tW5yfSE
Anonymity Advisor
LEVEL 1
600 XP
Overview of last year's forecasts
1. The number of services offering cryptographers to bypass security software will grow
We regularly monitor underground markets for new cryptors designed to obfuscate code in malware samples. The main task of such tools is to hide malicious code from detection by security solutions. According to our experts, in 2024, there are noticeably more cryptographic ads on the darknet. Developers of this software are actively implementing new ways to bypass security systems and add them to the list of features of their commercial solutions.
Prices for such instruments remained the same: from $ 100. USD per month for regular cryptos available on darknet forums, up to $20,000. USD for private premium subscriptions. At the same time, there is an increase in the popularity of private premium solutions, which are gradually replacing public offers.
Verdict: the forecast came true
2. Downloader distribution services will continue to develop
As expected, bootloaders were actively distributed in 2024. Loaders with different functionality were presented on the shadow market: from mass and cheap to highly specialized, developed according to individual requirements and sold for thousands of dollars.
https://i.ibb.co/FBHkh1N/KSB-dark-web-predictions-01-1024x1024.pngExamples of posts about the sale of commercial downloaders
In addition, cybercriminals are increasingly using several programming languages. For example, the client part of the malware can be developed in C++, and the server administrative panel can be developed in Go.
In addition to the variety of downloader offerings, we also noted the demand for specific tools that trigger specific infection chains.
https://i.ibb.co/GsYxnjt/KSB-dark-web-predictions-02-1024x177.pngExample of a post about finding a loader taking into account specific requirements
Verdict: the forecast came true
3. The number of services with malware for stealing cryptocurrency assets will increase in the shadow markets
In 2024, we found an increase in the activity of drainers in the shadow markets — malicious tools for stealing crypto assets, such as tokens or NFTs. Throughout the year, new drainers appeared, which were actively advertised on darknet platforms. Separately, it is worth noting that the number of unique threads discussing drainers in underground markets increased from 55 in 2022 to 129 in 2024. Often these posts redirected users to Telegram channels.
Number of unique threads discussing drainers on darknet forums (https://media.kasperskycontenthub.c...12/13180237/01-en-ru-es-dark-web-diagrams.png)
In fact, in 2024, Telegram channels have become an important hub for drainer-related activity.
https://i.ibb.co/bLWh97T/KSB-dark-web-predictions-03-1024x327.pngDark web post directing potential accomplices to Telegram
Drainer developers are increasingly focusing on working with long-term customers, with the bulk of the activity being conducted through invite-only channels.
From a functional point of view, drainers have undergone few changes, mainly support for new types of crypto assets — coins, tokens, and NFTs — has been added. In addition, the first mobile drainer (https://research.checkpoint.com/2024/wallet-scam-a-case-study-in-crypto-drainer-tactics/) appeared in 2024.
Verdict: the forecast came true
4. Black traffic generation schemes will be very popular
Black traffic generation schemes in underground markets have remained popular in 2024. Black traffic merchants continued to promote malicious pages through ads that misled users. Such services were actively sold in underground markets, and stable demand emphasized the effectiveness of malware distribution through popular advertising platforms. This method remains the preferred way for attackers to reach a wide audience and poses a constant threat to internet users.
Verdict: the forecast came true partially
5. The market for bitcoin mixers and cryptocurrency anonymization services is evolving
In 2024, the number of services advertising solutions for cryptocurrency laundering did not show significant growth. Most popular services continue to operate on the market, while the competitive environment has changed only slightly.
Verdict: the forecast did not come true
Our predictions for 2025
1. Data leaks through contractors
In trusted relationship attacks between a company and a contractor, attackers first penetrate the provider's systems and then gain access to the target organization's infrastructure or data. Sometimes such attacks lead to serious data breaches, as was the case (https://www.wired.com/story/epam-snowflake-ticketmaster-breach-shinyhunters/) with Ticketmaster. Then the attackers allegedly gained access to their cloud account in Snowflake by hacking into the systems of a third-party contractor. The IntelBroker threat actor also used similar tactics. Together with his accomplices, he reportedly gained access through contractors to data from companies such as Nokia (https://hackread.com/hackers-claim-access-nokia-internal-data-selling-20k/), Ford, as well as several Cisco customers, including Microsoft. (https://www.csoonline.com/article/3...icrosoft-barclays-and-sap-developer-data.html)
https://i.ibb.co/VH39qcN/KSB-dark-web-predictions-04-1-1024x374.pngIntelBroker profile on the popular darknet "@ here"
forum We expect contractor attacks that result in data breaches to be more frequent in 2025. Cloud platforms and IT services often store data from multiple organizations, so a hack from one company can threaten the security of many others. It's important to note that a leak doesn't have to involve critical assets to be devastating. Not every report of a data breach on the dark web is related to a major incident. Information about the databases for sale may be unreliable. For example, attackers can pass off compilations of publicly available or previously leaked information as recent leaks. In addition, they may be promoting dubious data from an unknown source as a database of a well-known brand. By creating a stir around old, irrelevant or even non-existent data, attackers can cause public outcry, sow panic and damage the reputation of both suppliers and their customers.
