In 2025, the cyber risk ecosystem experienced several changes due to new geopolitical scenarios with a consequent increase in automated attack techniques. Moreover, cyber threats recorded a 5.8% rise in reports related to data exposure on the dark web, compared to the previous year, with more than 2,200,000 alerts. In terms of the open web, on the other hand, the number of reports related to data exposure stood at 55,000, decreasing by 6.6% from 2024.

These are some of the findings from the CRIF Cyber Observatory, which analyzes the vulnerability of users and companies to cyber-attacks, outlining the main trends related to data exchanged on both the dark web and open web.

The evolution of the global political scenario is also reflected in cyber threats: one emblematic example is Iran, rising from the 124^th position to the 3^rd in the compromised e-mail addresses global ranking.

The Cyber Observatory shows that cyberattacks are not just rising in number, but are also becoming difficult to identify and counter, thanks to the availability of an unprecedented amount of data and ever more sophisticated compromising techniques. Among the most popular ones, there are smishing, phishing, vishing and spear phishing campaigns, that are more effective because of Artificial Intelligence.

At the same time, the risk of account takeover is on the rise, favored by the combination of stolen credentials and hyper-personalized social engineering. To complete the picture, we see the fast proliferation of stealers-as-a-service, capable of acquiring full data packets, which are extremely valuable for the criminal market, and exposing users to significant risk.

“The cyber threats landscape is rapidly and constantly evolving. In 2025 we saw the rise of new technologies and actors, with phishing attacks upgraded by AI and hyper-personalized content deceiving victims with unprecedented precision. However, 2025 has also highlighted another front: companies are becoming increasingly exposed and attractive targets. Wealthier data combinations circulate in the dark web, including personal information, as well as professional credentials and references to business accounts. These datasets allow precise attacks against business processes and operative platforms, turning every compromised credential into a potential entry point to the organization’s systems” states Beatrice Rubini, Executive Director of Mister Credit line by CRIF, who goes on to say: “Protecting our data and paying attention to what we share remains essential, but it is not enough: today it is fundamental to identify the new attack techniques made possible by Artificial Intelligence, such as e-mails generated by advanced language models, deepfake audio and video, convincing multi-channel phishing campaigns”. 

Data combinations most exposed on the dark web

The most exposed and vulnerable categories of data on the dark web are passwords, e-mail addresses, usernames, residential addresses and full names. Data related to phone numbers, personal identifiers and credit cards are also frequently found.

Analysis of the most frequently exposed data combinations in 2025 reveals that the combination of credit card numbers and full name is found in 94,2% of cases, which is particularly worrying due to the major risk of financial fraud. The combination of password and email address remains extremely common, with the first appearing next to the second in 91,5% of cases. Whereas the theft of both username and password, which accounts for 85,2% of cases, is mainly related to corporate accounts, underlying potential vulnerabilities in companies.

This data confirms that account theft continues to be a priority for hackers, underlining the importance of adopting secure password management practices, such as the use of unique credentials, regular updates, and the use of password managers.

The full residential address, associated with phone numbers in 44,5% of cases, is also very attractive to cybercriminals. Moreover, the widespread association of passport numbers with first and last names (64,6%) and passport number with full residential address (57,5%) broadens the risk of identity theft, impersonation and advanced profiling.

Data Souce Provider: Cyber CRIF Observatory

Most frequent types of accounts on the dark web

Excluding e-mail services, usernames found on the dark web are mostly associated with online services (53,7%), followed by accounts related to popular social networks (15%) and web sites (10,4%). In fourth place we find the theft of accounts associated with gaming (5,9%), increased by 22,9%, followed by governmental services (5,2%), while e-commerce platforms occupy 6th position (5%).

Data Source Provider: Cyber CRIF Observatory

Stolen credentials can be used for a wide variety of criminal purposes: unauthorized access to victims’ accounts, misusing services, sending messages with requests for money or phishing links, distributing malware or ransomware, and generally extorting or stealing money.

The “human factor” plays a crucial role in these data thefts, as user negligence is one of the most common causes, together with weak passwords or passwords used across multiple accounts.

In addition to this dynamic, Account Takeover attacks (ATO) are expanding, striking not only traditional accounts, but messaging services such as WhatsApp as well.

Another commonality across certain account types (such as social networking, streaming and gaming platforms) is the willingness of users to give their credentials out to seemingly innocent services that offer freebies or extra features, when in fact often this is a simple credential-harvesting tool.

An international comparison: Countries most affected by data theft

In terms of the countries most affected by online e-mail and password theft, the USA is still in top spot, followed by Russia, Iran, Germany, and France. Italy is in 6^th position, followed by the United Kingdom. As anticipated above, the increase in Iranian accounts can partially be attributed to geopolitical tensions of the Middle East and that seems to be confirmed by the fact that government agencies have especially been targeted.

Regarding the countries most affected by the exchange of stolen credit card data, Russia is in 1^st place, followed by India and the United States.

The ranking of continents most affected by illicit credit card data exchange still places Europe at the top (78,3%), with a significant increase compared to 2024 (+32,1%), followed by Asia (13,1%) and North America (5,7%).

Data Source Provider: Cyber CRIF Observatory

“In a context characterized by geopolitical tensions and increasingly automated cyber-attacks, preventive safety measures and rapid responses are essential to protect people, companies, critical infrastructures and institutions from targeted threats. As CRIF, we continue educating users on these evolving dangers, encouraging them to safeguard their personal data and keep updated on new kinds of online scams, since lack of awareness is still the most exploited element by attackers.” - concludes Beatrice Rubini.

Open full infographic

The information contained in this article is provided for informational purposes only and does not constitute professional advice and is not guaranteed to be accurate, complete, reliable, current or error-free.