Europol IOCTA 2026 report flags shift to industrialised cybercrime powered by AI, ransomware and data theft

Europol has published its annual Internet Organised Crime Threat Assessment (IOCTA), outlining how the cybercrime landscape has evolved over the past 12 months, with a focus on emerging threats and shifting criminal tactics. Ransomware remains a dominant threat across the EU, with more than 120 active ransomware brands observed by Europol in 2025. Criminal actors continue to exploit vulnerabilities in the digital supply chain and employ increasingly sophisticated social engineering techniques. The extortion model is shifting away from data encryption toward pure data theft, with attackers increasingly relying on the threat of exposure to force payment.

“The accelerating pace of cybercrime presents progressively sophisticated threats to society, with harmful implications both online and offline,” Catherine De Bolle, executive director of Europol, wrote in the report. “Cybercriminals are rapidly exploiting advanced technologies, particularly AI tools, to enhance the speed, efficiency, and scope of their illicit activities. These tools not only enable automation in criminal processes but also blur the lines between legitimate and malicious uses of technology.”

De Bolle noted that the resilience and adaptability of dark web marketplaces and forums, coupled with the use of cryptocurrencies, further complicate policing efforts in the digital domain. “The current online fraud epidemic, the threat posed by ransomware intertwining with hybrid threats, and the monetisation of child sexual abuse material underscore the urgent need for more proactive and collaborative efforts.”

The IOCTA 2026 report added that while financial gain remains the primary driver of cyberattacks, the relationship between hybrid threat actors and cybercriminals is blurring. Hybrid threat actors are increasingly using cybercriminal networks as proxies for disruptive operations, including DDoS attacks, intrusions, and ransomware attacks. In the growing crime-as-a-service (CaaS) economy, hybrid threat actors are simply another customer, further complicating efforts to counter these multifaceted threats.

The report recognizes that the ransomware landscape continues to evolve with the expansion of ransomware-as-a-service (RaaS), as criminal actors adapt their platforms and launch new services to attract affiliates. There is also a continuous proliferation of extortion tactics that criminals use to apply psychological pressure on victims, including data exfiltration, DDoS attacks, and cold-calling.

The IOCTA 2026 report notes that modern enterprises are generally better prepared to deal with the impact of data being lost (encrypted or erased) than of data being published. Simultaneous DDoS attacks, spamming of corporate email addresses and psychological pressure via cold-calling are common in the extortion toolkit of ransomware actors, and are sometimes offered as a service.

This comes as public RaaS affiliate programs have lowered the barrier to entry, allowing almost anyone to launch attacks using bundled, ready-made toolkits. These platforms go well beyond basic malware, offering integrated capabilities such as botnets for payload delivery, persistence and victim monitoring tools, data exfiltration infrastructure, machine learning support, and even services for ransom negotiation and leak-site hosting. In return, operators take a cut of each successful ransom payment.

Since maintaining exfiltration systems and leak sites is resource-intensive, many cybercriminals rely on RaaS providers, which are incentivized to deliver streamlined, all-in-one offerings that attract affiliates and build a stable, recognizable brand within the underground economy.

The IOCTA 2026 report highlights a reshaped ransomware landscape in 2025, led by increasingly professionalized groups with overlapping ties and evolving tactics. Qilin has emerged as a dominant player, offering a full-featured affiliate toolkit, integrating DDoS capabilities for added pressure, and reportedly working to automate exploitation of Fortinet SSL VPN vulnerabilities; it is believed to have links to the defunct Conti ransomware group and offers high affiliate payouts of up to 85%. The Akira ransomware group, also tied to Conti, remains highly active, expanding attacks to virtualized environments by exploiting SonicWall VPN vulnerabilities.