https://i.ibb.co/KjKHybM/KSB-dark-web-predictions-05-1024x211.pngIntelBroker's message on the dark web about the alleged Tesla data breach, which was later edited and now claims that the leak refers to a third-party company providing electric vehicle
charging services Overall, there has been an increase in the number of announcements about the distribution of corporate databases on the dark web. For example, on one of the popular forums, the number of posts in August-November 2024 increased by 40% compared to the same period last year.
Number of dark web posts about database proliferation; one of the popular forums, August 2023 – November 2024 (https://media.kasperskycontenthub.c.../2024/12/13213058/02-ru-dark-web-diagrams.png)
This increase can be partly attributed to the republication or merging of old leaks, but attackers are clearly interested in spreading leaked data – both new and old, and sometimes fake. In 2025, we are likely to see not only an increase in the number of hacks and data breaches through contractors, but also an overall increase in the number of breaches.
2. Migration of criminal activity from Telegram to darknet forums
Despite the surge (https://securityreviewmag.com/?p=26906) in attacker activity on Telegram in 2024, we expect them to gradually return to darknet forums. Administrators of shadow Telegram channels are increasingly reporting that they are being blocked.
https://i.ibb.co/M235n3H/KSB-dark-web-predictions-06-1024x776.pngExamples of messages from cybercriminals announcing the blocking of their channels and accounts on Telegram
It is expected that the return or influx of attackers to darknet forums will increase competition between platforms. To attract new audiences, forum owners are likely to introduce new features and improve the conditions for data trading. For example, they may offer automated guarantor services, simplified dispute resolution, and enhanced security and anonymity measures.
3. Conducting large-scale and high-profile operations by law enforcement officers against APT groups
2024 has become a key year in the global fight against cybercrime. We have witnessed many successful operations by international task forces, such as Cronos (https://www.europol.europa.eu/media...t-disrupt-worlds-biggest-ransomware-operation) vs. LockBit, Magnus (https://thehackernews.com/2024/10/dutch-police-disrupt-major-info.html) vs. RedLine and MetaStealer, and Endgame vs. TrickBot, IcedID, and SmokeLoader. Among other things, we can highlight the seizure of the hacker forum BreachForums and the arrest of the administrators of the WWH-Club. Kaspersky Lab experts also actively assisted law enforcement agencies in the fight against cybercrime. For example, they supported INTERPOL-coordinated efforts to eliminate the Grandoreiro (https://www.kaspersky.com/about/pre...tion-to-disrupt-grandoreiro-malware-operation) malware, participated in cybersecurity during the 2024 Olympics (https://www.kaspersky.com/about/pre...o-counter-cybercrime-during-the-2024-olympics), and contributed to Operation Synergia II (https://www.kaspersky.com/about/pre...esulting-in-the-arrest-of-over-40-individuals), which aims to combat phishing, ransomware, and stealers. In addition, we participated in the joint INTERPOL-Afripol operation (https://www.kaspersky.com/about/pre...-operation-combating-cybercrime-across-africa) against cybercrime in Africa. These and other events have become examples of effective cooperation between law enforcement agencies and cybersecurity organizations.
We expect that in 2025 there will be an increase in the number of public arrests and measures to dismantle the infrastructure of malicious actors and shadow forums. At the same time, in response to the successful operations of 2024, attackers are likely to change tactics and start moving into deeper and more anonymous corners of the dark web. We also expect to see an increase in the popularity of private forums and invite-only access models.
