FortiGuard Labs 2025 reports cybercrime-as-a-service boom as hackers weaponize AI
According to the report, adversaries are moving faster than ever: automating reconnaissance, compressing the time between vulnerability disclosure and exploitation, and scaling their operations through the industrialization of cybercrime. FortiGuard Labs also observed that threat actors are leveraging automation, commoditized tools, and AI to systematically erode the traditional advantages held by defenders.
“Our latest Global Threat Landscape Report makes one thing clear: Cybercriminals are accelerating their efforts, using AI and automation to operate at unprecedented speed and scale,” Derek Manky, chief security strategist and global vice president for threat intelligence at Fortinet FortiGuard Labs, said in a media statement.
Manky also commented that the traditional security playbook is no longer enough: organizations must shift to a proactive, intelligence-led defense strategy powered by AI, zero trust, and continuous threat exposure management to stay ahead of today’s rapidly evolving threat landscape.

The FortiGuard Labs 2025 report disclosed that cybercriminals are deploying automated scanning tools at a massive scale. In 2024, active scanning in cyberspace surged by 16.7 percent globally. FortiGuard Labs recorded billions of monthly scan attempts, equivalent to 36,000 scans per second. These scans increasingly target exposed services such as SIP, RDP, and OT/IoT protocols like Modbus TCP, accounting for about 1.6 percent of scans, highlighting concerns about industrial infrastructure and supervisory control and data acquisition (SCADA) systems.
Hackers are also adopting AI to enhance phishing, impersonation, extortion, and evasion techniques. Tools like FraudGPT, BlackmailerV3, and ElevenLabs are being used to automate malware generation, craft realistic deepfakes, clone voices, and build phishing sites—creating more scalable, convincing, and effective attack campaigns. As predicted, Cybercrime-as-a-Service (CaaS) operators are embracing specialization, optimizing distinct parts of the attack chain using these AI capabilities.
The report found that the underground economy for initial access has exploded. FortiGuard Labs observed a 42 percent increase in compromised credentials available for sale, alongside a surge in Initial Access Broker (IAB) activity offering VPN, RDP, and admin-panel access. Infostealers like Redline and Vidar have driven a staggering 500 percent increase in credential logs found on darknet forums, enabling threat actors to purchase ready-made access to corporate environments. These credentials are the backbone of ransomware and espionage operations. Threat actors no longer just hunt for vulnerabilities to exploit; they’re buying entry into networks, and as long as stolen credentials remain abundant, brute force is unnecessary.
The FortiGuard Labs 2025 report said that while 13 new ransomware groups entered the Ransomware-as-a-Service (RaaS) ecosystem in 2024, illustrating market fragmentation, the top four groups still accounted for 37 percent of observed attacks, underscoring their continued dominance. Hacktivists are increasingly adopting ransomware tactics, and nation-state actors remain active, targeting key sectors such as manufacturing, government, education, and technology. Telegram has emerged as a central hub for sharing exploits, tools, and infrastructure, fostering operational unity across otherwise disparate threat groups.
While the average time to exploit new vulnerabilities remained steady at around 5.4 days in 2024, the volume of exploitation attempts surged, exceeding 97 billion for the year. Attackers increasingly targeted exposed IoT devices, routers, firewalls, and cameras for botnet control, lateral movement, and persistent access. Notably, CVE-2024-21887 in Ivanti products was exploited just six days after disclosure.
Another interesting disclosure from the FortiGuard Labs 2025 report was that credentials available on the darknet are not just from past data breaches. “In 2024, FortiGuard Labs observed a 500 percent increase in logs from systems compromised by infostealer malware, with 1.7 billion stolen credential records shared in underground forums.”
The FortiGuard Labs 2025 Report highlights a rapidly evolving threat landscape in 2024, driven by the emergence of new ransomware groups, the growing sophistication of hacktivist campaigns, and the persistent activity of state-sponsored espionage actors. FortiGuard Labs analyzed these developments to deliver a comprehensive overview of adversaries’ tactics, techniques, and procedures (TTPs).
The RaaS ecosystem continues to expand, with new groups emerging and establishing double and triple extortion models. In 2024, RansomHub (13 percent), LockBit 3.0 (12 percent), Play (8 percent), and Medusa (4 percent) were the most active ransomware groups, accounting for 37 percent of the 1,638 identified victims used in the research analysis.
Lastly, the report recommended strategic areas for CISOs (Chief Information Security Officers) to focus on. The first is shifting from traditional threat detection to continuous threat exposure management, a proactive approach that emphasizes continuous attack surface management, real-world emulation of adversary behavior, risk-based remediation prioritization, and automation of detection and defense responses.
The report also recommends using breach and attack simulation (BAS) tools to regularly assess endpoint, network, and cloud defenses against real-world attack scenarios, so that resilience against lateral movement and exploitation is verified rather than assumed. CISOs should likewise simulate real-world attacks by conducting adversary emulation exercises and red and purple teaming, using MITRE ATT&CK to test defenses against threats such as ransomware and espionage campaigns.