VYPR
Trend · Published Apr 29, 2026 · Updated May 18, 2026 · 1 source

KELA Report Reveals 2.9 Billion Compromised Credentials in 2025, AI-Driven Attacks Surge

KELA's 2026 threat report tracked 2.9 billion compromised credentials globally in 2025, with infostealer infections on macOS surging from under 1,000 to over 70,000 and a 45% increase in ransomware victims.

The threat landscape in 2025 was defined by a staggering volume of compromised credentials and the maturation of AI-driven attack workflows, according to a new report from threat intelligence firm KELA. The firm's 'State of Cybercrime 2026' report tracked nearly 2.9 billion compromised credentials globally last year, encompassing usernames, passwords, session tokens, and cookies harvested from infostealers, URL/login/password (ULP) lists, breached email repositories, and cybercrime marketplaces.

At least 347 million of those credentials were originally obtained by infostealers found on approximately 3.9 million infected machines. The numbers were significantly boosted by a massive increase in macOS infostealer infections, which surged from under 1,000 in 2024 to over 70,000 in 2025. Although not all credentials may have been valid, KELA noted the figures reflect 'the sheer scale and persistence of the threat.'

Beyond credential theft, the report documented a 45% annual increase in ransomware victims, reaching 7,549. Attacks were claimed by 147 active groups, including 80 new entities. KELA also tracked 238 vulnerabilities added to CISA's Known Exploited Vulnerabilities (KEV) Catalog in 2025, a 29% increase from 185 in 2024. The report noted that markets now favor 'fully weaponized mass-exploitation scripts and exclusive exploits over basic PoC code.'

Geopolitical tensions fueled a 400% increase in DDoS attacks to 3,500 in 2025, with 250 new hacktivist groups emerging. The weaponization of the software supply chain also accelerated, with adversaries increasingly pursuing OAuth compromises and deploying open-source worms in developer ecosystems.

KELA highlighted a fundamental shift in adversary behavior driven by artificial intelligence. 'Cybercriminals and APT groups have moved from using AI merely as a supportive tool in attacks to making it an essential component in the complexity, enhancement, and escalation of those attacks,' the report warned. Attacks have evolved from basic jailbreaking of LLMs to 'vibe hacking' for autonomous execution of entire workflows, with AI-assisted malware and prompt injection attacks designed to hijack agents becoming increasingly common.

'We're seeing a fundamental pivot in adversary behavior with the shift from AI-assisted tools to fully autonomous, agentic malicious workflows, where over 80% of operations require minimal human oversight,' said David Carmiel, CEO of KELA. 'Attackers no longer need to break in through a backdoor, they can quickly find the key and walk through the front using stolen credentials.'

The report underscores the growing challenge for defenders as credential-based attacks and AI-powered automation converge. KELA's findings suggest that organizations relying on stale intelligence and legacy defenses are increasingly vulnerable to attacks that adversaries can now run with unprecedented speed and scale.

Synthesized by Vypr AI