4. Stealer and drainer distribution services will become even more popular on the darknet
Cryptocurrencies have been one of the main targets of attackers for many years. Under various pretexts, they lure cryptocurrency owners to fraudulent sites (https://securelist.ru/hot-and-cold-cryptowallet-phishing/107672/) and Telegram bots (https://www.kaspersky.ru/blog/toncoin-cryptocurrency-scam/37311/), as well as introduce cryptocurrency theft functionality into infostealers (https://securelist.ru/kral-amos-vidar-acr-stealers/110815/#kral) and banking Trojans (https://securelist.com/grandoreiro-banking-trojan/114257/). As the bitcoin rate continues to (https://www.reuters.com/technology/bitcoin-record-highs-sets-sights-100000-2024-11-22/) set records (https://www.reuters.com/technology/bitcoin-breaches-94000-first-time-2024-11-20/), the popularity of drainers designed to steal tokens from cryptocurrency wallets is likely to remain high next year.
Interest in cryptocurrencies will also be affected by infostealers — malware that steals confidential information from users' devices, including private keys of cryptocurrency wallets, passwords, cookies, and autofill form data. In recent years, we have seen (https://www.kaspersky.com/about/pre...ed-sevenfold-since-2020-kaspersky-experts-say) a sharp increase in credential leaks through this malware, and we expect this trend to continue and possibly intensify. Most likely, we will see the emergence of new stealer families along with an increase in the activity of existing ones.
Both stealers and drainers are likely to be increasingly offered on the dark web as services. Malware-as-a-Service (https://www.kaspersky.com/about/pre...ed-sevenfold-since-2020-kaspersky-experts-say) (MaaS), or subscription, is a business model on the dark web that allows you to rent software to carry out cyberattacks. Usually, customers of such services are provided with a personal account for managing the attack and technical support. This reduces the level of technical knowledge that a potential attacker must have.
addition to advertising stealers and drainers, you can also find ads on the dark web looking for traffickers — people who help attackers distribute and promote stealers, drainers, scams, and phishing pages.
https://i.ibb.co/Sy3fjxt/KSB-dark-web-predictions-08-1024x417.pngExamples of searching for traffic for drainers
https://i.ibb.co/1zmjY4k/KSB-dark-web-predictions-09-1024x276.pngExample of searching for traffic for cryptocurrency scams (not drainers)
5. Fragmentation of ransomware groups
We expect that in the coming year, groups of ransomware operators will continue to split into smaller, independent teams, which will make them more difficult to track, increase their level of flexibility and stealth. According to Kaspersky Digital Footprint Intelligence (DFI), in 2024, the number of sites with exfiltrated data (DLS) increased by 1.5 times compared to 2023. Despite this growth, the average number of unique posts per month remained at last year's (https://securelist.ru/darknet-predictions-for-2024/108801/) level.
Ransomware operators are likely to continue to use (https://securelist.ru/key-group-ransomware-samples-and-telegram-schemes/110670/) (https://securelist.com/lockbit-ransomware-builder-analysis/110370/) leaked source codes and malware collectors to create their own versions. This approach significantly reduces the barrier to entry for new teams, allowing them to avoid developing tools from scratch. The same applies to DLS portals: unskilled attackers can use the leaked source code of blogs of well-known groups to create almost exact copies, which can already be observed on the darknet.
https://i.ibb.co/F3ZjxbB/KSB-dark-web-predictions-10-1024x447.pngDLS Portal LockBit
https://i.ibb.co/D8CVLXM/KSB-dark-web-predictions-11-1024x448.pngDLS Portal DarkVault is almost an exact copy of the LockBit portal
6. Escalating Cyber Threats in the Middle East: The Rise of Hacktivism and Extortion
According to Kaspersky Digital Footprint Intelligence (DFI), in the first half of 2024, hacktivist activity has become one of the most significant (https://dfi.kaspersky.com/blog/whispers-from-darkweb) darknet-related cybersecurity threats in the Middle East. The region has seen an increase in hacktivist activity due to the current geopolitical situation, and if tensions do not subside, the situation is likely to worsen.
Kaspersky DFI researchers have documented more than 11 hacktivist movements and groups across the region. Amid the current geopolitical instability, hacktivists are moving from DDoS attacks and website deface attacks to more serious attacks aimed at stealing data and compromising organizations.
Another threat that is likely to remain relevant in the region is ransomware. Over the past two years, the number of victims of ransomware attacks in the Middle East has increased significantly (https://dfi.kaspersky.com/blog/whispers-from-darkweb), from an average of 28 in the first half of the year in 2022-2023 to 45 in the first half of 2024, according to DLS portals. This trend is likely to continue in 2025.
