State of the Underground 2025: Key Trends Shaping Cyber Risk Today

Written by Dov Lerner
Staff Threat Researcher

We know that everyone loves a feel-good, optimistic story, and when we set out to write our annual State of the Underground report — an analysis of nearly 2 billion intelligence items that we collected in 2024, including posts from underground forums and markets, Telegram messages, and news articles — we hoped to find the cyber equivalent of a cup of hot chocolate.

Stop reading here if you don’t want to be disappointed: unfortunately, the data didn’t cooperate with our desires. Nevertheless, here’s a summary of what you need to know and what you can do to stay ahead of underground threats. For our full findings, check out the 2025 State of the Underground report.

Key takeaways

  • Ransomware attacks rose by almost 25% in 2024, and the number of ransomware group leak sites rose by 53%.
  • Data breaches posted on underground forums increased by 43%, with US organizations making up nearly 20% of total breaches.
  • 384 unique varieties of malware were sold in 2024, an increase from 349 in 2023.
  • Compromised credit cards for sale rose nearly 20% in the past year, due exclusively to a surge in US cards.
  • Despite everything happening, best practices remain remarkably consistent.

The underground cybercrime economy is evolving – fast

The rise in both ransomware attacks and ransomware groups indicates that sophistication is diffusing to additional entities, possibly as group members spin off from the band and establish solo careers. The data also pointed to the likelihood that ransomware groups are increasingly targeting mid-sized companies, which don’t always have the resources to invest in proper protection.

[Figure: Ransomware attacks over the past three years]

The number of data breaches shared on underground forums also rose significantly (+43%), as did endpoint logs for sale (+13%) and compromised credentials (+34%). Hacktivism was prevalent, hundreds of unique varieties of malware were sold on underground forums, and some of the worst vulnerabilities were found in information security products themselves.

When it comes to credit cards, if you live outside the US, you should be reassured that 3 million compromised cards were listed for sale on underground markets, which is 1.6 million fewer than in 2023. However, US cardholders are out of luck; 12.7 million US cards were listed, a rise of over 50% from 2023.

[Figure: Compromised cards per country]

Recommendations and next steps

If we need to assess where things are heading, we think that it’s in a bumpy direction. The proliferation of ransomware groups means that they are increasing faster than law enforcement can shut them down, and their focus on smaller organizations means that anyone may be a target. Meanwhile, the geopolitical climate — filled with fear, uncertainty, and doubt — creates a fertile breeding ground for cyberwarfare, cybercrime, and hacktivism.

Despite all of this, we remain positive. Things like MFA, usage of complex, unique passwords, and thinking twice before downloading suspicious email attachments might sound boring, but they still work. Keeping your patches up-to-date, your employees aware, and your data segmented can go a long way to reducing risk.

Furthermore, defenders nowadays have new tools and capabilities to classify data and understand risk: LLMs can do the heavy lifting for data classification at scales that were not possible before. We should know — we used that very technique to help produce this report. By leveraging Bitsight IQ, our embedded generative AI technology, to process tens of thousands of deep and dark web posts, we were able to produce a report that previously would have only been possible with a brigade of analysts working around the clock.

Ultimately, we hope that the 2025 State of the Underground report not only helps you understand what’s happening in the world, but also see what types of insights are possible with tools like Bitsight IQ and Bitsight Pulse. Thanks for reading, and let us know how we can help!


Ransomware attacks up 25%. Data breaches up 43%. Compromised credentials in the billions. Bitsight’s 2025 deep web intelligence shows how cybercriminals are multiplying, diversifying—and getting smarter. AI’s not just a tool for attackers anymore. Learn how defenders can finally catch up and get ahead.