Stolen Logins Are Fueling Everything From Ransomware to Nation-State Cyberattacks

Report shows how industrialized credential theft underpins ransomware, SaaS breaches, and geopolitical attacks, shifting security focus from prevention to detecting misuse of legitimate access.

By Kevin Townsend | March 31, 2026 (11:04 AM ET)

Like an inverted pyramid, the whole range of attack modes now rests on a single point: identity abuse. Stolen credentials are a major threat. Legitimate credentials illegitimately acquired provide legitimate access to illegitimate actors. Once inside the network, these bad actors can move and act with far greater stealth. The continuing rise in ransomware attacks bears testament.

The theft and resale of credentials operates on an industrial scale. Fueled by increasingly sophisticated infostealers, stolen credentials are packaged into ‘logs’ and sold to criminals on the black market. Ontinue reports, “Listings tied to LummaC2 alone surged by 72%, with high-privilege cloud console credentials selling for $1,000–$15,000+.”

Ransomware has been one of the primary beneficiaries of stolen credentials. More than 7,000 incidents and 129 active groups were tracked through 2025. At the same time, ransom payments decreased slightly, from $892M in 2024 to $820M in 2025. This apparent contradiction is actually logical. “Larger targets, with larger payout potential, will have seen the most aggressive corporate investment (process and technology) mitigating exposure to this attack pattern,” explains Trey Ford, chief strategy and trust officer at Bugcrowd. These larger targets are also more susceptible to government pressure not to pay ransoms, and ransomware income has consequently declined.

The ransomware groups have responded with more attacks demanding smaller payments from a larger number of smaller companies. These bad actors have simultaneously raised the pain threshold.
Theft of data for blackmail has been growing for several years but is now often supplemented with operational disruption. “Beyond encrypting endpoints, attackers disrupt the ability to operate by wiping systems, deleting backups, sabotaging virtualization, attacking OT/ICS-adjacent services, or breaking identity/administration planes.”

Think of modern ransomware as a multi-layer extortion machine, the report continues. “Even when victims avoid paying, they are still dealing with downtime, regulatory exposure, third-party disruption, and long recovery cycles.” Nathaniel Jones, VP of security & AI strategy, and field CISO at Darktrace, adds, “Rather than relying solely on encrypting a target’s data for ransom, threat actors will increasingly employ double or even triple extortion strategies, encrypting sensitive data but also threatening to leak or sell stolen data.”

At the same time, adversarial use of AI to assist in attacks is growing. Sophisticated and compelling phishing attacks are already evident, but Ontinue has also seen “the first meaningful signs of LLM-assisted malware development in 2H 2025.” This isn’t yet autonomous malware, but these are signs that attackers are using AI to speed up malware development and add features. “LLMs didn’t write the malware, but they wrote large pieces of it,” says Ontinue. “This lowers the bar dramatically. Adversaries with minimal engineering ability now ship tools that look more professional but still contain fundamental security flaws.”

Stolen credentials are also fueling supply chain and SaaS attacks. The two big examples from 2025 are the Salesloft Drift OAuth campaign (with more than 700 victim organizations) and the Shai-Hulud npm worm. Both campaigns abused the trust that modern business infrastructure depends on, and in both cases that trust was breached with legitimate but stolen credentials.
The increase in global geopolitical tension has further expanded and complicated the cybersecurity battlefield, and has probably eroded any remaining ‘honor among thieves’. The Shai-Hulud actor (financially rather than nation-state motivated), for example, may attempt to delete the target’s home directory if it finds little to harvest. “This nihilistic ‘scorched earth’ fallback is new and signals the author’s willingness to cause irreversible damage,” notes Ontinue. Such behavior has traditionally been associated with nation-state political motivations.

This is widening. It is no longer government against government: targets now include civilian entities, while attackers include politically motivated citizens as well as elite nation-state actors. Ontinue cites three examples: North Korea’s Lazarus Group $1.5B cryptocurrency theft; wiper attacks targeting Polish civilian infrastructure by Ghost Blizzard; and record-setting DDoS activity peaking at 31.4 Tbps via botnets with more than 500,000 IPs. There is little sign that geopolitically motivated attacks are likely to decrease in the immediate future; they are more likely to increase. Prompted by the US/Israel war against Iran, Iranian actors used wipers in the attack against Stryker earlier this year.

The base of this inverted pyramid of malicious activity is occupied by infostealers. Infostealers are a successful tool for malicious actors. They use social engineering to get installed. The industry has yet to find a reliable method of preventing social engineering, so it is unlikely that we will be able to stop infostealers. The implication is that organizations should assume attackers have, or will obtain, legitimate identities to use in their attacks. This means that more energy must be applied to recognizing and blocking the misuse of credentials while they are in use, rather than simply trying to prevent their theft.
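The point just made, that a stolen credential is indistinguishable from the real one at the password check and so must be caught by how it is used, is easier to see on a log feed than in prose. The following is an added illustration, not code from the article, from Ontinue, or from any vendor it quotes: a toy detector that ignores whether the login succeeded (it always did, that is the problem) and instead keys on session context. It assumes a normalized login-event feed with the fields shown, and the sample events, AS numbers and device ids are constructed for the example. It also covers the adaptive-identity idea quoted from SailPoint further down, where regular and abnormal activity for the same identity are told apart and a privileged action from an abnormal session is escalated.

```python
"""Toy detector for misuse of valid credentials in authentication logs.

Added illustration; not from the SecurityWeek article or any product it
mentions. Assumes a normalized event feed with the fields used below.
Three defender-side signals, all of which a freshly bought 'log' trips:
  1. login from a country / ASN / device the user has never used
  2. two logins from different countries closer together than a flight
  3. a privileged action taken from a session that tripped rule 1
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (UTC): alice's routine logins, then her valid
# password used from a new country, ASN and device, followed by MFA
# enrollment, then her own normal login a few hours later.
SAMPLE_EVENTS = [
    {"ts": "2025-11-03T08:02:00", "user": "alice", "country": "US", "asn": 7922,  "device": "dev-a1", "action": "login"},
    {"ts": "2025-11-03T17:40:00", "user": "alice", "country": "US", "asn": 7922,  "device": "dev-a1", "action": "login"},
    {"ts": "2025-11-04T08:05:00", "user": "alice", "country": "US", "asn": 7922,  "device": "dev-a1", "action": "login"},
    {"ts": "2025-11-05T03:12:00", "user": "alice", "country": "NL", "asn": 60781, "device": "dev-z9", "action": "login"},
    {"ts": "2025-11-05T03:14:00", "user": "alice", "country": "NL", "asn": 60781, "device": "dev-z9", "action": "mfa_enroll"},
    {"ts": "2025-11-05T08:01:00", "user": "alice", "country": "US", "asn": 7922,  "device": "dev-a1", "action": "login"},
    {"ts": "2025-11-05T09:00:00", "user": "bob",   "country": "DE", "asn": 3320,  "device": "dev-b2", "action": "login"},
]

# Actions that change the identity itself or mint new access; hypothetical names.
PRIVILEGED = {"mfa_enroll", "api_token_create", "role_grant"}
TRAVEL_WINDOW = timedelta(hours=6)   # shorter than any realistic cross-border trip


def parse_ts(s):
    return datetime.fromisoformat(s)


def detect_misuse(events, baseline_logins=2):
    """Return a list of finding dicts, in event order.

    A user's baseline is the set of countries/ASNs/devices seen in their
    first `baseline_logins` logins. Later logins outside it are flagged and,
    deliberately, NOT folded into the baseline, so an attacker cannot
    'teach' the detector their own context by logging in repeatedly.
    """
    events = sorted(events, key=lambda e: parse_ts(e["ts"]))
    baseline = defaultdict(lambda: {"country": set(), "asn": set(), "device": set(), "n": 0})
    last_login = {}                      # user -> most recent login event
    flagged_devices = defaultdict(set)   # user -> devices that tripped rule 1
    findings = []

    for e in events:
        u, t, b = e["user"], parse_ts(e["ts"]), baseline[e["user"]]
        if e["action"] == "login":
            novel = []
            if b["n"] >= baseline_logins:
                novel = [k for k in ("country", "asn", "device") if e[k] not in b[k]]
                if novel:
                    findings.append({"user": u, "ts": e["ts"], "rule": "new_context", "novel": novel})
                    flagged_devices[u].add(e["device"])
                prev = last_login.get(u)
                if prev and prev["country"] != e["country"] and t - parse_ts(prev["ts"]) < TRAVEL_WINDOW:
                    findings.append({"user": u, "ts": e["ts"], "rule": "impossible_travel",
                                     "from": prev["country"], "to": e["country"]})
            if not novel:                # only trusted context grows the baseline
                for k in ("country", "asn", "device"):
                    b[k].add(e[k])
                b["n"] += 1
            last_login[u] = e            # always track, so the victim's next login exposes the attacker
        elif e["action"] in PRIVILEGED and e["device"] in flagged_devices[u]:
            findings.append({"user": u, "ts": e["ts"], "rule": "privileged_from_new_context",
                             "action": e["action"]})
    return findings


if __name__ == "__main__":
    for f in detect_misuse(SAMPLE_EVENTS):
        print(f)
```

Run on the sample feed it raises three findings for alice and none for bob: the Dutch login is a new context on all three attributes, the MFA enrollment two minutes later is escalated because it came from that flagged device, and alice's own login from the US under five hours later trips impossible travel, which is the moment the real user's activity contradicts the attacker's. In production the same logic would sit on an identity provider's sign-in log and feed a step-up or session-revocation decision rather than a print statement.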
“To combat today’s new era of threats, driven by the force multiplier of AI, we need to embrace a new approach of adaptive identity,” says Mark McClain, CEO at SailPoint. “Modern identity tools need to be able to discern between regular user activity and abnormal activity, and grant – or deny – access accordingly. Every access decision is driven by who or what the identity is, the context of the data they touch, and the security signals surrounding them. By unifying identity, security, and data contexts, businesses can make real-time decisions to mitigate risk without disrupting operations.”

Ontinue summarizes this. “The organizations that will succeed in this new landscape will not necessarily be those with the strongest perimeters, but those that rethink how security is applied across identity. This means treating identity as the core control plane, monitoring authentication activity as closely as endpoint behavior, and securing both human and non-human identities with equal rigor.”

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security, and has had many thousands of articles published in dozens of different magazines, from The Times and the Financial Times to current and long-gone computer magazines.