Reported by
Cybercriminals are no longer just hackers—they are rapidly becoming large-scale data brokers, weaponizing and monetizing stolen personal information at every stage of their operations, according to Europol’s 2025 Internet Organized Crime Threat Assessment (IOCTA).
The report warns that data exploitation is now embedded across the cybercrime lifecycle, from breaching systems to selling stolen data on encrypted platforms. Everyday online environments—such as e-commerce sites, social media, and gaming platforms—are increasingly misused for grooming, radicalization, and financial crime.
Personal information, Europol says, is no longer just a byproduct of cyberattacks but a core commodity fueling ransomware, fraud, identity theft, and child exploitation. Social engineering remains the most common entry point, while advances in artificial intelligence have made these attacks faster, more scalable, and harder to detect.
According to Philipp Amann, former Group Chief Information Security Officer at Austrian Post and former head of expertise and stakeholder management at Europol’s European Cybercrime Centre (EC3), the IOCTA shows that stolen personal data has become the backbone of a vast cybercriminal ecosystem.
He noted that the crime-as-a-service model—complete with phishing-kit rentals and laundering platforms—has made it possible for even low-skilled actors to launch high-impact attacks.
“Criminal use of AI is now well established,” Amann told OCCRP. He said generative models are being used to produce multilingual phishing emails, voice-cloned calls for CEO fraud, and synthetic child sexual abuse material, warning that this trend is transforming the threat landscape by enabling further automation and scale.
The report states that “cybercriminals increasingly use large language models (LLMs) to write convincing phishing messages and automate social interaction with victims.” These tools strengthen business email compromise (BEC)—a form of fraud in which criminals impersonate executives or business partners via email to deceive organizations into wiring money or sharing confidential information—as well as other impersonation schemes.
Malware known as infostealers—including Lumma, RedLine, and Vidar—are now central to this ecosystem. These programs extract login credentials, tokens, cookies, and device fingerprints, allowing attackers to replicate a victim’s digital identity.
In 2025, Europol and Microsoft disrupted the Lumma malware network as part of Operation Endgame, which targeted a marketplace listing stolen data from over 390,000 infected devices.
That data is frequently resold by initial access brokers—actors who offer credentials and access to inboxes, VPNs, desktops, and cloud systems. These are often used in ransomware attacks, lateral intrusions, or credential-stuffing operations.
Encrypted messaging platforms such as Telegram and Wickr have become key channels for trading stolen data and conducting criminal deals. Europol notes rising use of end-to-end encryption to traffic sensitive content, including child sexual abuse material, medical records, financial documents, and doxxing packages.
Despite major takedowns and better detection, systemic vulnerabilities persist. Poor password hygiene, oversharing on social media, and outdated systems continue to expose users and organizations to risk.
Amann emphasized that tactical responses are no longer enough. Disrupting cybercrime, he said, requires a coordinated, intelligence-led, ecosystem-wide approach. He added that Europol, through EC3, is well-positioned to lead this effort by supporting joint investigations, threat assessments, and public-private cooperation across jurisdictions.
