Stolen credentials are a major, industrialised threat underpinning ransomware, SaaS breaches and geopolitical attacks: infostealers harvest the credentials, and the resulting logs are sold on the black market. The piece notes more than 7,000 incidents and 129 active ransomware groups tracked through 2025, while ransom payments fell from $892M in 2024 to $820M in 2025, a shift linked to larger targets facing greater pressure not to pay.
Ontinue reports that listings tied to LummaC2 surged by 72%, with high-privilege cloud credentials selling for $1,000–$15,000+. The Shai-Hulud npm worm and the Salesloft Drift OAuth campaign in 2025 demonstrated how trusted credentials fuel supply-chain and SaaS attacks.
Analysts such as Trey Ford of Bugcrowd and Nathaniel Jones of Darktrace describe a move toward multi-layer extortion and AI-assisted attack development, while industry leaders urge organisations to treat identity as the core control plane and to monitor authentication activity as closely as endpoint behaviour. Citing Ontinue, the article also highlights geopolitical tension widening the cyber battlefield, with both nation-state and politically motivated actors targeting civilian entities.