Meanwhile, the LockBit ransomware group has struggled to regain its footing after its 2024 takedown and subsequent data breach, despite launching a more advanced cross-platform version with enhanced anti-forensics. The DragonForce ransomware group stands out for its modular, service-driven model, using leaked Conti and LockBit codebases and offering tailored extortion services, including data analysis and pressure tactics for high-value targets. Notably, a new alliance between DragonForce, LockBit, and Qilin surfaced in late 2025, signaling deeper collaboration in the ransomware ecosystem.

Ransomware operations are increasingly segmented into semi-closed and closed groups, reflecting a shift toward tighter control and specialization. Semi-closed groups selectively recruit skilled and trusted affiliates rather than operating open programs. For example, the Fog ransomware group uses a modular approach that lets attackers tailor encryption scope and ransom messaging, supported by dedicated leak sites and negotiation portals. The BlackBasta ransomware group, with roots in the defunct Conti ransomware group, relied on spear-phishing and known vulnerabilities, but suffered a major internal leak in 2025, exposing operational data and likely forcing members to rebrand.

Closed groups, by contrast, operate with minimal reliance on cybercrime-as-a-service ecosystems, developing their own malware, infrastructure, and sometimes exploits, while maintaining strict internal trust and operational security. This makes them harder to track and disrupt. The Cl0p ransomware group exemplifies this model, resurfacing in 2025 with its hallmark use of zero-day vulnerabilities. Meanwhile, the Play ransomware group remains active, continuing to target critical infrastructure and deploy double extortion tactics, including assurances of confidentiality to pressure victims into paying.

The IOCTA report flags the emergence of the Scattered LAPSUS$ Hunters (SLSH) alliance in August 2025, bringing together Scattered Spider, ShinyHunters, and LAPSUS$. These largely English-speaking groups have a track record spanning SIM swapping, social engineering, insider recruitment, large-scale data theft, and extortion targeting major corporations and the healthcare and transport sectors. Their consolidation signals a more coordinated and potentially more aggressive phase of operations.

The threat is amplified by their past capabilities and evolving tactics, including persistent harassment and coercion that can continue even after ransom payments are made. Some members are also reportedly linked to encrypted channels associated with The Com network, which has ties to real-world violence, child sexual exploitation, and extremist activity. The overlap underscores how fluidly cybercrime ecosystems are intersecting with broader criminal networks, raising the stakes beyond financial extortion alone.

The IOCTA 2026 report also said that infostealers persisted as a key enabler for the entire spectrum of cyberattacks in 2025. Infostealers cater to a broad illicit market of cybercriminals, ranging from initial access brokers (IABs) and ransomware affiliates to fraudsters. “The success of LEAs’ actions against key enablers also relies on contributions from the private sector, providing technical support to the takedown, as well as infrastructure identification and mapping.”

The report observed that, sustained by the wide availability of modular stressor and booter service offerings, DDoS attacks remain a threat. They are often state-sponsored and driven by ideological motivation, but are also deployed as a means to extort victims or undermine competitors in the criminal ecosystem. Targets include governments, critical infrastructure and high-impact economic sectors. While effective mitigation measures are generally in place and the impact is often low, the relatively minimal effort needed to launch these kinds of attacks makes them an effective and sustainable strategy for continuous destabilization.

Looking ahead, the IOCTA 2026 report anticipates that the cybercrime landscape will continue to evolve rapidly, driven by increasingly sophisticated tools and methods. To effectively combat these threats, law enforcement authorities must invest in AI capabilities, improve cross-border cooperation, and advocate for stronger data retention and lawful access policies. As criminals exploit new technologies and create complex networks, law enforcement must adapt quickly to ensure the safety and security of the digital world. In the coming years, law enforcement’s ability to tackle cybercrime will depend on its capacity to bridge this ‘velocity gap’ by harnessing technology.

However, the rapid evolution of cybercrime will require more than just technological integration – it will require closer collaboration with the private sector. Law enforcement authorities must secure access to the vast data held by online service providers (OSPs) to identify and apprehend criminals and terrorists.