Over the course of 2025, the cybercriminal underground underwent a dramatic transformation in how stolen data was shared and distributed. Long-standing data leak forums and ransomware leak sites were seized in a wave of coordinated law-enforcement takedowns. Meanwhile, platforms like Telegram changed their terms and conditions and tightened their moderation, removing channels and bots that once made stolen data easy to access. Though it may seem on the surface as if there are fewer hacks, the cybercrime data-sharing ecosystem has in fact simply become quieter, more gated, and more monetised.
A New Era of Law Enforcement Pressure
One of the main reasons, and ultimately the overriding reason, that the landscape shifted so dramatically in 2025 was the sharp increase in law enforcement effectiveness. Over the early 2020s, agencies gradually improved at taking down dark forums, ransomware leak sites, Telegram bots distributing stolen data, and cloud storage used for hosting data dumps. As law enforcement recognised the impact stolen data was having not just on businesses but also on individuals, agencies improved their tactics, seizing servers and obtaining warrants for jurisdictions that were previously untouchable, which made their efforts far wider-reaching. A notable example came in April 2025, when BreachForums, one of the largest and longest-running data leak forums, was taken down once and for all in a coordinated international operation, after a year of repeatedly reappearing following seizures.
This rising pressure triggered paranoia among threat actors. Even those with strong operational security found that the old protections no longer guaranteed safety. The once-popular large, centralised data-sharing forums came to be seen as liabilities, and bad actors were seen scattering, disappearing, or shifting to new ways of sharing stolen data. As a result, less stolen data has appeared publicly in 2025 than in any year before it. On the other hand, this has pushed bad actors further underground, where they have found more discreet methods of sharing the data they were once able to share so easily.
Migration to Pay-for-Access Forums
As forum seizures ramped up and administrators increasingly found themselves arrested or indicted, the dark-forum ecosystem adapted in response in 2025. Many long-standing platforms introduced tighter posting rules, limiting what kinds of stolen data could be shared openly. In some cases, datasets could only be posted if users paid for the privilege using forum-specific currency. More noticeable, however, was the general downturn in data being posted on the popular dark forums. Instead, bad actors shifted to premium-access communities such as Exploit, RAMP and other invite-only Russian forums, where cybercrime enforcement remains weaker and where anonymity is easier to maintain.
These gated communities operate with rigid entry barriers: steep entrance fees, referrals from long-standing members, or proof of technical expertise. This model ensures that only high-value contributors, established hackers, or individuals willing to invest significant money can join. The surge in applicants in 2025 also pushed these forums to adopt anti-leak policies where members who repost data outside the platform risk immediate bans, and many breach samples now include invisible watermarks to trace the source of any leaks.
Changing Guidelines for Telegram
Telegram had long been the go-to messaging platform for distributing stolen data, but this all changed in 2025. Following the arrest of Telegram CEO Pavel Durov in August 2024, Telegram overhauled its terms of service and privacy policy, which permanently changed how the platform operates and removed much of the anonymity that made it attractive to cybercriminals. The crackdown targeted criminality occurring on the platform, which included the sharing of stolen data. Throughout 2025, automated moderation systems flagged and removed large numbers of channels. Many of the groups, including those monitored by White Blue Ocean, were seized. These channels often hosted full data breaches, compiled credential lists, and illicit logs.
Whilst this did stop casual leeching (where data is easily accessible for free), it did not stop bad actors from finding new ways to distribute their data. Many channels went private, accessible only through invite, or were replaced with pay-to-view subscription models. These measures are not foolproof, as even private channels are regularly taken down, but they appear to be taken down at a slower rate than the publicly available channels. In effect, they slow but do not prevent the inevitable automated Telegram takedown.
Rise of Private Cloud Storage & Subscription Distribution
Alongside the migration to closed forums, 2025 also saw the explosive rise of private, cloud-based subscription models. Over the year, there has been a sharp increase in cloud repositories containing up to terabytes of stolen data and offered on a subscription basis. They often feature ongoing updates with new and fresh data, search tools to facilitate navigation, and occasional exclusive data not available anywhere else. In this sense, a data-as-a-service (DaaS) model has emerged, in which stolen data is not simply stolen and posted on a forum or Telegram but is packaged, hosted and resold. This approach is more stable, harder to track, and profitable. Instead of a one-off sale, data becomes a recurring revenue stream that is highly lucrative. While the data itself is no longer posted publicly on forums, many forums continue to promote these subscription-based cloud offerings, directing members to these hidden repositories.
Looking Ahead to 2026
Looking ahead, 2026 is likely to see the cybercriminal underground continue the trends set in 2025, but in ways that are faster, smarter, and more automated. With hackers already moving data sharing into private clouds and subscription models, the next step will be the wider adoption of AI and automation. AI tools will help bad actors find, organise, and sell stolen data more efficiently, meaning stolen information could be packaged, searched, and delivered more quickly than ever before.
At the same time, the underground will remain highly selective. Access to data will continue to be gated, with private clouds and invite-only forums keeping the most high-value stolen data hidden from the general public. Hackers are likely to use AI not just to distribute data faster, but also to better protect themselves, spotting attempts to trace or disrupt their operations before law enforcement can act.
While this may sound alarming, it also underscores a key point: the cybercrime ecosystem is not shrinking, it’s evolving. The data is still there, but it’s harder to see and harder to reach. For 2026, the emphasis will likely be on speed, efficiency, and discretion, with AI helping hackers work smarter rather than more openly.