Nearly 2.9 billion compromised credentials were tracked globally in 2025, according to a sweeping new analysis that lays out how stolen logins, automated malware and AI-driven workflows reshaped the threat landscape.
KELA’s tally: what makes up 2.9 billion compromised credentials
The threat intelligence firm KELA reports that its latest study, The State of Cybercrime 2026: Emerging Threats & Predictions, tracked nearly 2.9 billion compromised credentials last year. Those records include usernames, passwords, session tokens and cookies found in URL, login and password (ULP) lists, breached email repositories and items sold on cybercrime marketplaces. KELA cautioned that individual credentials "may or may not have been valid," but said the numbers reflect "the sheer scale and persistence of the threat."
Infostealers and infected endpoints: 347 million credentials from 3.9 million machines
At least 347 million of the compromised items were originally obtained by infostealers operating on roughly 3.9 million infected machines, KELA found. The firm said those figures were significantly boosted by a dramatic rise in macOS-targeting infostealers, with macOS infections jumping from under 1,000 in 2024 to over 70,000 in 2025 — a surge that helped swell the overall credentials pool.
Ransomware victims, active extortion groups, and vulnerability trends
KELA recorded a 45% year‑over‑year increase in ransomware victims, rising to 7,549 in 2025, and identified 147 active ransomware groups, including 80 entities that appeared for the first time. On the vulnerability front, KELA noted that 238 vulnerabilities were added to CISA's Known Exploited Vulnerabilities (KEV) Catalog in 2025, up 29% from 185 additions in 2024. The report also observed a market shift toward fully weaponized, mass‑exploitation scripts and exclusive exploits, as opposed to basic proof‑of‑concept code.
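The KEV figures above are easiest to reproduce against the catalog itself, which CISA publishes as a JSON feed. The following is an added example, not code from KELA's report or from CISA, that parses a constructed sample shaped like that feed (the field names cveID, vendorProject, product, dateAdded, dueDate and knownRansomwareCampaignUse are the real feed's; the CVE ids are placeholders), counts additions per year, computes the year-over-year growth the report cites, and lists entries whose remediation due date has passed for products in a hypothetical asset inventory.

```python
import json
from collections import Counter
from datetime import date

# Constructed sample shaped like CISA's KEV JSON feed (same field names as the
# real feed). The CVE ids are placeholders, not real catalog entries.
SAMPLE_KEV_JSON = json.dumps({
    "title": "Constructed KEV sample",
    "vulnerabilities": [
        {"cveID": "CVE-2024-PLACEHOLDER-1", "vendorProject": "ExampleVendor", "product": "Gateway",
         "dateAdded": "2024-03-10", "dueDate": "2024-03-31", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2024-PLACEHOLDER-2", "vendorProject": "ExampleVendor", "product": "Agent",
         "dateAdded": "2024-11-02", "dueDate": "2024-11-23", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2025-PLACEHOLDER-1", "vendorProject": "ExampleVendor", "product": "Gateway",
         "dateAdded": "2025-01-15", "dueDate": "2025-02-05", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2025-PLACEHOLDER-2", "vendorProject": "OtherVendor", "product": "Mailer",
         "dateAdded": "2025-06-20", "dueDate": "2025-07-11", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2025-PLACEHOLDER-3", "vendorProject": "ExampleVendor", "product": "Gateway",
         "dateAdded": "2025-12-01", "dueDate": "2025-12-22", "knownRansomwareCampaignUse": "Known"},
    ],
})


def load_entries(kev_json):
    """Return the list of catalog entries from a KEV-shaped JSON document."""
    return json.loads(kev_json)["vulnerabilities"]


def additions_per_year(kev_json):
    """Count catalog additions by the year of their dateAdded field."""
    return dict(Counter(date.fromisoformat(e["dateAdded"]).year for e in load_entries(kev_json)))


def yoy_growth_pct(current, previous):
    """Year-over-year growth in percent; the report's 185 -> 238 comes out at about 28.6%."""
    return (current - previous) / previous * 100


def ransomware_linked(kev_json):
    """Entries CISA marks as used in known ransomware campaigns, for prioritisation."""
    return sorted(e["cveID"] for e in load_entries(kev_json)
                  if e["knownRansomwareCampaignUse"] == "Known")


def overdue_for(kev_json, inventory, today):
    """Entries past their remediation due date whose (vendorProject, product) is in the inventory.

    `inventory` is a set of (vendor, product) pairs from a hypothetical asset list;
    `today` is a date or an ISO date string.
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    return sorted(
        e["cveID"] for e in load_entries(kev_json)
        if (e["vendorProject"], e["product"]) in inventory
        and date.fromisoformat(e["dueDate"]) < today
    )


if __name__ == "__main__":
    counts = additions_per_year(SAMPLE_KEV_JSON)
    print("additions per year:", counts)
    print("sample growth 2024->2025: %.1f%%" % yoy_growth_pct(counts[2025], counts[2024]))
    print("report growth 185->238: %.1f%%" % yoy_growth_pct(238, 185))
    inventory = {("ExampleVendor", "Gateway"), ("ExampleVendor", "Agent")}
    print("overdue for inventory:", overdue_for(SAMPLE_KEV_JSON, inventory, "2025-12-10"))
    print("ransomware-linked:", ransomware_linked(SAMPLE_KEV_JSON))
```

Pointing `load_entries` at the downloaded feed instead of the sample gives the real per-year counts; the overdue check is the part a vulnerability-management team actually acts on, because a KEV entry only matters once it is matched to something in the inventory.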
AI dominates the kill chain: from supportive tool to agentic workflows
KELA documented broad adoption of artificial intelligence across attack phases, saying that "cybercriminals and APT groups have moved from using AI merely as a supportive tool in attacks to making it an essential component in the complexity, enhancement, and escalation of those attacks." The report describes a progression beyond basic LLM jailbreaking to techniques KELA calls "vibe hacking" that enable autonomous execution of complete workflows. KELA also flagged an increase in AI‑assisted malware and prompt‑injection attacks designed to hijack agent systems.
David Carmiel, CEO of KELA, framed the change starkly: "We’re seeing a fundamental pivot in adversary behavior with the shift from AI‑assisted tools to fully autonomous, agentic malicious workflows, where over 80% of operations require minimal human oversight." Carmiel added that attackers "no longer need to break in through a backdoor, they can quickly find the key and walk through the front using stolen credentials," and KELA warned that organizations relying on stale intelligence and legacy defenses instead of AI‑powered solutions are increasing their exposure.
Hacktivism, DDoS, and supply‑chain weaponization
The report tied rising geopolitical tensions to a wave of disruptive activity: KELA counted 250 new hacktivist groups in 2025 and a 400% increase in distributed denial‑of‑service activity, totaling about 3,500 attacks for the year. It also called out growing weaponization of the software supply chain, including OAuth compromise and the emergence of open‑source worms inside developer ecosystems.
What this means for technologists, policymakers, and end users
- Technologists and security teams should register the dual pressures documented by KELA: credential theft at massive scale (including a marked macOS trend), and a shift toward AI‑driven, minimally supervised attack workflows that leverage stolen credentials and weaponized exploit tooling.
- Policymakers and regulators will see signals in the KEV Catalog growth — 238 additions in 2025, up 29% from 2024 — and in the proliferation of new ransomware and hacktivist groups; those metrics point to a rising operational tempo for vulnerability management and incident response planning.
- End users and enterprise buyers face a broader threat surface: billions of credential records of uncertain validity in circulation, thousands of ransomware victims, thousands of DDoS incidents, and supply‑chain compromise vectors. KELA’s analysis underscores how credential exposure and AI‑augmented attacks can compound risk.
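For a security team, the practical question behind the credential figures is which of its own accounts appear in the ULP lists the report describes. The following is an added example, not KELA's tooling, that assumes a `url:login:password` line layout (an assumption; the report does not specify one), filters a constructed dump for logins on watched domains, and records only a hashed fingerprint of each password so that reuse across accounts can be spotted without retaining plaintext.

```python
import hashlib
import re
from collections import defaultdict

# Assumed ULP line layout: url:login:password (this example's assumption; the report
# does not specify one). The URL may carry a port and the password may itself
# contain colons, so the pattern anchors on the URL rather than splitting blindly.
ULP_LINE = re.compile(r"^(?P<url>\w+://[^/:]+(?::\d+)?[^:]*):(?P<login>[^:]*):(?P<password>.*)$")

# Constructed sample dump; nothing here is a real credential.
SAMPLE_ULP_LINES = [
    "https://mail.example.com/login:alice@example.com:Winter2025!",
    "https://portal.example.com:8443/auth:bob@example.com:hunter2",
    "https://shop.other.test/account:carol@other.test:p@ss:word",
    "android://com.example.app/:dave@EXAMPLE.com:Winter2025!",
    "https://mail.example.com/login:alice@example.com:Winter2025!",  # duplicate record
    "not a ulp line",
]


def parse_ulp_line(line):
    """Return {'url', 'login', 'password'} for a well-formed line, else None."""
    m = ULP_LINE.match(line.strip())
    return m.groupdict() if m else None


def login_domain(login):
    """Lower-cased domain of an e-mail style login, or None for bare usernames."""
    _, at, domain = login.rpartition("@")
    return domain.lower() if at else None


def password_fingerprint(password):
    # Correlates reuse without keeping plaintext. It is unsalted by design (the same
    # password must map to the same fingerprint), so the output is still sensitive.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()[:16]


def exposed_accounts(lines, watched_domains):
    """Map each login on a watched domain to the set of distinct password fingerprints seen for it."""
    watched = {d.lower() for d in watched_domains}
    hits = defaultdict(set)
    for line in lines:
        cred = parse_ulp_line(line)
        if cred is None or login_domain(cred["login"]) not in watched:
            continue
        hits[cred["login"].lower()].add(password_fingerprint(cred["password"]))
    return dict(hits)


def reused_passwords(hits):
    """Fingerprints shared by more than one login, i.e. one password on several accounts."""
    by_fp = defaultdict(set)
    for login, fps in hits.items():
        for fp in fps:
            by_fp[fp].add(login)
    return {fp: sorted(logins) for fp, logins in by_fp.items() if len(logins) > 1}


if __name__ == "__main__":
    hits = exposed_accounts(SAMPLE_ULP_LINES, ["example.com"])
    for login, fps in sorted(hits.items()):
        print(f"{login}: {len(fps)} distinct password(s) exposed")
    for fp, logins in reused_passwords(hits).items():
        print(f"fingerprint {fp} shared by {', '.join(logins)}")
```

The output is a reset list, not evidence that any credential is still valid (the report makes the same caveat), which is why the check feeds a forced-reset or step-up-authentication workflow rather than a verdict on compromise.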
KELA’s findings paint a picture of a threat environment where scale, automation and weaponized exploit markets intersect. The report leaves a clear challenge for defenders: how to adapt detection, patching and authentication approaches in a world where stolen credentials, mass‑exploitation scripts and autonomous AI agents increasingly determine which attacks succeed. As KELA emphasizes, the choice between legacy defenses and AI‑enhanced countermeasures may be the difference between a contained incident and a cascade of compromise.