
3.2 Billion Credentials Compromised in 2024 as Cybercriminals Adopt More Infostealers

Threat actors compromised more than 3.2 billion credentials in 2024, a 33 percent increase over 2023, according to a new report from Flashpoint. The stolen data has flooded illicit marketplaces and is used to fuel further criminal campaigns, including ransomware attacks.

The report, Flashpoint 2025 Global Threat Intelligence Report: Stay Ahead of Emerging Threats, identified four critical trends shaping the digital threat landscape in 2025:

  • Compromised credentials spiked to 3.2 billion last year. In the first two months of 2025, more than 200 million credentials have already been stolen.
  • Infostealers are the primary threat vector here—75 percent of 2024’s stolen credentials were sourced from information-stealing malware. More than 23 million devices have been affected by infostealers.
  • Vulnerabilities grew last year by more than 12 percent. More than 39 percent of those vulnerabilities have publicly available exploit code, enabling threat actors to force their way into exposed systems.
  • Ransomware attacks increased by 10 percent in 2024, following an 84 percent increase in 2023. The five most prolific ransomware-as-a-service (RaaS) groups were responsible for more than 47 percent of 2024’s attacks.

To get further insights into the research, Security Management connected via email with Ian Gray, vice president of intelligence at Flashpoint. The conversation has been lightly edited for clarity.

Security Management (SM). Why are threat actors focusing on credentials rather than directly profitable data like credit card information? Does this reflect improved security around fraud detection or credit card security or a broader swing toward larger cybercrimes and frauds like ransomware attacks?

Ian Gray. [Previously,] threat actors capitalized on the gradual shift toward EMV chips in the United States, targeting merchants that continued to use magnetic stripe, which was more vulnerable to attacks. During this period of 2015 to 2019, multiple credit card shops like the now shuttered Joker’s Stash capitalized on this by targeting various merchants within the United States. Within the last couple of years, credit card information has been more difficult to monetize as merchants and consumers shift towards NFC payments (like Apple Pay, Samsung Pay, and Google Pay).

Several factors, including COVID and the shift towards card not present (CNP), as opposed to card present (CP), transactions, as well as improved security and fraud detection, shifted the focus of threat actors to monetize other types of data. While point-of-sale (PoS) terminals and online shopping carts could potentially still be compromised, infostealers allowed threat actors to monetize multiple forms of data, with credit card numbers being just one.

Though there are still credit card shops operating today, the scale has decreased. Flashpoint analysts assess with moderate confidence this is due to the shift of cybercriminals to infostealers, where credit card data along with usernames, passwords, cryptocurrency wallets, and several other types of data can be monetized.

It is difficult to compare credit card compromise from the 2010s with ransomware of the 2020s. Credit card compromise is more akin to infostealers in that either the individual or merchant will bear the burden of a compromise. Infostealers are often an initial access vector for ransomware attacks. While ransomware may have downstream impacts in terms of availability, the objective is to force victim companies to pay a ransom through extortion.

While infostealers (and credit card information to a lesser extent) are widely useful to threat actors, more prominent groups are seeking to target larger corporations in favor of larger payouts and notoriety.

SM. The report noted that the ongoing Ukraine-Russia conflict has created divisions between threat actor groups and has led to increased targeting of Russian entities. What has changed in the taboo around attacking Russian organizations and systems? How does this reflect the broader effect of geopolitics on cyber activity?

Gray. The Ukraine-Russia war was a watershed moment, not just in terms of hybrid warfare, but in changing the sentiment of the cybercrime underground. Prior to the conflict, many Ukrainian and Russian threat actor groups operated or collaborated in the same Dark Web communities. However, once the invasion began, many of these groups splintered, supporting either Ukrainian or Russian interests. With the conflict still underway, many Ukrainian or pro-Ukrainian groups have actively targeted Russian organizations and systems. Beyond Ukraine and Russia, we are seeing a clear trend where geopolitical events are converging with modern cyber warfare.

SM. The report advises organizations to adopt exploitability prioritization in cybersecurity defenses and patching. Can you explain what that looks like in practice and why it’s a more sustainable and effective approach?

Gray. Ultimately, organizations need to patch as many vulnerabilities as fast as possible. However, using a traditional severity-based prioritization model often results in wasted time and resources, when time and resources are at a premium. Most commonly, vulnerability management teams will research a “critical or high” severity issue only to find that there isn’t an actual fix for it yet, or that it is only exploitable in a difficult way unlikely to happen (such as having to compromise the system in-person).

But using an exploitability model, teams are able to identify the issues that can be exploited anywhere in the world, find the exploit code that enables them to do so, and then apply the solution to it to patch it. In the real world, that process could look like this:

  • Cyber threat intelligence (CTI) team uncovers threat actor chatter/real-time discussions involving specific common vulnerabilities and exposures (CVE) IDs or proof of concept code.

  • Vulnerability management (VM) team uses resources such as Flashpoint’s known exploited vulnerabilities (KEV) list, the base CISA KEV, etc. to identify zero-days or exploited-in-the-wild vulnerabilities.

  • The organization then determines if any of those vulnerabilities affect deployed systems.

  • If any of them do, using a comprehensive source of vulnerability intelligence, determine which ones are remotely exploitable and have solution code available.

  • Patch them and initiate feedback loops.

This approach saves time and resources by focusing on real-world threats rather than potential severity levels.
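The workflow Gray describes can be scripted against the organization's own data. The Python example below is added here by the editor and is not Flashpoint's or Gray's code: it walks the steps above over a constructed set of findings and contrasts a severity-only ordering with an exploitability-first queue. The KEV feed is a constructed stub that reuses the field names of CISA's public known_exploited_vulnerabilities.json (cveID, vendorProject, product, vulnerabilityName, dateAdded, knownRansomwareCampaignUse); every CVE ID in it is a placeholder, not a real vulnerability. The attack_vector field is the CVSS AV metric, and fix_available and the CTI chatter set are assumed inputs standing in for the vulnerability-intelligence and CTI sources the answer refers to.

```python
import json
from dataclasses import dataclass

# --- Constructed inputs (not real data) --------------------------------------
# KEV-style feed. Field names follow CISA's public known_exploited_vulnerabilities.json;
# the entries and CVE IDs are placeholders invented for this example.
KEV_FEED_JSON = json.dumps({
    "title": "constructed KEV-style feed",
    "count": 3,
    "vulnerabilities": [
        {"cveID": "CVE-0000-0002", "vendorProject": "ExampleVendor", "product": "Laptop Firmware",
         "vulnerabilityName": "placeholder", "dateAdded": "2025-01-15",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-0000-0004", "vendorProject": "ExampleVendor", "product": "Build Server",
         "vulnerabilityName": "placeholder", "dateAdded": "2025-02-03",
         "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-0000-0009", "vendorProject": "ExampleVendor", "product": "Not Deployed Here",
         "vulnerabilityName": "placeholder", "dateAdded": "2025-02-10",
         "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# Step 1 (assumed CTI output): CVE IDs seen in threat-actor chatter or with public PoC code.
CTI_CHATTER = {"CVE-0000-0003"}


@dataclass(frozen=True)
class Finding:
    """One vulnerability on one deployed asset, enriched with vulnerability intelligence."""
    cve: str
    asset: str
    cvss: float
    attack_vector: str    # CVSS AV metric: N network, A adjacent, L local, P physical
    fix_available: bool   # assumed intel field: vendor patch or solution code exists


# Constructed scanner output for deployed systems.
FINDINGS = [
    Finding("CVE-0000-0001", "vpn-gw-01", 9.8, "N", True),     # critical, no exploitation evidence
    Finding("CVE-0000-0002", "hr-laptop-17", 9.1, "P", True),  # in KEV, but needs physical access
    Finding("CVE-0000-0003", "web-app-02", 7.5, "N", False),   # PoC chatter, no vendor fix yet
    Finding("CVE-0000-0004", "build-srv-03", 6.5, "N", True),  # "medium" CVSS, exploited in the wild
]

REMOTE_VECTORS = {"N", "A"}
BUCKETS = ("patch_now", "patch_next", "mitigate_no_fix", "routine")


def load_kev_ids(feed_json):
    """Step 2: the set of exploited-in-the-wild CVE IDs from a KEV-style feed."""
    return {entry["cveID"] for entry in json.loads(feed_json)["vulnerabilities"]}


def exploited_and_deployed(findings, kev_ids, chatter):
    """Step 3: which exploited or discussed CVEs actually touch deployed systems."""
    return {f.cve for f in findings} & (kev_ids | chatter)


def severity_order(findings):
    """Traditional ordering: highest CVSS first, ignoring exploitability entirely."""
    return [f.cve for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]


def classify(finding, kev_ids, chatter):
    """Step 4: bucket by exploitation evidence, remote reachability and fix availability."""
    exploited = finding.cve in kev_ids or finding.cve in chatter
    if finding.attack_vector not in REMOTE_VECTORS:
        return "routine"            # e.g. physical access required; normal patch cycle
    if not finding.fix_available:
        return "mitigate_no_fix" if exploited else "routine"  # nothing to patch yet
    return "patch_now" if exploited else "patch_next"


def prioritize(findings, kev_ids, chatter):
    """Exploitability-first queue; CVSS only breaks ties inside a bucket."""
    queue = {bucket: [] for bucket in BUCKETS}
    for f in sorted(findings, key=lambda f: f.cvss, reverse=True):
        queue[classify(f, kev_ids, chatter)].append(f.cve)
    return queue


def exploitability_order(findings, kev_ids, chatter):
    """Flattened work order for the VM team; step 5 is patching down this list."""
    queue = prioritize(findings, kev_ids, chatter)
    return [cve for bucket in BUCKETS for cve in queue[bucket]]


if __name__ == "__main__":
    kev = load_kev_ids(KEV_FEED_JSON)
    print("deployed and exploited:", sorted(exploited_and_deployed(FINDINGS, kev, CTI_CHATTER)))
    print("severity-only order:   ", severity_order(FINDINGS))
    print("exploitability order:  ", exploitability_order(FINDINGS, kev, CTI_CHATTER))
```

On this constructed input the severity-only list puts the 9.8 VPN finding first and the 6.5 build-server finding last, while the exploitability queue moves the build-server finding to the front because it is in the KEV feed, reachable over the network and has a fix, and pushes the 9.1 laptop finding to the routine cycle because it needs physical access. Replacing the stub feed with the real CISA JSON and the constructed findings with scanner output is the only change needed to run it for real.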

SM. Ransomware continues to be extremely popular—Flashpoint identified 5,742 ransomware attacks in 2024. Why has this threat continued to grow so rapidly? How does the RaaS model make this a difficult tactic to defend against?

Gray. The continued growth of ransomware can be attributed to the RaaS model, where multiple parts of the operation are segmented and distributed among multiple workers. Among these skilled workers, RaaS employs affiliates, who are paid a commission of the ransom, incentivizing "big game hunting" of large corporations. While there have been multiple law enforcement operations targeting ransomware groups, the decentralized and distributed nature of the operations has allowed them to operate or rebrand as new groups.