1. The number of services offering cryptographers to bypass security software will grow
We regularly monitor underground markets for new cryptors designed to obfuscate code in malware samples. The main task of such tools is to hide malicious code from detection by security solutions. According to our experts, in 2024, there are noticeably more cryptographic ads on the darknet. Developers of this software are actively implementing new ways to bypass security systems and add them to the list of features of their commercial solutions.
Prices for such instruments remained the same: from $ 100. USD per month for regular cryptos available on darknet forums, up to $20,000. USD for private premium subscriptions. At the same time, there is an increase in the popularity of private premium solutions, which are gradually replacing public offers.
Verdict: the forecast came true
2. Downloader distribution services will continue to develop
As expected, bootloaders were actively distributed in 2024. Loaders with different functionality were presented on the shadow market: from mass and cheap to highly specialized, developed according to individual requirements and sold for thousands of dollars.
https://i.ibb.co/FBHkh1N/KSB-dark-web-predictions-01-1024x1024.pngExamples of posts about the sale of commercial downloaders
In addition, cybercriminals are increasingly using several programming languages. For example, the client part of the malware can be developed in C++, and the server administrative panel can be developed in Go.
In addition to the variety of downloader offerings, we also noted the demand for specific tools that trigger specific infection chains.
https://i.ibb.co/GsYxnjt/KSB-dark-web-predictions-02-1024x177.pngExample of a post about finding a loader taking into account specific requirements
Verdict: the forecast came true
3. The number of services with malware for stealing cryptocurrency assets will increase in the shadow markets
In 2024, we found an increase in the activity of drainers in the shadow markets — malicious tools for stealing crypto assets, such as tokens or NFTs. Throughout the year, new drainers appeared, which were actively advertised on darknet platforms. Separately, it is worth noting that the number of unique threads discussing drainers in underground markets increased from 55 in 2022 to 129 in 2024. Often these posts redirected users to Telegram channels.
Number of unique threads discussing drainers on darknet forums (https://media.kasperskycontenthub.c...12/13180237/01-en-ru-es-dark-web-diagrams.png)
In fact, in 2024, Telegram channels have become an important hub for drainer-related activity.
https://i.ibb.co/bLWh97T/KSB-dark-web-predictions-03-1024x327.pngDark web post directing potential accomplices to Telegram
Drainer developers are increasingly focusing on working with long-term customers, with the bulk of the activity being conducted through invite-only channels.
From a functional point of view, drainers have undergone few changes, mainly support for new types of crypto assets — coins, tokens, and NFTs — has been added. In addition, the first mobile drainer (https://research.checkpoint.com/2024/wallet-scam-a-case-study-in-crypto-drainer-tactics/) appeared in 2024.
Verdict: the forecast came true
4. Black traffic generation schemes will be very popular
Black traffic generation schemes in underground markets have remained popular in 2024. Black traffic merchants continued to promote malicious pages through ads that misled users. Such services were actively sold in underground markets, and stable demand emphasized the effectiveness of malware distribution through popular advertising platforms. This method remains the preferred way for attackers to reach a wide audience and poses a constant threat to internet users.
Verdict: the forecast came true partially
5. The market for bitcoin mixers and cryptocurrency anonymization services is evolving
In 2024, the number of services advertising solutions for cryptocurrency laundering did not show significant growth. Most popular services continue to operate on the market, while the competitive environment has changed only slightly.
Verdict: the forecast did not come true
Our predictions for 2025
1. Data leaks through contractors
In trusted relationship attacks between a company and a contractor, attackers first penetrate the provider's systems and then gain access to the target organization's infrastructure or data. Sometimes such attacks lead to serious data breaches, as was the case (https://www.wired.com/story/epam-snowflake-ticketmaster-breach-shinyhunters/) with Ticketmaster. Then the attackers allegedly gained access to their cloud account in Snowflake by hacking into the systems of a third-party contractor. The IntelBroker threat actor also used similar tactics. Together with his accomplices, he reportedly gained access through contractors to data from companies such as Nokia (https://hackread.com/hackers-claim-access-nokia-internal-data-selling-20k/), Ford, as well as several Cisco customers, including Microsoft. (https://www.csoonline.com/article/3...icrosoft-barclays-and-sap-developer-data.html)
https://i.ibb.co/VH39qcN/KSB-dark-web-predictions-04-1-1024x374.pngIntelBroker profile on the popular darknet "@ here"
forum We expect contractor attacks that result in data breaches to be more frequent in 2025. Cloud platforms and IT services often store data from multiple organizations, so a hack from one company can threaten the security of many others. It's important to note that a leak doesn't have to involve critical assets to be devastating. Not every report of a data breach on the dark web is related to a major incident. Information about the databases for sale may be unreliable. For example, attackers can pass off compilations of publicly available or previously leaked information as recent leaks. In addition, they may be promoting dubious data from an unknown source as a database of a well-known brand. By creating a stir around old, irrelevant or even non-existent data, attackers can cause public outcry, sow panic and damage the reputation of both suppliers and their customers.
