Identity has become the new vulnerability – 3.3 billion stolen logins per year.

Cyberthreats no longer fit neatly into categories like malware, credential theft, or infrastructure attacks. Flashpoint estimates that by 2026, all these vectors will have converged into a single, dense stream, with the same attackers simultaneously exploiting stolen logins, vulnerabilities, ransomware, phishing, and AI-powered automation. The speed of attacks is also changing. While humans once played a key role in many schemes, there's now a noticeable shift toward machine-like speed, with agent-based AI systems taking over some of the operations: collecting data, tailoring messages to the victim, modifying infrastructure, learning from failed attempts, and continuing the attack almost without pause.
Flashpoint describes precisely this picture in its Global Threat Intelligence Report 2026. The report is addressed not only to cyber intelligence and vulnerability management teams, but also to physical security specialists and the CISO office—that is, the executives responsible for a company's overall security strategy. The authors bluntly state that the traditional silos within security have disintegrated, and fragmented visibility is no longer sufficient to maintain control. When attackers simultaneously target users, infrastructure vulnerabilities, and automation, defenses in individual areas begin to lag.
The report offers several figures that clearly illustrate the scale of the shift. At the end of 2025, AI-related illicit activity increased by 1,500% in just one month. For all of 2025, Flashpoint counted 3.3 billion compromised credentials and cloud tokens. The number of ransomware incidents from January to December 2025 increased by 53%. The number of disclosed vulnerabilities during the same period increased by 12%, with the company estimating that the gap between a problem's publication and its mass exploitation has almost disappeared.
The report is based on data from Flashpoint's Primary Source Collection, a proprietary model for collecting intelligence from primary sources. The company relies on data from within hostile environments themselves, rather than relying solely on external reports and aggregated overviews. This approach, according to the authors, is necessary because modern attacks are evolving too rapidly and too often originate in closed or semi-closed criminal ecosystems, where signals about a new scheme emerge before traditional monitoring tools can detect it.
One of the report's key points concerns agent-based AI. Flashpoint believes that 2026 will be the year of cyberattacks in which such systems will play a central role. Agent-based AI here refers not simply to text or image generators, but to more autonomous tools capable of performing a whole chain of actions: collecting information, changing tactics, launching new attack iterations, and refining the plan after a failure. According to the company, in November and December 2025, discussions of AI in the underworld increased by 1,500%, and this is no longer a matter of curiosity or abstract experiments, but a shift toward the creation of malicious frameworks.
Flashpoint specifically notes that such systems are built on data from the criminal environment and tailored to real-world fraud scenarios. These tools can collect intelligence, rewrite messages for a specific target, switch infrastructure, and learn from past failures without constant operator intervention. In practice, the implication is simple and unpleasant: the cost of failure for an attacker decreases. When automation makes each new attempt cheap, an attacker can iterate over and over again until they find a viable entry point. The report attributes this evolution to vibe-coded phishing, AI-assisted lures, malware, and new platforms for cybercrime.
The second major shift is that the primary penetration vector is no longer a vulnerability in code, but someone else's digital identity. Flashpoint puts it bluntly: identity is the new exploit. In 2025, the company recorded over 11.1 million infected machines running stealers. A stealer is malware that steals passwords, cookies, tokens, autofill data, and other information useful for account takeover. According to Flashpoint, these infections have fueled a gigantic market of 3.3 billion stolen credentials and cloud tokens.
This is changing the very mechanics of crime. Previously, attackers often tried to breach security through vulnerabilities or brute-force attacks. Now, the goal is increasingly reduced to simply logging in as a legitimate user. Stolen session cookies, logins, and tokens allow attackers to act almost like the real account owner. This development is especially frustrating for defenders, as many of the old defenses were designed for overt hacking, not silent authorization with genuine credentials.
The report specifically highlights the ransomware market, which Flashpoint describes as an increasingly professionalized franchise model. This model has long been known in RaaS (ransomware-as-a-service), where some groups build the platform, tools, support, and infrastructure, while others use this ready-made kit in real attacks. The report cites RansomHub and Clop as examples. The authors view them not as isolated gangs, but as indicators of an entire economy, where cybercrime operates almost like a business, with separate roles, distribution channels, and reusable tools.
Against this backdrop, another development is particularly significant: ransomware is increasingly attacking people, not code. Flashpoint emphasizes that as technical defenses against traditional encryption become stronger, attackers are shifting to a simpler approach—human trust. The company describes this scenario as "ransomware is hacking the person, not the code." This explains the rise in incidents: from January to December 2025, they increased by 53%, and over 87% of all ransomware attacks were carried out by groups operating under the RaaS model.
Essentially, this is a shift from purely technical encryption to extortion through credentials, access, and psychological pressure. If an attacker has already logged into a system as an employee, gained access to the cloud, downloaded data, and understood internal processes, they no longer necessarily need to launch a high-profile, mass-encryption phase. Pressure can be built on the threat of data disclosure, disruption of business processes, or blackmail of employees and management. This approach is often simpler, faster, and safer for the attacker.
The third key topic of the report is vulnerabilities and the shrinking time available to deploy patches. According to Flashpoint, the number of disclosed vulnerabilities increased by 12% in 2025, and for one in three (33%), public exploit code was already available. What's particularly concerning for defenders isn't the increase itself, but the nearly vanishing time lag between the discovery of a problem and its widespread exploitation. The company cites a disturbing benchmark: zero-day vulnerabilities in some cases began to be widely exploited within 24 hours of disclosure. A zero-day is a vulnerability for which defenders have almost no time to patch and deploy mitigations.
That's why the report states that the patching window is rapidly closing. Previously, companies still had a more or less clear cycle: learn about the issue, assess the risk, approve the update, test it, and deploy the fix. Now, many organizations no longer have this flexibility. If a publication is quickly accompanied by working exploit code, and attackers are also automating the search and attack, a delay of even one or two days begins to seem too costly.
Flashpoint boils the picture down to four key themes that will shape the threat landscape in 2026. First, the era of agent-based cyberattacks, where AI-powered automation accelerates the entire cycle. Second, the transformation of digital identities into the primary entry point, with stolen logins, tokens, and sessions outperforming traditional hacking. Third, the dramatically shrinking window between vulnerability discovery and exploitation. Fourth, the evolution of ransomware into a scheme that increasingly relies on people and trust, not just file encryption.
The report's authors draw a stark conclusion: cosmetic improvements to old defense models are no longer sufficient. When an adversary operates at machine speed, the advantage lies not with those who simply have more perimeter defenses, but with those who see the hostile environment first and understand how attacks are generated within it. Flashpoint directly warns that defenders who rely on fragmented visibility will inevitably lag behind.
This leads to the company's key practical advice: defense should be built around intelligence, not just response. Intelligence in this case doesn't mean abstractly reading news, but rather working with primary sources from hostile ecosystems where new schemes are discussed, access is traded, exploits are shared, and tools for automated attacks are assembled. For organizations and communities, according to Flashpoint, this intelligence-first approach becomes the foundation of resilience in this new environment.
Overall, the report paints a disturbing but very consistent picture. Cybercrime is becoming increasingly industrialized, and the boundaries between phishing, stealers, extortion, vulnerability exploitation, and identity theft are becoming increasingly blurred. In such a system, AI no longer plays the role of an exotic add-on, but rather an accelerator that reduces the cost of brute-force attacks, helps attackers adapt more quickly, and allows attacks to scale without a comparable increase in human effort. Against this backdrop, defense ceases to be a matter of individual resources and increasingly becomes a matter of pace: who can spot the attack first, while it's still in the process of being launched.
