The Underground Shift: Why Declining Breach Numbers Don't Tell the Whole Story
Bitsight’s annual State of the Underground report covers cyber threat trends, key players, attack vectors, and why they matter. The key theme of the 2026 edition is that cyber risk is changing shape: threat actors are pivoting as the landscape shifts, and the underground is adapting to the rapid changes brought on by AI.
The paradox: Declining numbers don't tell the whole story
Several numbers moved downward in 2025: breaches, endpoint logs (the credential dumps infostealers produce), compromised credentials, and credit card listings. Those declines should not be taken at face value. Reading them correctly requires understanding the current geopolitical climate and how it shapes the threat landscape. The drop reflects a shift in where activity is happening, toward hacktivism, AI-assisted operations, and nation-state campaigns, together with improved defenses, rather than less activity overall. There is a lot going on in the world right now, and threat actors are responding to it.
While financially motivated threat actors are still active, we also saw politically and ideologically motivated groups ramping up their activity. Ransomware threat actors are shifting toward large blast-radius attacks that create more disruption and more pressure, and so a higher likelihood of payment. Hacktivists and nation-state actors are focusing on critical infrastructure and key resources that align with their geopolitical, religious, or ideological aims.
3 threat actor categories reshaping the landscape
Ransomware, hacktivism, and state-sponsored activity increased in 2025, and each represents a distinct threat model with different motivations and tactics.
Ransomware groups are financially motivated actors whose goal is to exfiltrate and encrypt a victim’s data, then demand a ransom for the decryption key and, increasingly, for not publishing what was stolen. These groups are making a lot of money and have little incentive to stop.
Hacktivists are groups of threat actors who select and attack victims based on the group’s political, religious, or ideological views. They feel strongly about their position and are unlikely to stop because they believe their targeting is justified.
Nation-state groups, often tracked as advanced persistent threats (APTs), are operators sponsored and funded by a government or an affiliated entity. Charming Kitten, for example, is reportedly run on behalf of Iran’s Islamic Revolutionary Guard Corps (IRGC). These groups are persistent because targeting their adversaries is quite literally their job. Unlike ransomware crews, APTs do not advertise their victims or tooling on dark web forums, and governments rarely disclose either the operations they run or the intrusions into their own infrastructure. Both effects make breach counts derived from underground sources look lower than the real level of activity.
Geopolitical conflict accelerates cyber attacks
The increase in hacktivism and nation-state/APT activity ties back to the current geopolitical climate, including the Russia/Ukraine, Israel/Palestine, and Iran conflicts. Across all three categories, attackers showed continued interest in critical infrastructure and the systems that keep societies running: telecommunications, energy, transportation, government, technology, and utilities. The motives are few and consistent: crippling a perceived enemy, forcing a ransom payment, or proving a political point.
Why threat actors target critical infrastructure
Beyond the large blast-radius attacks favored by ransomware threat actors, ideologically and politically motivated actors are targeting the very things that allow a society to run smoothly. They know that taking down critical infrastructure can cause grave damage to a business or a nation. Imagine, from a day-to-day perspective in both business and everyday life, losing power, internet access, or water for a month. How much business would you lose? How much of your sanity would you lose?
Today’s society relies heavily on electricity, internet, and cell phone service, which makes us more connected than ever before and gives threat actors far more attack vectors than most of us care to think about. In one Telegram channel, threat actors claimed, without independent verification, to have infected 20,000 smart fridges and 30,000 cameras. In a separate study, Bitsight TRACE identified roughly 40,000 cameras exposed directly to the internet.
Ransomware's evolution: Higher-value targets and broken trust
Recently, Bitsight Threat Intelligence observed a decrease in the number of victims paying the ransom after an attack. This is due in part to new laws and regulations restricting ransom payments, notably the UK’s planned ban on payments by public-sector bodies and critical national infrastructure operators. In response, threat actors are going after higher-value targets, third-party vendors, and large blast-radius attacks, likely in an attempt to force a payment. Companies often lose more money to downtime than the ransom demand itself, and threat actors are betting on exactly that calculation to push a victim toward paying rather than absorbing the larger fallout.
In some cases, however, these tactics are backfiring. Anubis, a notorious ransomware threat actor, has reportedly used a wiper component that destroys data after exfiltration, making recovery virtually impossible even after the ransom is paid. That discourages victims from paying, since they may not get their data back at all.
Other ransomware groups, such as Vect, did attempt to restore data after a breach, but their decryption key failed to work and victims were ultimately unable to decrypt their files. Vect was thought to be the malware used in the TeamPCP LiteLLM breach, but TeamPCP put out a statement saying that Vect was not used in that attack, a statement likely intended to reassure future victims that paying TeamPCP does get their data back.
In light of these scenarios, some companies are more hesitant to pay for fear they will not recover their data, and others are taking a stance against ransomware by refusing to pay on principle.
How threat actors are weaponizing AI
Just like threat researchers and security professionals, threat actors are stepping back and studying AI: how it can help them, and how defenders intend to use it. In our research for the State of the Underground, we saw threat actors increasingly discussing AI, the various platforms, and how to jailbreak them. In the age of Mythos, that translates into faster exploit development and a shorter window between vulnerability disclosure and breach.
AI applications are frequently granted broad permissions and standing access to other systems, which makes them a serious security problem in their own right. If a threat actor compromises one AI system within an organization, how interconnected is that system? How much data can it, and therefore the attacker, reach? Treat AI systems as privileged identities: inventory their grants, scope them to the task, and map their reach. This matters not only for first-party systems but also for the third and fourth parties those systems connect to.
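The two questions above (how interconnected is the system, and how much can a compromised assistant reach) can be answered mechanically with a permission graph. The following Python is an added illustration, not code from Bitsight’s report or any product. It builds a constructed, hypothetical access graph for an AI assistant, computes the blast radius of a compromise by first-, third- and fourth-party ownership, and prunes the assistant’s grants down to what its job actually requires. All node names are invented for the example.

```python
from collections import deque

# Constructed, hypothetical access graph for one AI assistant deployment.
# Each key is a principal or resource; the value is the set of things it can
# reach directly with the credentials or connectors it holds. Names are
# illustrative and not taken from Bitsight's report.
ACCESS_GRAPH = {
    "ai-assistant": {"crm-connector", "ticketing-connector", "shared-drive"},
    "crm-connector": {"customer-db"},
    "ticketing-connector": {"ticket-db", "vendor-support-portal"},
    "shared-drive": {"finance-folder", "hr-folder"},
    "vendor-support-portal": {"vendor-analytics-saas"},
}

# Who owns each node; anything not listed is assumed to be first-party.
PARTY = {
    "vendor-support-portal": "third-party",
    "vendor-analytics-saas": "fourth-party",
}


def blast_radius(graph, principal):
    """Everything a compromised principal can reach, directly or transitively (BFS)."""
    seen = {principal}
    queue = deque([principal])
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(principal)  # the starting identity is not part of its own reach
    return seen


def group_by_party(resources):
    """Bucket reachable resources by first-, third- and fourth-party ownership."""
    buckets = {}
    for resource in resources:
        buckets.setdefault(PARTY.get(resource, "first-party"), []).append(resource)
    return {party: sorted(items) for party, items in buckets.items()}


def prune_grants(graph, principal, needed):
    """Split the principal's direct grants into those required to reach `needed`
    and those that only widen the blast radius. Returns (kept, excess)."""
    kept, excess = set(), set()
    for grant in graph.get(principal, ()):
        reachable = blast_radius(graph, grant) | {grant}
        (kept if reachable & needed else excess).add(grant)
    return kept, excess


def trimmed_graph(graph, principal, needed):
    """Return a copy of the graph with the principal's excess grants removed."""
    kept, _ = prune_grants(graph, principal, needed)
    new_graph = {node: set(edges) for node, edges in graph.items()}
    new_graph[principal] = kept
    return new_graph


if __name__ == "__main__":
    before = blast_radius(ACCESS_GRAPH, "ai-assistant")
    print("reachable if the assistant is compromised:", group_by_party(before))

    needed = {"ticket-db"}  # the assistant only needs to read and update tickets
    kept, excess = prune_grants(ACCESS_GRAPH, "ai-assistant", needed)
    print("grants to keep:", sorted(kept), "excess grants:", sorted(excess))

    after = blast_radius(trimmed_graph(ACCESS_GRAPH, "ai-assistant", needed), "ai-assistant")
    print("reachable after least privilege:", group_by_party(after))
```

With the full grant set, a compromised assistant reaches nine nodes, including a third-party portal and the fourth-party SaaS behind it. Restricting it to the one connector its job needs cuts that to four, yet the third- and fourth-party reach survives, because it comes from what the ticketing connector itself can touch, not from the assistant. That is the practical caveat: the review has to follow each connector downstream. In a real environment the graph would be populated from the identity provider, SaaS integration inventories and vendor data-flow records rather than typed in by hand.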
What this means for your organization
The threat landscape in 2025 did not get safer; it changed shape. For defenders, the takeaway is clear: sharpen prioritization, harden identity, monitor vendors, and maintain strong controls rather than relaxing them. All of these data points and the in-depth analysis behind them are in our 2026 State of the Underground report.