https://i.ibb.co/KjKHybM/KSB-dark-web-predictions-05-1024x211.pngIntelBroker's message on the dark web about the alleged Tesla data breach, which was later edited and now claims that the leak refers to a third-party company providing electric vehicle
charging services Overall, there has been an increase in the number of announcements about the distribution of corporate databases on the dark web. For example, on one of the popular forums, the number of posts in August-November 2024 increased by 40% compared to the same period last year.
Number of dark web posts about database proliferation; one of the popular forums, August 2023 – November 2024 (https://media.kasperskycontenthub.c.../2024/12/13213058/02-ru-dark-web-diagrams.png)
This increase can be partly attributed to the republication or merging of old leaks, but attackers are clearly interested in spreading leaked data – both new and old, and sometimes fake. In 2025, we are likely to see not only an increase in the number of hacks and data breaches through contractors, but also an overall increase in the number of breaches.
2. Migration of criminal activity from Telegram to darknet forums
Despite the surge (https://securityreviewmag.com/?p=26906) in attacker activity on Telegram in 2024, we expect them to gradually return to darknet forums. Administrators of shadow Telegram channels are increasingly reporting that they are being blocked.
https://i.ibb.co/M235n3H/KSB-dark-web-predictions-06-1024x776.pngExamples of messages from cybercriminals announcing the blocking of their channels and accounts on Telegram
It is expected that the return or influx of attackers to darknet forums will increase competition between platforms. To attract new audiences, forum owners are likely to introduce new features and improve the conditions for data trading. For example, they may offer automated guarantor services, simplified dispute resolution, and enhanced security and anonymity measures.
3. Conducting large-scale and high-profile operations by law enforcement officers against APT groups
2024 has become a key year in the global fight against cybercrime. We have witnessed many successful operations by international task forces, such as Cronos (https://www.europol.europa.eu/media...t-disrupt-worlds-biggest-ransomware-operation) vs. LockBit, Magnus (https://thehackernews.com/2024/10/dutch-police-disrupt-major-info.html) vs. RedLine and MetaStealer, and Endgame vs. TrickBot, IcedID, and SmokeLoader. Among other things, we can highlight the seizure of the hacker forum BreachForums and the arrest of the administrators of the WWH-Club. Kaspersky Lab experts also actively assisted law enforcement agencies in the fight against cybercrime. For example, they supported INTERPOL-coordinated efforts to eliminate the Grandoreiro (https://www.kaspersky.com/about/pre...tion-to-disrupt-grandoreiro-malware-operation) malware, participated in cybersecurity during the 2024 Olympics (https://www.kaspersky.com/about/pre...o-counter-cybercrime-during-the-2024-olympics), and contributed to Operation Synergia II (https://www.kaspersky.com/about/pre...esulting-in-the-arrest-of-over-40-individuals), which aims to combat phishing, ransomware, and stealers. In addition, we participated in the joint INTERPOL-Afripol operation (https://www.kaspersky.com/about/pre...-operation-combating-cybercrime-across-africa) against cybercrime in Africa. These and other events have become examples of effective cooperation between law enforcement agencies and cybersecurity organizations.
We expect that in 2025 there will be an increase in the number of public arrests and measures to dismantle the infrastructure of malicious actors and shadow forums. At the same time, in response to the successful operations of 2024, attackers are likely to change tactics and start moving into deeper and more anonymous corners of the dark web. We also expect to see an increase in the popularity of private forums and invite-only access models.
