Credential Theft Escalates, Criminals Pivot to Stealthier Tactics

IBM released the 2025 X-Force Threat Intelligence Index, highlighting that cybercriminals continued to pivot to stealthier tactics. Lower-profile credential theft spiked, while ransomware attacks on enterprises declined.

IBM X-Force observed an 84% increase in emails delivering infostealers in 2024 compared to the prior year, a method that threat actors relied heavily on to scale identity attacks. Critical infrastructure organizations accounted for 70% of all attacks that IBM X-Force responded to last year, with more than one-quarter of these attacks caused by vulnerability exploitation.

More cybercriminals opted to steal data (18%) than encrypt it (11%) as advanced detection technologies and increased law enforcement efforts pressure cybercriminals to adopt faster exit paths. Nearly one in three incidents observed in 2024 resulted in credential theft, as attackers invest in multiple pathways to quickly access, exfiltrate, and monetize login information.

Reliance on legacy technology and slow patching cycles proves to be an enduring challenge for critical infrastructure organizations, as cybercriminals exploited vulnerabilities in more than one-quarter of incidents that IBM X-Force responded to in this sector last year. In reviewing the common vulnerabilities and exposures (CVEs) most mentioned on dark web forums, IBM X-Force found that four out of the top ten have been linked to sophisticated threat actor groups, including nation-state adversaries, escalating the risk of disruption, espionage, and financial extortion.

Exploit codes for these CVEs were openly traded on numerous forums, fueling a growing market for attacks against power grids, health networks, and industrial systems. This sharing of information between financially motivated and nation-state adversaries highlights the increasing need for dark web monitoring to help inform patch management strategies and detect potential threats before they are exploited. 

In 2024, IBM X-Force observed an uptick in phishing emails delivering infostealers, and early data for 2025 reveals an even greater increase of 180% compared to 2023. This upward trend, fueling follow-on account takeovers, may be attributed to attackers leveraging AI to create phishing emails at scale. Credential phishing and infostealers have made identity attacks cheap, scalable, and highly profitable for threat actors. Infostealers enable the quick exfiltration of data, reducing their time on target and leaving little forensic residue behind.

While ransomware made up the largest share of malware cases in 2024 at 28%, IBM X-Force observed a reduction in ransomware incidents overall compared to the prior year, with identity attacks surging to fill the void. International takedown efforts are pushing ransomware actors to restructure high-risk models towards more distributed, lower-risk operations.

While large-scale attacks on AI technologies didn't materialize in 2024, security researchers are racing to identify and fix vulnerabilities before cybercriminals exploit them. Issues like the remote code execution vulnerability will become more frequent. With adoption set to grow in 2025, so will the incentives for adversaries to develop specialized attack toolkits targeting AI, making it imperative that businesses secure the AI pipeline from the start, including the data, the model, the usage, and the infrastructure surrounding the models.