The Shift in Cybercrime: Attackers Now Prefer Logging In with Stolen Credentials
In the ever-evolving landscape of cyber threats, recent findings from Ontinue's 2H 2025 Threat Intelligence Report are alarming. These insights reveal a significant transformation in how cybercriminals access sensitive information. Instead of breaching defenses through traditional methods like malware, attackers are increasingly leveraging compromised credentials to infiltrate organizations.
Understanding the Trends
Ontinue, a leader in AI-driven Managed Extended Detection and Response (MXDR), has highlighted a disturbing trend in the cybercrime world. According to Balazs Greksza, Director of Advanced Threat Operations at Ontinue, the era of attackers attempting to break into systems is fading. Now, they are more likely to simply log in using stolen credentials. This trend raises the bar for what organizations must do to protect themselves in today's digital environment.
The report reflects a staggering rise in identity compromise, which has become the predominant method for gaining illegal access to cloud environments. The shift from traditional malware-driven intrusions to exploiting compromised identities emphasizes the need for enhanced security measures that can better detect and respond to these tactics.
Credential Theft on the Rise
The report documents the rise of identity-based attacks such as adversary-in-the-middle (AiTM) phishing and credential exposure, which are now the focus of security investigations worldwide. Attackers are recalibrating their strategies to exploit stolen credentials for direct access to cloud systems rather than relying on software vulnerabilities. Infostealer malware has become a critical factor in this trend, with types like LummaC2 capturing passwords, session cookies, and other sensitive information from infected devices.
These stolen credentials feed a thriving underground marketplace, where criminal groups trade access to corporate environments. Listings of stolen credentials associated with LummaC2 have surged by 72%, underscoring the rapid growth of the credential-theft economy. Such illicit access has significant financial implications, fetching thousands of dollars per stolen account, and is now positioned as one of the most lucrative avenues in cybercrime.
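Because a session cookie lifted by an infostealer or an AiTM proxy lets the attacker skip the login step entirely, the defender's check is whether an existing session suddenly appears from a different client. The following detector is an added example written for this page, not code from Ontinue or from the report; the log fields, ASN values and the one-hour window are assumptions, and the sample events are constructed.

```python
"""Flag a session token that is reused from a second client fingerprint.

Added example (not from the Ontinue report). Each event is one authenticated
request: (timestamp, user, session_id, source ASN, User-Agent). A session that
was recently used from one (ASN, User-Agent) pair and then shows up from a
different pair is the usual footprint of a replayed cookie.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events; the ASNs are documentation-range placeholders.
SAMPLE_EVENTS = [
    ("2025-09-01T08:00:00", "alice", "s1", "AS64496", "Chrome/140 Windows"),
    ("2025-09-01T08:05:00", "alice", "s1", "AS64496", "Chrome/140 Windows"),
    ("2025-09-01T08:07:00", "alice", "s1", "AS64511", "Python-requests/2.32"),
    ("2025-09-01T09:00:00", "bob",   "s2", "AS64496", "Firefox/130 macOS"),
    ("2025-09-02T09:00:00", "bob",   "s2", "AS64500", "Firefox/130 macOS"),
]


def find_replayed_sessions(events, window=timedelta(hours=1)):
    """Return (session_id, user, asn, user_agent) for every request whose
    session was used from a different (asn, user_agent) pair within `window`.

    The window keeps a phone switching networks a day later from alerting;
    requiring a change in ASN *or* User-Agent catches both a stolen cookie
    driven from a script and one loaded into a browser elsewhere."""
    last_seen = defaultdict(dict)  # session_id -> {(asn, ua): last timestamp}
    hits = []
    for ts, user, sid, asn, ua in sorted(events):  # ISO timestamps sort lexically
        now = datetime.fromisoformat(ts)
        fingerprint = (asn, ua)
        seen = last_seen[sid]
        recent_others = [fp for fp, t0 in seen.items()
                         if fp != fingerprint and now - t0 <= window]
        if recent_others:
            hits.append((sid, user, asn, ua))
        seen[fingerprint] = now  # refresh the last-use time for this client
    return hits


if __name__ == "__main__":
    for hit in find_replayed_sessions(SAMPLE_EVENTS):
        print("possible session replay:", hit)
```

In the constructed data only alice's session is flagged: it moves to a new ASN and a scripted User-Agent two minutes after the legitimate browser used it, while bob's network change a day later stays below the threshold.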
Ransomware Attacks Continue to Escalate
While the landscape of cybercrime is changing, ransomware remains a significant concern. In 2025, organizations reported over 7,000 ransomware incidents globally, while total ransom payments fell from $892 million to $820 million. Despite this decline, the sheer number of incidents continues to pose a serious threat, with numerous active ransomware groups operating across the cyber domain.
These campaigns are characterised by increasingly sophisticated techniques, employing multiple forms of pressure, including direct social engineering methods targeting employees and customers. This multi-faceted approach often leads to what experts describe as double, triple, or even quadruple extortion scenarios.
Emphasis on Generative AI in Malware
Interestingly, the report also points to a burgeoning trend where cybercriminals are experimenting with generative AI to develop malicious tools. Preliminary analysis of malware samples indicates patterns consistent with AI-assisted programming, benefitting those with lower technical skills. Although still an emerging tactic, the implications for organizations could be profound as this technology potentially reduces the barriers to creating effective cyber threats.
Supply Chain Vulnerabilities and SaaS Attacks
The document highlights growing vulnerabilities surrounding software supply chains and SaaS platforms. Attackers are increasingly focusing on targeting development pipelines and third-party service providers to indirectly gain access to corporate systems. The rapid spread of these attacks within trusted ecosystems can lead to multiple organizational breaches simultaneously, compounding security challenges.
A Record Surge in Infrastructure Attacks
In addition to identity-focused attacks, there has also been a notable upswing in infrastructure-scale threats. Distributed Denial-of-Service (DDoS) campaigns peaked at an unprecedented 31.4 Tbps, showcasing the growing capacity of modern threat actors to wield significant destructive power.
Final Thoughts
The evolving tactics employed by cybercriminals demonstrate a heightened level of sophistication that challenges traditional cybersecurity defenses. As Craig Jones, Chief Security Officer at Ontinue, asserts, organizations must adapt to the reality of these threats. This requires a shift from merely aiming to prevent breaches to proactively improving risk management and rapidly detecting and responding to threats. By collaborating with capable managed security providers, organizations can harness advanced technologies and real-time intelligence to fortify their defenses against modern cyber threats.
In conclusion, the insights gleaned from Ontinue's report serve as a stark reminder of the increasingly complex cyber threat landscape we face. Organizations must remain vigilant, adapt, and invest in robust security measures to safeguard their digital futures.