In the first six months of 2025, cybercriminals have already stolen billions of credentials, exploited thousands of vulnerabilities, and launched record-breaking ransomware attacks, leaving security teams and organizations worldwide scrambling to keep up.

A Flashpoint midyear tally shows credential theft has jumped ninefold, vulnerability disclosures have risen 3.5 times, and ransomware incidents have nearly tripled.

“In today’s threat environment, where kinetic conflict, digital sabotage, economic warfare, and terrorism can be intertwined, understanding the full spectrum of risk is critical,” said Andrew Borene, Flashpoint Executive Director, International Markets and Global Security. “By recognizing these converging threats and clearly communicating their implications to Boards and C-Suite leaders, security professionals can help their organizations address today’s crises while building the strategic resilience for what comes next.”

The US, India, and Brazil have been the most targeted in info-stealing and ransomware attacks in the six months ending June 30, 2025, according to a threat intelligence report by Flashpoint shared with CSO ahead of its publication on Thursday.

Credentials and breaches drove the attack chain

Credential theft via information-stealing malware rose by 800%, with 1.8 billion credentials stolen from 5.8 million infected hosts. Infostealers such as Lumma and Redline remain active despite takedowns, while new strains like StealC and Acreed are emerging, the report noted.

Stolen credentials directly fuelled a 235% surge in data breaches, which exposed 9.45 billion records in just six months. Nearly 78% of breaches were due to unauthorized access, disproportionately impacting sectors such as professional services, healthcare, finance, manufacturing, and information.

Borene commented that “the first half of 2025 has revealed a world in flux, where the boundaries between traditional warfare, cyber conflict, and geopolitical competition are dissolving.” He noted that these overlapping crises are increasingly reinforcing one another, magnifying the risks organizations face.

Exploits multiply as defenders play catch-up

Vulnerability disclosures rose by 246%, and publicly available exploits increased by 179%, with over 20,000 vulnerabilities disclosed in the first half of 2025, 35% of which already have exploit code.

A backlog of 42,000 vulnerabilities awaiting NVD analysis and delays in CVE enrichment leave organizations blind to many critical flaws, the report noted. Flashpoint advised risk-based patching that prioritizes remotely exploitable vulnerabilities with known fixes, potentially reducing workloads by up to 87%.

Borene noted that “A confluence of profound geopolitical shifts, traditional conflicts, emergent cyber threats, and escalating terrorism risk—all reinforce one another in a truly perilous fashion.” This convergence, he suggested, makes timely advanced intelligence essential for defenders.

A vulnerability breakdown by Flashpoint revealed a total of 2,447 remotely exploitable flaws with both patches and exploit code publicly available.

Ransomware’s relentless rise

Ransomware incidents spiked 179%, with manufacturing, technology, and legal industries among the hardest hit. Groups like Clop drove record activity by exploiting Cleo software flaws, while Akira and Qilin filled the void left by LockBit’s decline.

The United States bore the brunt, with 2,160 reported attacks, highlighting how ransomware-as-a-service (RaaS) continues to thrive despite global law enforcement pressure.

“With ransomware up 179% and data breaches surging 235%, the sheer scale of malicious activity is undeniable,” said Ian Gray, Flashpoint VP, cyber threat intelligence operations. “Effective defense now demands proactive, comprehensive threat intelligence to protect what matters most.”

The report urges organizations to adopt advanced threat intelligence, proactive identity protection, and faster patching strategies to disrupt attackers before they strike.
