AI-enabled cybercrime surges
Fortinet has recently released the 2026 Global Threat Landscape Report from FortiGuard Labs. Derived exclusively from FortiGuard Labs telemetry, the latest annual report is a snapshot of the active threat landscape and trends from 2025, including a comprehensive analysis across all tactics used in cyberattacks, as outlined in the MITRE ATT&CK framework. The data reveals that cybercrime no longer functions as a series of isolated campaigns; it operates as a system, with malicious hackers operating across an end-to-end life cycle and compressing the attack life cycle with shadow agents.
Derek Manky, Chief Security Strategist and Global VP of Threat Intelligence, Fortinet FortiGuard Labs, said: “As cybercriminals increasingly use AI to bolster their tactics, cyber defenders must evolve cybersecurity operations into an industrialized defense and adopt AI-enabled tools that respond at the same velocity as modern threats.”

As FortiGuard Labs Cyberthreat Predictions for 2026 projected, the most capable threat groups function as semi-autonomous enterprises, supported by shadow agents, access brokers, and botnet operators who provide services on demand. Key findings from the 2026 Global Threat Landscape Report show that shadow agents reduce operator skill requirements while increasing workflow speed.
With AI, criminals work smarter, not harder. FortiGate IPS telemetry recorded a 22% decrease in brute force attempts YoY, pointing to efficiency gains: with optimized, intelligent brute force techniques, threat actors are making fewer attempts against better-selected targets, increasing success probability per credential tested. This activity translates into about 67.65 billion brute force events globally, with approximately 185 million attempts per day, 1.3 billion attempts per week, and 5.6 billion attempts per month. At the same time, intelligence revealed a 25.49% increase in global exploitation attempts YoY.
In 2026, FortiRecon intelligence found an additional 79% increase and revealed a shift toward theft of more comprehensive data sets, enabled by agentic AI. Within dark web “database” activity, stealer logs dominated advertised and shared datasets (67.12%), exceeding combolists (16.47%) and leaked credentials (5.96%). Stealer logs reduce attacker effort by bundling identity material with contextual artifacts, including browser-resident data, enabling immediate replay and faster conversion than brute force or password spraying.
Credential-stealer malware remains a lucrative industry and the primary upstream engine for exposure generation. FortiRecon telemetry shows stealer activity dominated by RedLine with 911,968 infections (50.80%), Lumma with 499,784 (27.84%), and Vidar with 236,778 (13.19%).
The 2026 Global Threat Landscape Report reveals that incentivizing the disruption of cybercrime has never been more important. To empower defenders to stay ahead of cybercriminals, Fortinet and Crime Stoppers International launched the Cybercrime Bounty program to provide a secure, anonymous channel for citizens and ethical hackers to submit information about cyberthreats.
Discover how FortiGuard Labs Advisory Services combine cutting-edge technology and expert services to help organizations strengthen their security posture before threats emerge. FortiGuard Outbreak Alerts provide key information about ongoing cybersecurity attacks with significant ramifications affecting companies, organizations and industries. In the event of an incident, FortiGuard Labs offers swift, effective response and in-depth forensic analysis to minimize impact and prevent future intrusions, delivering comprehensive protection in today’s increasingly volatile digital landscape.
