FY26 SOTU Report Background

research report

2025 State of the Underground

Stay ahead of underground threats.

The underground cybercrime economy is evolving—fast. Ransomware attacks surged by nearly 25% last year, data breaches increased by 43%, and the underground markets grew more sophisticated and resilient. Our 2025 State of the Underground report offers a deep dive into this shifting landscape, powered by cutting-edge, AI-driven analysis.

Download the report to get actionable insights to better protect your organization in an increasingly complex threat landscape.

Ransomware Word Cloud

Gain unparalleled visibility into key underground trends

    • We will use your information to communicate with you about this contact form and other solutions and related resources that may be of interest to you. You may unsubscribe at any time. For more information, please see our Privacy Policy.

  • required
    Read more
    I consent to sharing this information with BitSight Technologies, Inc. (“Bitsight”) for sales and marketing communications, as detailed in our Privacy Policy. I understand I may unsubscribe.

Bitsight IQ

Based on tens of thousands of dark web and deep web posts processed using Bitsight IQ, this year’s report brings you unparalleled visibility into key trends, including:

On the rise

New ransomware gangs and their focus on smaller organizations

2.9 billion

A record 2.9 billion unique credential leaks, up sharply from 2023​

Lumma and Risepro​

The leading malware trends, including the emergence of Lumma and Risepro​

AI and Politics

How AI is reshaping cyber defense strategies​ and shifts in hacktivism reflecting global geopolitical tensions

report reveals

Escalating and evolving dangers critical for security teams

Key trends demand immediate attention, with deeper insights available in our full report.

  • Ransomware attacks soared by nearly 25%, with attacker leak sites up 53%, signaling new adversary tactics
  • Data breaches discussed on underground forums rose 43%, disproportionately hitting U.S. organizations and specific service sectors
  • Endpoint compromises yielded 7.7 million logs, and 2.9 billion credentials flooded illicit markets from new dominant stealers like Lumma and Risepro
  • Over 380 unique malware variants, dominated by Stealers and RATs, hit criminal forums as geopolitical hacktivism intensified
  • The U.S. faced an 80% share of the 14.5 million compromised credit cards listed and led in critical vulnerability exposures