4. Stealer and drainer distribution services will become even more popular on the darknet
Cryptocurrencies have been one of the main targets of attackers for many years. Under various pretexts, they lure cryptocurrency owners to fraudulent sites (https://securelist.ru/hot-and-cold-cryptowallet-phishing/107672/) and Telegram bots (https://www.kaspersky.ru/blog/toncoin-cryptocurrency-scam/37311/), as well as introduce cryptocurrency theft functionality into infostealers (https://securelist.ru/kral-amos-vidar-acr-stealers/110815/#kral) and banking Trojans (https://securelist.com/grandoreiro-banking-trojan/114257/). As the bitcoin rate continues to (https://www.reuters.com/technology/bitcoin-record-highs-sets-sights-100000-2024-11-22/) set records (https://www.reuters.com/technology/bitcoin-breaches-94000-first-time-2024-11-20/), the popularity of drainers designed to steal tokens from cryptocurrency wallets is likely to remain high next year.
Interest in cryptocurrencies will also be affected by infostealers — malware that steals confidential information from users' devices, including private keys of cryptocurrency wallets, passwords, cookies, and autofill form data. In recent years, we have seen (https://www.kaspersky.com/about/pre...ed-sevenfold-since-2020-kaspersky-experts-say) a sharp increase in credential leaks through this malware, and we expect this trend to continue and possibly intensify. Most likely, we will see the emergence of new stealer families along with an increase in the activity of existing ones.
Both stealers and drainers are likely to be increasingly offered on the dark web as services. Malware-as-a-Service (https://www.kaspersky.com/about/pre...ed-sevenfold-since-2020-kaspersky-experts-say) (MaaS), or subscription, is a business model on the dark web that allows you to rent software to carry out cyberattacks. Usually, customers of such services are provided with a personal account for managing the attack and technical support. This reduces the level of technical knowledge that a potential attacker must have.
Loading…
i.ibb.co
https://i.ibb.co/Sy3fjxt/KSB-dark-web-predictions-08-1024x417.pngExamples of searching for traffic for drainers
https://i.ibb.co/1zmjY4k/KSB-dark-web-predictions-09-1024x276.pngExample of searching for traffic for cryptocurrency scams (not drainers)
5. Fragmentation of ransomware groups
We expect that in the coming year, groups of ransomware operators will continue to split into smaller, independent teams, which will make them more difficult to track, increase their level of flexibility and stealth. According to Kaspersky Digital Footprint Intelligence (DFI), in 2024, the number of sites with exfiltrated data (DLS) increased by 1.5 times compared to 2023. Despite this growth, the average number of unique posts per month remained at last year's (https://securelist.ru/darknet-predictions-for-2024/108801/) level.
Ransomware operators are likely to continue to use (https://securelist.ru/key-group-ransomware-samples-and-telegram-schemes/110670/) (https://securelist.com/lockbit-ransomware-builder-analysis/110370/) leaked source codes and malware collectors to create their own versions. This approach significantly reduces the barrier to entry for new teams, allowing them to avoid developing tools from scratch. The same applies to DLS portals: unskilled attackers can use the leaked source code of blogs of well-known groups to create almost exact copies, which can already be observed on the darknet.
https://i.ibb.co/F3ZjxbB/KSB-dark-web-predictions-10-1024x447.pngDLS Portal LockBit
https://i.ibb.co/D8CVLXM/KSB-dark-web-predictions-11-1024x448.pngDLS Portal DarkVault is almost an exact copy of the LockBit portal
6. Escalating Cyber Threats in the Middle East: The Rise of Hacktivism and Extortion
According to Kaspersky Digital Footprint Intelligence (DFI), in the first half of 2024, hacktivist activity has become one of the most significant (https://dfi.kaspersky.com/blog/whispers-from-darkweb) darknet-related cybersecurity threats in the Middle East. The region has seen an increase in hacktivist activity due to the current geopolitical situation, and if tensions do not subside, the situation is likely to worsen.
Kaspersky DFI researchers have documented more than 11 hacktivist movements and groups across the region. Amid the current geopolitical instability, hacktivists are moving from DDoS attacks and website deface attacks to more serious attacks aimed at stealing data and compromising organizations.
Another threat that is likely to remain relevant in the region is ransomware. Over the past two years, the number of victims of ransomware attacks in the Middle East has increased significantly (https://dfi.kaspersky.com/blog/whispers-from-darkweb), from an average of 28 in the first half of the year in 2022-2023 to 45 in the first half of 2024, according to DLS portals. This trend is likely to continue in 2025.