Steal, Deal, and Repeat: Takeaways from Europol’s 2025 IOCTA Report

Every year, the European Union Agency for Law Enforcement Cooperation (Europol) collects cybersecurity threat intelligence data from a variety of sources, enabling its Europol European Cyber Crime Centre (EC3) to analyze and report on the state of cybersecurity and attacker activity. The Internet Organised Crime Threat Assessment (IOCTA) report discusses trends around cybercriminal activities. 

In the 2025 IOCTA report, “Steal, deal, and repeat: how cybercriminals trade and exploit your data,” Europol revealed that cyber criminals target data as a fundamental enabler and commodity in the criminal ecosystem. Although security professionals have long understood that data has financial value, the report highlights the important role that data commodification plays across the cybercriminal ecosystem.

At a high level, the report identifies the following key insights:

  • Stolen data fuels cybercrime: Cybercriminals treat data both as a means of further exploitation and as a tradable commodity, often targeting credentials, personal information, and corporate access. 
  • Social engineering is dominant: To steal login credentials and personal data, cybercriminals increasingly deploy phishing, vishing, and infostealer malware. 
  • Generative AI escalates threats: Large Language Models (LLMs) now tailor phishing messages, create deepfakes, and impersonate trusted individuals at scale.
  • Initial access brokers (IABs) are data brokers: These cybercriminals operate robust marketplaces for selling stolen credentials as an integral part of the Ransomware-as-a-Service ecosystem. 

Keep reading for the takeaways security practitioners can gain from the report. 

Threat Actors Abuse Generative AI for Social Engineering in Infostealer Malware Attacks

A constant theme throughout the 2025 report is cybercriminals leveraging generative AI as part of their social engineering schemes to improve their ability to deploy infostealer malware. Malicious actors increasingly exfiltrate data during ransomware attacks and then feed the information into Large Language Models (LLMs) to craft convincing phishing lures and deepfake-enabled business email compromise (BEC) scams. 

To steal the data, cybercriminals use infostealer malware specifically designed to extract sensitive information from compromised devices. Infostealers typically steal and collect information like:

  • Application tokens and session cookies that enable unauthorized access as an authenticated user. 
  • Operating system, browser, and settings data for imitating the compromised device’s digital fingerprint. 

Some cited examples of infostealer malware include:

  • Lumma: The largest infostealer that cybercriminals used on a massive scale to harvest credentials, financial data, and personal information. 
  • RedLine: A dominant malware across the cybercriminal ecosystem that offers a customizable file-grabber.
  • META: A stealer malware advertised as an improved version of RedLine.

Takeaway: With a Threat Exposure Management solution, security teams can monitor stealer logs and dark web data breach dumps to uncover compromised employee credentials before threat actors use them in phishing or account takeover attacks.

Criminal Marketplaces Continue to be Embedded in the Cybercrime Economy, Especially with Initial Access Brokers (IABs)

Criminal marketplaces retain a significant role in the cybercriminal as-a-Service business model. According to the 2025 report, the key commodities listed include:

  • Unanalyzed infostealer logs and leaked or stolen data. 
  • Unanalyzed or verified credit card dumps.
  • Initial access offers, like credentials for remote services and accounts or established backdoor access.
  • Account login credentials for different web services, like email or social media accounts. 
  • Criminal services, like selling subscriptions to infostealers. 
  • Anti-detection tools, like virtual private networks (VPNs). 

Initial access brokers (IABs) selling access to compromised systems continue to be a primary concern. The report cited Flare’s research on the top five dark web marketplaces to monitor, which discusses how the Russian Market continues to specialize in selling:

  • Stolen identities
  • Access credentials
  • Web shells
  • Financial information

In an attempt to evade detection, many cybercriminals leverage end-to-end encryption (E2EE) services, like Telegram, to reduce visibility into their activities, impeding criminal investigations. 

Takeaway: Flare Research proves that Telegram remains a popular place for threat actors to communicate and convene for cybercrime. Security teams can effectively monitor illicit Telegram channels with their Threat Exposure Management solution. 

Credential-Based Attacks Can Be a Starting Point for Larger Attacks

Data is a financially valuable product since cybercriminals purchase it for use in attacks. The IOCTA report explains that criminal platforms list and offer various data types specifically to use for credential stuffing attacks. Armed with the information, cybercriminals can then use automated tools to try the stolen login credentials against various websites and applications. 

Essentially, access to a compromised account or system becomes part of the larger cycle that fuels cybercrime. Once cybercriminals gain this initial access, they move across the wider network to further their interests through:

  • Distributing malware.
  • Stealing sensitive information.
  • Impersonating a victim or using a legitimate account to distribute malicious content from a trusted source. 

As part of these activities, the cybercriminals often gather additional credentials which they sell to other malicious actors, perpetuating the cycle. 

Takeaway: Security teams can break this cycle by automatically identifying exposed credentials and prioritizing remediation. By integrating their Threat Exposure Management solution into their workflow, using either webhook alerting or SIEM/SOAR integrations, they can correlate the solution’s real-time insights with alerts from connected security tools, reducing mean time to detect and respond (MTTD/MTTR) in cases of identity compromise. 
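As an added illustration of the credential cycle described above and of this takeaway (example code, not from the IOCTA report or from Flare’s platform), the following Python triages exposure alerts against an identity directory: a stolen session cookie forces session revocation regardless of password age (it bypasses the password, as noted under infostealers), a password exposed after the last rotation forces a reset, and privileged accounts are escalated. The alert and directory data are constructed for this example, and their field names are assumptions rather than any vendor’s real webhook schema.

```python
from datetime import date
# Constructed sample alerts shaped like a TEM webhook payload; field names are
# assumptions for this example, not any vendor's real schema.
ALERTS = [
    {"email": "alice@example.com", "source": "stealer_log",
     "artifacts": ["password", "session_cookie"], "seen": "2025-06-02"},
    {"email": "bob@example.com", "source": "breach_dump",
     "artifacts": ["password"], "seen": "2024-11-15"},
    {"email": "carol@example.com", "source": "stealer_log",
     "artifacts": ["password"], "seen": "2025-06-03"},
    {"email": "mallory@other.example", "source": "stealer_log",
     "artifacts": ["password"], "seen": "2025-06-01"},
]
# Constructed identity snapshot, standing in for an IdP/SIEM lookup.
DIRECTORY = {
    "alice@example.com": {"active": True, "privileged": True, "pw_changed": "2025-01-10"},
    "bob@example.com": {"active": True, "privileged": False, "pw_changed": "2025-03-01"},
    "carol@example.com": {"active": False, "privileged": False, "pw_changed": "2024-05-20"},
}

def triage(alert, directory=DIRECTORY):
    """Correlate one exposure alert with the directory; return (priority, actions) or None."""
    acct = directory.get(alert["email"])
    if acct is None:
        return None  # not a corporate identity; nothing for this team to remediate
    if not acct["active"]:
        return ("low", ["confirm account stays disabled"])
    seen = date.fromisoformat(alert["seen"])
    rotated = date.fromisoformat(acct["pw_changed"])
    score, actions = 0, []
    # A stolen session cookie bypasses the password, so rotation alone is not enough.
    if "session_cookie" in alert["artifacts"]:
        score += 2
        actions.append("revoke active sessions")
    # A password exposed after the last rotation is presumed still valid.
    if "password" in alert["artifacts"]:
        if seen > rotated:
            score += 2
            actions.append("force password reset")
        else:
            actions.append("verify credential was rotated after exposure")
    if acct["privileged"]:
        score += 1  # privileged access is what IABs resell; escalate
    priority = "critical" if score >= 4 else "high" if score >= 2 else "low"
    return (priority, actions)

def triage_all(alerts, directory=DIRECTORY):
    # Rank every alert that maps to a corporate account, most urgent first.
    rows = [(a["email"], *r) for a in alerts if (r := triage(a, directory))]
    return sorted(rows, key=lambda row: ("critical", "high", "low").index(row[1]))
```

In a real integration the ALERTS list would be the parsed webhook body and DIRECTORY a live IdP query, with the returned actions pushed to the SOAR playbook that performs the reset and session revocation.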

Cybercrime Culture Can Be Difficult to Follow

For cybercriminals, forums and E2EE services offer the socialization that enables their ongoing relationships and activities. The IOCTA report explains that participation in criminal marketplaces and forums is based on trust and the user’s reputation within the underground community. Typically, building that reputation requires being an active forum member; contributing factors include:

  • A long-term, stable presence on forums and marketplaces.
  • Number of posts. 
  • Successful deals. 
  • Positive reviews and endorsement from other members.

The report cited Flare’s research when noting that in some cases, newcomers may need to pay a deposit prior to being allowed to view any listings. These market dynamics create an environment in which criminals seek to validate other users prior to engaging in transactions, yet the anonymity required to sustain criminal activity means reputation must be built through consistent interaction. These social norms make monitoring the cybercriminal ecosystem difficult and time-consuming for most security teams. 

Takeaway: Security teams can follow insights from cybercrime researchers who track threat actor advertising behavior, kit sales, and operational tooling. In addition, their Threat Exposure Management (TEM) solution can provide this threat intelligence in an actionable format for both strategic analysts and tactical responders, enabling organizations to preemptively defend against threat actor campaigns.

Conclusion

IOCTA 2025 continues to confirm that security teams can be successful by proactively finding, contextualizing, and prioritizing digital risks arising from identity exposure, compromised access, and dark web activity. An automated, continuous monitoring approach is well suited to modern security teams defending against data-centric cybercrime. 

Monitor and Act Upon Cybercrime with Flare

The Flare Threat Exposure Management (TEM) solution empowers organizations to proactively detect, prioritize, and mitigate the types of exposures commonly exploited by threat actors. Our platform automatically scans the clear & dark web and prominent threat actor communities 24/7 to discover unknown events, prioritize risks, and deliver actionable intelligence you can use instantly to improve security.

Flare integrates into your security program in 30 minutes and often replaces several SaaS and open source tools. Learn more by signing up for our free trial.
