IBM X-Force reports 44% surge in exploitation of public-facing applications as supply chain and identity attacks intensify

The IBM X-Force Threat Intelligence Index 2026 paints a stark picture of a threat landscape defined less by novelty than by scale, speed and systemic weakness. Drawing on incident response engagements, penetration tests and underground monitoring, IBM’s X-Force team found that attackers in 2025 leaned heavily on exploiting public-facing applications, exposed systems and fragile software supply chains to gain initial access. 

Credential theft remained central to major campaigns, amplified by infostealer malware and the rapid uptake of AI chatbot platforms, where stolen login data increasingly surfaced on dark web marketplaces. At the same time, ransomware groups splintered into smaller, more volatile operations, while nation-state and cybercriminal tactics continued to blur, complicating attribution and response. 

Although AI (artificial intelligence) accelerated reconnaissance and social engineering, many breaches still traced back to basic failures such as weak authentication, misconfigurations and poor visibility across cloud and development environments. The overarching message is clear: identity protection, disciplined patching and secure configuration across interconnected ecosystems are no longer optional controls but the foundation of cyber resilience.

According to the IBM X-Force Threat Intelligence Index 2026, exploitation of public-facing applications rose 44% in 2025 as attackers increasingly targeted software supply chains, development ecosystems and trusted infrastructure to gain initial access. X-Force tracked nearly 40,000 vulnerabilities during the year, and 56% of disclosed flaws did not require authentication to exploit, underscoring persistent gaps in secure-by-design practices and showing that many attackers succeeded without credentials, MFA bypass or user interaction.

Infostealer malware drove the exposure of more than 300,000 ChatGPT credentials observed for sale on dark web marketplaces in 2025, signaling that AI platforms now carry credential risks comparable to core enterprise SaaS systems. Although none of the posted credentials remained valid, they were consistently linked to infostealer infections and previously leaked credential collections. Over five years, X-Force also recorded an almost 4x increase in major supply chain or third-party breaches, as adversaries exploited developer trust relationships and identity integrations to pivot into cloud environments and maintain persistence across interconnected systems. Techniques once largely associated with nation-state actors are now widely adopted by financially motivated groups.

Ransomware activity grew more fragmented, with a 49% increase in active ransomware groups compared to 2024. X-Force identified 109 extortion groups in 2025, up from 73 the previous year, reflecting lower barriers to entry as operators reused leaked tooling, recycled playbooks and shifted identities to conduct opportunistic, low-volume attacks.

Manufacturing remained the most targeted industry for the fifth consecutive year, accounting for 27.7% of incidents, slightly higher than 26% in 2024. Finance and insurance followed closely at 27% in 2025, up from 23% the prior year. Regionally, 29% of attacks targeted North America, making it the most attacked region for the first time in six years and rising from 24% in 2024. Asia Pacific, by contrast, saw its share decline from 34% to 27%.

The IBM X-Force Threat Intelligence Index 2026 shows a clear shift in initial access tactics in 2025. After two years in which abuse of valid credentials dominated, exploitation of public-facing applications surged 44%, accounting for 40% of incidents, compared with 32% tied to stolen or misused credentials. Attackers increasingly exploited vulnerabilities and misconfigurations in internet-facing applications, a trend fueled by fragile supply chains, insecure development practices and weaknesses such as poor authentication and insecure code. At the same time, vulnerability disclosures continued to rise, with 56% of tracked flaws requiring no authentication, significantly expanding the attack surface.
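The "56% required no authentication" figure above maps to the CVSS v3.1 Privileges Required metric (PR:N), and the report's "no credentials, MFA bypass or user interaction" phrasing adds User Interaction (UI:N) and, for internet-facing applications, Attack Vector (AV:N). The following is an added example, not code or data from the IBM report, showing how a team would triage its own vulnerability feed for that class; the identifiers and vector strings are constructed for illustration.

```python
"""Triage CVSS v3.x vectors for flaws reachable without authentication.

Added example (not from the IBM report): pull out vulnerabilities that need
no privileges (PR:N), no user interaction (UI:N) and are reachable over the
network (AV:N). The identifiers and vectors in SAMPLE_FEED are constructed.
"""
import re
from collections import Counter

# Accepts CVSS:3.0 and CVSS:3.1 vectors; metric names are 1-2 letters, values 1 letter.
VECTOR_RE = re.compile(r"^CVSS:3\.[01]/(?P<body>[A-Z]{1,2}:[A-Z](?:/[A-Z]{1,2}:[A-Z])*)$")
BASE_METRICS = ("AV", "AC", "PR", "UI", "S", "C", "I", "A")


def parse_cvss31(vector: str) -> dict:
    """Parse a CVSS v3.x vector string into a metric -> value dict.

    Raises ValueError on malformed input or when a base metric is missing,
    so a bad feed row cannot silently pass as 'no privileges required'.
    """
    m = VECTOR_RE.match(vector.strip())
    if not m:
        raise ValueError(f"not a CVSS v3 vector: {vector!r}")
    metrics = {}
    for part in m.group("body").split("/"):
        key, value = part.split(":")
        if key in metrics:
            raise ValueError(f"duplicate metric {key} in {vector!r}")
        metrics[key] = value
    missing = [k for k in BASE_METRICS if k not in metrics]
    if missing:
        raise ValueError(f"missing base metrics {missing} in {vector!r}")
    return metrics


def is_unauthenticated_remote(metrics: dict) -> bool:
    """True when exploitable from the network with no credentials and no user click."""
    return metrics["AV"] == "N" and metrics["PR"] == "N" and metrics["UI"] == "N"


def triage(feed):
    """Return (matching_ids, Counter of PR values) for (identifier, vector) rows.

    Malformed rows are skipped but counted under 'malformed' so the share
    computed from the result is over parseable rows only.
    """
    matches = []
    pr_counts = Counter()
    for ident, vector in feed:
        try:
            metrics = parse_cvss31(vector)
        except ValueError:
            pr_counts["malformed"] += 1
            continue
        pr_counts[metrics["PR"]] += 1
        if is_unauthenticated_remote(metrics):
            matches.append(ident)
    return matches, pr_counts


# Constructed sample feed: identifiers and vectors are illustrative only.
SAMPLE_FEED = [
    ("VULN-0001", "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"),  # pre-auth RCE
    ("VULN-0002", "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"),  # needs a login
    ("VULN-0003", "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"),  # needs a click
    ("VULN-0004", "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"),  # local only
    ("VULN-0005", "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"),  # hard, but pre-auth
    ("VULN-0006", "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H"),      # malformed: A missing
]

if __name__ == "__main__":
    ids, counts = triage(SAMPLE_FEED)
    parseable = sum(v for k, v in counts.items() if k != "malformed")
    print("unauthenticated, remote, no-interaction:", ids)
    print(f"PR:N share of parseable rows: {counts['N'] / parseable:.0%}")
```

Note that PR:N alone (the report's "no authentication" category) is broader than the AV:N/PR:N/UI:N filter: VULN-0003 and VULN-0004 count toward the PR:N share but are not remotely exploitable without a victim action, which is why the two numbers are reported separately.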

Although no longer the top vector, legitimate credentials remained central to many campaigns. Threat actors used phishing, infostealers and targeted malware to harvest login data, then blended into normal authentication flows to move laterally and maintain persistence. Research also showed how compromising systems such as Microsoft System Center Configuration Manager could allow attackers to decrypt stored service-account passwords and pivot across enterprise environments without deploying additional exploits. Credential harvesting was the most common impact observed in 2025.

The rapid adoption of AI chatbots introduced another credential exposure risk. Infostealer infections led to more than 300,000 ChatGPT credentials being advertised for sale, and incidents demonstrated how stolen chatbot tokens could enable access to connected enterprise systems. Even as law enforcement disrupted parts of the infostealer ecosystem, stolen credentials from earlier campaigns continued to resurface, reinforcing a consistent lesson: stronger authentication, tighter access controls and better visibility into credential exposure remain essential to reducing risk.
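The "visibility into credential exposure" the paragraph calls for is usually implemented as a lookup against a breach corpus that never receives the password itself. The following is an added example, not tooling from the IBM report: a k-anonymity range check in the shape of Have I Been Pwned's Pwned Passwords range API, where only the first five hex characters of the SHA-1 hash leave the client and the match is done locally. The same shape works against an internal corpus of infostealer dumps. The range body and its counts are constructed, and the HTTP call is left to the caller.

```python
"""Check a password against a breach corpus without disclosing it.

Added example (not from the IBM report). Protocol shape is that of the
Pwned Passwords range API: GET <endpoint>/<first 5 hex of SHA-1>, response
is one 'SUFFIX:COUNT' line per hash in that bucket. The bucket contents
below are constructed; the network fetch is injected so this runs offline.
"""
import hashlib

RANGE_ENDPOINT = "https://api.pwnedpasswords.com/range/"  # public range API


def sha1_prefix_suffix(password: str):
    """Split the uppercase SHA-1 hex digest into the 5-char prefix sent
    to the service and the 35-char suffix matched locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def range_url(password: str) -> str:
    """URL a caller would GET; it carries the 5-char prefix only."""
    prefix, _ = sha1_prefix_suffix(password)
    return RANGE_ENDPOINT + prefix


def parse_range_response(body: str) -> dict:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}.

    Blank lines are tolerated and zero-count padding entries (which the
    service can include) are kept; anything else malformed raises so a
    truncated or tampered response is not read as 'not found'.
    """
    matches = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        if len(suffix) != 35 or not count.isdigit():
            raise ValueError(f"malformed range line: {line!r}")
        matches[suffix.upper()] = int(count)
    return matches


def breach_count(password: str, fetch_range) -> int:
    """Number of times the password appears in the corpus (0 = no hit).

    fetch_range(prefix) returns the raw range body for that prefix; a real
    caller would wrap an HTTP GET of RANGE_ENDPOINT + prefix.
    """
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


# Constructed bucket for prefix 5BAA6 (the SHA-1 of "password" begins 5BAA6).
# The count 12345 is made up; the real corpus count is far larger.
SAMPLE_RANGE_5BAA6 = "\n".join([
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345",  # suffix of sha1("password")
    "0" * 34 + "A:0",                              # zero-count padding entry
    "ABCDEFABCDEFABCDEFABCDEFABCDEFABCDE:3",       # unrelated suffix
])
CONSTRUCTED_RANGES = {"5BAA6": SAMPLE_RANGE_5BAA6}


def offline_fetch(prefix: str) -> str:
    """Stand-in for the HTTP call, serving only the constructed bucket."""
    return CONSTRUCTED_RANGES.get(prefix, "")


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(pw, "->", range_url(pw), "hits:", breach_count(pw, offline_fetch))
```

A non-zero count means the password is in a known breach or stealer corpus and should be rotated regardless of whether the account still works; a zero count is not proof of safety, since the corpus only contains what has already leaked and been collected.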

The IBM X-Force Threat Intelligence Index 2026 finds that supply chain and third-party compromises intensified in 2025, evolving into coordinated, multi-stage campaigns aimed at open-source ecosystems, CI/CD platforms and cloud infrastructure. Rather than targeting endpoints, attackers focused on the environments where software is built and deployed, exploiting developer trust, automation workflows and identity integrations to infiltrate pipelines, harvest credentials and pivot into cloud services.

IBM X-Force observed rising attacks on platforms such as GitHub, GitLab and npm, along with intrusions into cloud providers and SaaS ecosystems that underpin development operations. Open-source registries remained high risk because a single compromised account could distribute malicious updates across thousands of downstream projects. CI/CD platforms became prime targets for token and API key theft, enabling long-term access across repositories and cloud environments. Once inside, attackers used legitimate credentials and misconfigured IAM roles to enumerate assets, create unauthorized accounts and extract sensitive data, amplifying the impact of a single breach across interconnected systems.
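The tokens and API keys the paragraph describes most often leak through build logs and committed configuration, so the first defensive control is scanning those artifacts before an attacker does. The following is an added example, not tooling from the IBM report: a small detector that combines fixed-format patterns for GitHub, npm, GitLab and AWS credentials with an entropy check on generic `KEY=value` assignments, run over constructed CI log lines. The token values in the sample are made up (the AWS key ID is Amazon's documented example value), and the prefix formats are those the respective platforms publish.

```python
"""Scan CI logs and config for leaked platform credentials.

Added example (not from the IBM report). Fixed patterns: GitHub PAT
(ghp_ + 36), npm token (npm_ + 36), GitLab PAT (glpat- + 20), AWS access
key ID (AKIA + 16). Generic assignments whose key name suggests a secret
are flagged when the value's Shannon entropy is high. SAMPLE_LOG and all
token values are constructed.
"""
import math
import re
from typing import NamedTuple


class Finding(NamedTuple):
    line_no: int
    kind: str
    value: str


KNOWN_TOKEN_PATTERNS = {
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "npm_token": re.compile(r"\bnpm_[A-Za-z0-9]{36}\b"),
    "gitlab_pat": re.compile(r"\bglpat-[A-Za-z0-9_-]{20}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}

# "KEY=value" or "KEY: value" where the key name suggests a secret; the
# value must be at least 16 chars from a typical token alphabet.
ASSIGNMENT_RE = re.compile(
    r"(?i)\b(?P<key>[A-Z0-9_]*(?:secret|token|password|api[_-]?key)[A-Z0-9_]*)"
    r"\s*[:=]\s*['\"]?(?P<value>[A-Za-z0-9+/_\-=.]{16,})['\"]?"
)


def shannon_entropy(s: str) -> float:
    """Bits per character of the string's character distribution."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_lines(lines, entropy_threshold: float = 3.5):
    """Return Findings for every line; fixed patterns first, then generic
    high-entropy assignments not already caught by a fixed pattern."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        for kind, pat in KNOWN_TOKEN_PATTERNS.items():
            for m in pat.finditer(line):
                findings.append(Finding(line_no, kind, m.group(0)))
        for m in ASSIGNMENT_RE.finditer(line):
            value = m.group("value")
            if any(f.value == value for f in findings if f.line_no == line_no):
                continue  # already reported under its fixed pattern
            if shannon_entropy(value) >= entropy_threshold:
                kind = "high_entropy_" + m.group("key").lower()
                findings.append(Finding(line_no, kind, value))
    return findings


# Constructed CI log; every credential-looking value here is made up.
SAMPLE_LOG = [
    "[build] Cloning repository https://github.com/example/app.git",
    "[build] export GITHUB_TOKEN=ghp_aB3dE6fG9hJ2kL5mN8pQ1rS4tU7vW0xY3zA1",
    "[deploy] npm config set //registry.npmjs.org/:_authToken npm_Xy9Zw8Vu7Ts6Rq5Po4Nm3Lk2Ji1Hg0Fe9Dc8",
    "[deploy] aws sts get-caller-identity --profile ci  # AKIAIOSFODNN7EXAMPLE",
    "[test] API_KEY=xxxxxxxxxxxxxxxxxxxxxxxx",        # placeholder: zero entropy
    "[deploy] DB_PASSWORD=${DB_PASSWORD}",             # env indirection, not a leak
    "[test] STRIPE_SECRET=s3cr3t_Vx8Qm2Tr7Kp4Hn1Bz6Wc9L",
    "[build] Build finished in 42s",
]

if __name__ == "__main__":
    for f in scan_lines(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.kind} -> {f.value[:8]}...")
```

Fixed-format patterns are precise but only cover issuers whose token shapes are known; the entropy rule catches the rest at the cost of tuning the threshold against the repository's own false positives. Either way, a hit in a log means the token is already in every system that stores that log and should be revoked, not merely removed from the file.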

Over the past five years, X-Force recorded a nearly fourfold increase in major supply chain or third-party compromises. A single breach at a trusted supplier often cascaded into widespread infiltration and data theft among downstream customers. Techniques once associated mainly with nation-state actors are now routinely adopted by financially motivated groups, underscoring how the modern supply chain functions as an interconnected stack of dependencies and identities where a single weak link can expose entire ecosystems.

IBM X-Force observed a surge in campaigns in 2025 aimed at exploiting supply-chain and third-party vendor relationships, driven in part by three prolific criminal groups: Scattered Spider, LAPSUS$ and ShinyHunters. These actors have significantly shaped the current threat landscape through tactics that target identity systems, vendor trust and SaaS interconnectivity.

Scattered Spider has been repeatedly cited in industry and government reporting as a social engineering-focused intrusion group that manipulates help desks, identity providers and cloud access channels. By abusing federated identity and managed service relationships, the group has compromised not only primary victims but also downstream customers. 

LAPSUS$ has targeted telecom providers, outsourcing firms and identity services, using MFA reset abuse and insider recruitment to move laterally into interconnected organizations. ShinyHunters has built a reputation for breaching SaaS platforms and consumer services to steal large datasets, which are later used for credential stuffing, account takeover and follow-on intrusions across customer ecosystems.

Together, these groups demonstrate how modern cybercrime exploits identity weaknesses and vendor trust to trigger cascading third-party risk. Their reported alliance in mid-2025 marked a notable escalation, combining social engineering, large-scale data theft and extortion into coordinated, multi-stage campaigns against high-value enterprise targets.

The IBM X-Force Threat Intelligence Index 2026 shows that most cybercrime in 2025 was driven by data and credential objectives rather than outright system disruption. Credential harvesting accounted for 26% of observed impacts and data leaks for 19%, underscoring attackers’ focus on accessing sensitive systems and extracting valuable information by exploiting weak identity and data protection controls. Reconnaissance made up 17% of activity, reflecting the significant time adversaries spend mapping networks and identifying vulnerabilities before escalating operations.

Illicit financial gain and data theft each represented 14% of impacts, reinforcing the continued monetization of stolen information through fraud or resale. Less frequent but still damaging outcomes included brand reputation damage at 5%, data destruction at 2% and digital currency mining at 1%. Together, the figures highlight the need for stronger identity security, tighter data protection, improved detection of reconnaissance and exfiltration activity, and resilient incident response planning to limit long-term business impact.

The IBM X-Force Threat Intelligence Index 2026 concludes that AI has become a force multiplier in offensive cybersecurity, even though it has not changed the core mechanics of attacks. Threat actors still exploit unpatched vulnerabilities, stolen credentials and misconfigurations, but AI has increased the speed, scale and efficiency of those operations. Generative AI is already being used to refine phishing campaigns, improve social engineering realism and accelerate malicious code development, while defenders apply AI to analyze telemetry and speed detection.

AI’s near-term impact lies in compressing decision cycles and enabling attackers to experiment and adapt in real time during intrusions. As multimodal models mature, adversaries are expected to automate more complex tasks such as reconnaissance, privilege escalation and lateral movement, creating faster and more adaptive campaigns. Perhaps most significantly, AI is lowering the barrier to entry, allowing less experienced groups to execute operations that once required advanced expertise. Because attackers operate with fewer governance constraints, they may adopt and weaponize new capabilities more quickly than enterprises can integrate AI into mature, well-instrumented defenses.

The IBM X-Force Threat Intelligence Index 2026 shows North America as the most affected region in 2025, accounting for 29% of incident response cases, followed by Asia-Pacific at 27% and Europe at 25%. The Middle East and Africa represented 10%, while Latin America accounted for 9%. The distribution reflects economic concentration, rapid digital expansion and persistent geopolitical pressures that shape regional risk.

In North America, attackers most often exploited public-facing applications and valid local accounts, with credential harvesting driving 43% of impacts. Manufacturing was the most targeted sector, followed by wholesale and finance. Asia-Pacific saw heavy reliance on exploiting public-facing applications and valid accounts, with malware frequently deployed and manufacturing representing 65% of incidents. Europe mirrored similar patterns, with the exploitation of internet-facing applications leading to initial access and credential harvesting, particularly affecting finance and professional services.

In the Middle East and Africa, the exploitation of public-facing applications and phishing were the primary entry points, with the finance and energy sectors equally targeted. Latin America showed a more even spread of initial access vectors, including public-facing applications, valid accounts, remote services and supply chain compromise, with credential harvesting the leading impact and finance and energy most affected. Across all regions, attackers consistently prioritized credentials, data access and system persistence, underscoring the need for region-specific intelligence and stronger cyber resilience strategies.

The IBM X-Force Threat Intelligence Index 2026 makes clear that attackers continue to scale their operations by exploiting long-standing weaknesses in identity, access control and credential management rather than relying on novel techniques. Even as tooling and automation advance, breaches still hinge on unpatched vulnerabilities, misconfigurations and stolen credentials. More than half of disclosed vulnerabilities required no authentication, enabling attackers to gain footholds without bypassing identity controls. Once inside, they focus on credential harvesting, privilege escalation and lateral movement across hybrid and cloud environments. The growing exposure of AI chatbot credentials, along with a nearly fourfold rise in major supply chain and third-party breaches over five years, underscores how compromised identities and over-trusted integrations amplify systemic risk.

To respond, organizations must prepare for AI-accelerated attacks that move faster and adapt in real time. That requires shifting from reactive defense to proactive, AI-informed security grounded in strong risk management and business context. Identity should be treated as critical infrastructure, with centralized governance across human and machine identities, continuous risk-based access controls and AI-driven identity threat detection. Security teams must embed authentication and authorization directly into applications and APIs, continuously test for insecure code, weak credentials, misconfigurations and missing patches, and conduct regular penetration testing across the full technology stack.

AI platforms and agentic workflows demand the same rigor as other enterprise systems, including strong authentication, governance, model oversight and monitoring for abnormal access or credential exposure. Organizations should also monitor their external attack surface for exposed assets and stolen credentials, while strengthening data security through encryption, access controls and data loss prevention. As AI expands the enterprise attack surface, resilient identity management, disciplined configuration and proactive vulnerability management become the foundation for maintaining trust and reducing risk.
