Haiti and the Democratic Republic of Congo followed at 8.12 and 7.94 respectively. Finland ranked safest at 1.29.

Figure 3. Global cybercrime risk rankings for 2026, top 5 and bottom 5. Source: Proxyrack Global Cybercrime Report 2026.
Two things worth flagging on this map. First, the concentration of the highest-risk countries in South and Southeast Asia isn’t just about cybercrime origination. It reflects breakdowns in AML enforcement, weak digital regulatory capacity, and in some cases active state tolerance of cyber-enabled fraud economies. Second, several countries that appear “safe” by traditional metrics have quietly slipped in the rankings because their AML frameworks aren’t keeping pace with the sophistication of laundering routes.
If you operate internationally or run vendor relationships across borders, the implication is that country risk isn’t a one-time due diligence check. It’s a rolling assessment, and your vendor screening should reflect the 2026 rankings, not the ones you baked into policy in 2019.
5. Third-party breaches doubled to 30% of all breaches
This is the number that reset how mature security teams think about supply chain risk.
The Verizon DBIR reported that third-party involvement in breaches doubled from 15% in 2024 to 30% in 2025. Third-party doesn’t just mean your SaaS vendors. It covers everyone in your supply chain with any degree of system access. Managed service providers, software vendors, hardware supply chains, contract developers, and increasingly, the AI providers you’ve plugged into your production workflow.

Figure 4. Third-party involvement in data breaches doubled in a single year. Source: Verizon DBIR.
Manufacturing absorbed the sharpest hit. The sector saw a 61% year-over-year surge in ransomware activity, with Akira, Qilin, and Play dominating the named victim lists. The pattern was consistent. Attackers compromised a supplier’s environment, then used that trusted connection to move laterally into the primary target’s operational systems. The compromise wasn’t at the target. It was at the door held open by a partner.
For OT and ICS environments specifically, the risk profile shifted from “IT breach with operational side effects” to “operational breach that starts in IT.” Jaguar Land Rover’s 2025 incident is a useful reference point. What started as a compromise in a supporting system escalated into a production halt across multiple factory lines, with an estimated operational impact running into hundreds of millions before recovery was complete. Similar patterns played out at Marks and Spencer during the same period. The lesson isn’t that manufacturing is uniquely vulnerable. It’s that manufacturing consequences show up on the balance sheet faster than most other verticals when a defense fails.
What actually works against this is unglamorous. Vendor risk assessments with real teeth. Segmented network access so a compromised supplier can’t reach your production systems. Contract language that requires breach notification within hours, not days. And a genuine understanding of which vendors have privileged access to your environment, which almost no organization currently maintains with accuracy.
6. Defense investment is climbing, but not where you’d expect
The last shift is about where security money is actually going in 2026, and it’s not where the CISO conference talks suggest.
Roughly a fifth of enterprise security budgets are now going to identity and access management, up meaningfully from prior years. Cloud workload protection is the second-largest spend category. Endpoint detection and response holds third place. What’s underfunded across the board is application security and third-party risk management, which is somewhat ironic given the pattern outlined in the previous section.
SMBs are especially exposed here. Sophos data cited in the Proxyrack report found that 88% of small and mid-sized businesses do not have a dedicated security function, meaning IT teams are running defense while also keeping the lights on. That’s not a security posture. That’s a hope.
If you own a security budget, the honest question to ask is whether your spend allocation actually reflects the 2026 threat map or the 2020 one. Most organizations haven’t updated the underlying assumptions since Colonial Pipeline, and the gap between “what we’re defending” and “what’s actually attacking us” keeps widening every quarter.
The regulatory environment is also shifting in ways that force the conversation. The EU’s NIS2 Directive is now in full enforcement across member states. The US Cyber Trust Mark rolled out for consumer IoT in 2025. CISA’s shift to more prescriptive guidance on critical infrastructure has changed how sector-specific mandates land. For any organization with cross-border operations, the compliance overhead alone is now a meaningful line item. But the underlying signal is more important than the mechanics. Regulators have concluded that voluntary cyber standards produced insufficient results, and they’re pushing organizations toward postures that reflect the current threat environment. The board conversation is no longer about whether to invest in cybersecurity. It’s about whether the current investment matches the current risk, and whether leadership can prove it during the next audit or incident.
What to take from all of this
The convenient story about cybercrime in 2026 is that everything is getting worse and there’s nothing meaningful to do about it. That’s not accurate. What’s actually happening is that attacker economics have shifted while defender assumptions haven’t kept up in most cases. The organizations that close that gap fastest will spend proportionally less on incident recovery over the next three years than the ones still operating on outdated threat models.
None of the six shifts above require a security transformation program. They require an honest look at whether your current posture matches the current threat landscape.
Proxyrack’s Global Cybercrime Report 2026 is the most concise source for the underlying data, methodology, and country-level detail. It’s worth reading if you’re planning your 2026 security roadmap or if you’re the one who has to explain the current risk picture to a board that hasn’t been in a real cyber briefing since 2023.
The next 18 months will separate the companies that took the 2025 shifts seriously from the ones still operating on assumptions that stopped being true two years ago. The data is public. What matters now is whether you use it.






