Fortinet report reveals surge in AI-enabled cybercrime

May 04, 2026 | 16:21
On May 4, Fortinet released the 2026 Global Threat Landscape Report from FortiGuard Labs, highlighting the rise of AI-enabled cybercrime, contributing to a 389 per cent increase in ransomware victims on-year.

Derived exclusively from FortiGuard Labs telemetry, the latest annual report is a snapshot of the active threat landscape and trends from 2025, including a comprehensive analysis across all tactics used in cyberattacks, as outlined in the MITRE ATT&CK framework. The data reveals that cybercrime no longer functions as a series of isolated campaigns–it operates as a system, with malicious hackers operating across an end-to-end life cycle and compressing the attack life cycle with shadow agents.

“Cybercrime is one of the world’s most pervasive and costly threats, and our latest Global Threat Landscape Report reveals how malicious actors are beginning to leverage agentic AI to execute more sophisticated attacks,” said Derek Manky, chief security strategist and global vice president of Threat Intelligence at Fortinet FortiGuard Labs.

“As cybercriminals increasingly use AI to bolster their tactics, cyber defenders must evolve cybersecurity operations into an industrialised defence and adopt AI-enabled tools that respond at the same velocity as modern threats.”

Modern cybercrime crosses borders and sectors, and even traditional definitions of crime itself. As attacks grow more sophisticated and interconnected, key findings from the latest FortiGuard Labs Global Threat Landscape Report highlight several critical trends.

Velocity defines risk as time-to-exploit (TTE) shrinks. As AI accelerates reconnaissance, weaponisation, and execution, FortiGuard Intelligence shows TTE as 24–48 hours for critical outbreaks, a sharp acceleration from earlier reports that revealed a TTE of 4.76 days. Real-world incidents reflect how minutes can define outcomes: active exploitation attempts were made within hours of the public disclosure of the React2Shell vulnerability.

Ransomware victims skyrocket. FortiRecon adversary intelligence identified 7,831 confirmed ransomware victims globally, up from approximately 1,600 identified victims. Availability of crime service kits like WormGPT, FraudGPT, and BruteForceAI contributed to this 389 per cent increase on-year. The top three targeted sectors are manufacturing (1,284), business services (824), and retail (682). Geographic concentration includes the US (3,381), Canada (374), and Germany (291).

Identity sprawl defines cloud exposure. FortiCNAPP intelligence confirms that throughout 2025, most confirmed cloud incidents originated from stolen, exposed, or misused credentials rather than from infrastructure exploitation. Sector analysis shows hospitals/physician clinics and retail establishments as the number one targets. Large identity populations, federated access models, and complex cloud integrations make these prime targets for malicious hackers.

The report projected that the most capable threat groups function as semi-autonomous enterprises, supported by shadow agents, access brokers, and botnet operators who provide services on demand.

One of the key findings is that shadow agents reduce operator skill requirements while increasing workflow speed. FortiRecon dark web signals captured AI-enabled offensive tooling advertised as services and products, including enhanced versions of WormGPT and FraudGPT, and novel services like HexStrike AI, an offensive AI tool with automated reconnaissance attack path generation; and BruteForceAI, a penetration testing tool that integrates large language models (LLMs) for intelligent form analysis and can execute sophisticated multi-threaded attacks.

With AI, criminals work smarter, not harder. FortiGate IPS telemetry recorded a 22 per cent decrease in brute force attempts on-year, pointing to efficiency gains: With optimised, intelligent brute force techniques, threat actors are making fewer attempts against better-selected targets, increasing success probability per credential tested. This activity translates into about 67.65 billion brute force events globally, with approximately 185 million attempts per day; 1.3 billion attempts per week; and 5.6 billion attempts per month. At the same time, intelligence revealed a 25.49 per cent increase in global exploitation attempts on-year.

Stolen datasets are more popular than leaked credentials. In the 2025 Global Threat Landscape Report, FortiGuard Labs observed a 500 per cent increase in logs available from systems compromised by infostealer malware. In 2026, FortiRecon intelligence found an additional 79 per cent increase and revealed a shift towards theft of more comprehensive data sets, enabled by agentic AI. Within dark web “database” activity, stealer logs dominated advertised and shared datasets (67.12 per cent), exceeding combolists (16.47 per cent) and leaked credentials (5.96 per cent). Stealer logs reduce attacker effort by bundling identity material with contextual artifacts, including browser-resident data, enabling immediate replay and faster conversion than brute force or password spraying.

Another finding is that credential-stealer malware persists. Credential-stealer malware remains a lucrative industry and primary upstream engine for exposure generation. FortiRecon telemetry shows stealer activity dominated by RedLine: 911,968 infections (50.80 per cent); Lumma: 499,784 (27.84 per cent); and Vidar: 236,778 (13.19 per cent).

Fortinet is committed to disrupting cybercrime by collecting and sharing threat intel and actively working to combat cyberthreats on a global scale.

A recent collaborative effort spearheaded by Interpol and supported by Fortinet through the World Economic Forum Cybercrime Atlas resulted in the takedown of a cybercriminal network. Operation Red Card 2.0 took down infrastructure and operators behind online scams, mobile money fraud, and fraudulent loan applications in Africa.

Fortinet is a founding member of the Cybercrime Atlas, a global public-private collaboration effort hosted by the World Economic Forum that uses open-source intelligence to map cybercriminal networks, identify infrastructure vulnerabilities, and support joint disruption operations with law enforcement, such as the recent Operation Red Card 2.0 and Operation Serengeti 2.0.

The 2026 Global Threat Landscape Report reveals that incentivising the disruption of cybercrime has never been more important. To empower defenders to stay ahead of cybercriminals, Fortinet and Crime Stoppers International launched the Cybercrime Bounty programme to provide a secure, anonymous channel for citizens and ethical hackers to submit information about cyberthreats.

By Thanh Van
