From Carder Forums to Nation-State Franchises ~ How the Verizon DBIR Documented the Industrialization of the Criminal Underground ~ 2008-2026

The DBIR (Data Breach Investigations Report) is not merely an annual threat report. Across 18 editions, it is an unintentional longitudinal business history of one of the world's fastest-growing industries — one that operates without regulation, pays no taxes, and has achieved the organizational maturity of a Fortune 500 supply chain. The story the data tells, year by year, is not one of escalating chaos. It is one of escalating rationality.


Here is a number that should recalibrate how you think about the early history of cybercrime: 91%.

That is the percentage of all compromised records in Verizon's inaugural Data Breach Investigations Report — covering investigations from 2004 through 2007 — that were linked to organized criminal groups. Not individual hackers. Not disgruntled insiders. Not curious teenagers in basements. Criminal organizations, operating with defined structure, shared infrastructure, and a clear profit motive, were behind nine out of ten records stolen in those early years of documented breach data.

The mythology of the lone hacker — gifted, antisocial, motivated by curiosity or notoriety — was already obsolete by the time Verizon's investigators started systematically cataloging what they were seeing in the field. The reality those investigations revealed was considerably less cinematic and considerably more alarming: a functioning criminal market, already organized, already scaling, already adapting to competitive pressure the same way any other industry does.

What the Verizon DBIR has documented across 18 annual editions is not a story of escalating chaos. It is a story of escalating rationality. This is Part One of that story — how the criminal ecosystem moved from opportunistic hacking to organized industry between 2008 and 2013, and what the data captured, almost in real time, as the transformation unfolded.


Before There Was a Name For It

The U.S. Secret Service appendices that accompanied the early DBIR editions are among the most underread documents in cybersecurity history. Written by the investigators who were simultaneously pursuing the perpetrators whose data appeared in the adjacent pages, they provide something the breach statistics alone cannot: context about what the underground actually looked like from the inside.

The 2010 DBIR's appendix on online criminal communities — co-authored by USSS analysts — opened with a deliberate corrective. There was no monolithic "computer underground." What existed was a diverse ecosystem: Eastern European carder forums where stolen payment card data changed hands, IRC channels where malware was traded, exclusive invitation-only communities where professional criminals with a decade of experience networked with contacts across multiple continents, and open forums populated largely by curious amateurs who had no idea what they'd wandered into.

What unified this diversity was not technical sophistication. What unified it was organizational logic. The two hallmarks the USSS identified as distinguishing effective online criminal groups were, verbatim: "organizational structure and access to a well-developed criminal infrastructure." Not zero-days. Not advanced malware. Structure and infrastructure.

By the time the first DBIR was published in 2008, the percentage of breaches tied to known organized crime had doubled every year during the preceding 2004–2007 period. The trend did not begin with the DBIR. The DBIR merely started documenting it.


The First Ledger

The 2008 DBIR's investigators had worked 500 cases over four years. They had seen 230 million records compromised. What they documented was not a threat landscape in formation — it was one already structured around payment card data as its primary currency, with financial sector organizations and retailers as the primary targets, and external actors responsible for 73% of breaches while insiders accounted for just 18%.

That insider figure is worth pausing on. In 2008, conventional wisdom in boardrooms and risk committees held that the primary threat was from within — disgruntled employees, privileged users going rogue, trusted insiders who knew where the valuable data lived. The DBIR's first edition flatly contradicted this. The threat was predominantly external, and it was predominantly organized. That finding would survive every subsequent edition of the report essentially unchanged.

The human face of organized cybercrime in this period had a name: Albert Gonzalez. In May 2008, the USSS arrested Gonzalez and eight co-conspirators for hacking into the wireless networks of TJX, BJ's Wholesale Club, OfficeMax, Barnes & Noble, and several others. The defendants came from the United States, Estonia, Ukraine, China, and Belarus — a genuinely international criminal operation operating across borders as fluidly as any multinational corporation. Gonzalez would later be linked to the Heartland Payment Systems breach, in which more than 130 million credit card accounts were compromised and routed to a command-and-control server managed by a connected international group. In March 2010, he was sentenced to 20 years — the longest sentence for a cybercriminal at that time.

Gonzalez was not an anomaly. He was a data point illustrating something the early DBIR was already capturing in aggregate: that the criminal operations behind major breaches were coordinated, international, and organized around the same supply chain logic that governs legitimate commerce. Someone found the vulnerability. Someone else exploited it. Someone else moved the data. Someone else sold it.


Market Correction

The second DBIR, published in 2010 and covering 2008 data, documented 285 million records compromised in a single year — more than the previous four years combined. It was a staggering number, and it triggered something that any economist would recognize immediately: a supply glut and a price collapse.

Stolen magnetic-stripe card data — "dumps" in criminal parlance — had commanded between $10 and $16 per record on underground forums in mid-2007. By 2009, with hundreds of millions of records flooding the market, the price had dropped to under $0.50 per record. That is a decline of more than 97% in roughly two years.

The criminal response to this market condition is, in retrospect, the clearest early evidence that the people running these operations were not simply hackers who had gotten lucky. They were operators who read market signals and adapted accordingly.

The answer to oversupply and price collapse, if you are a rational economic actor, is to move upmarket. And that is precisely what happened. The big money shifted to PIN data — card numbers captured together with the associated personal identification number. PIN fraud enables direct withdrawal from checking and savings accounts, is substantially harder for consumers to dispute, and places more of the evidentiary burden on the victim. It is, from a criminal business perspective, a better product.

Capturing PIN data at scale required new tooling. The solution that emerged — memory-scraping malware — extracted card and PIN data directly from the RAM of point-of-sale systems at the moment of transaction, before encryption could obscure it. The technique had been theoretically identified before this period but considered impractical to execute reliably at volume. The economic incentive provided by high-margin PIN data funded the engineering work to make it practical.

The DBIR's note on this in the companion reference to the early reports is precise: the technique "had previously been considered theoretically possible but practically difficult. The high value of PIN data provided the economic incentive to make it work at scale." Criminal R&D, funded by criminal revenue, solving a technical problem created by market conditions. This is not hacker behavior. This is product development.


The Service Economy of Crime

By the time the 2010 DBIR was published, the USSS appendix on criminal communities documented an underground marketplace that had developed a service infrastructure sophisticated enough to make a legitimate SaaS company envious.

Pricing had tiered and specialized. Basic card data with CVV2 information sold for $1 to a few dollars per unit, depending on card type and quality guarantees. "Full-info" records — card number plus the cardholder's Social Security number, date of birth, and mother's maiden name — commanded $10 and up. Physical card track data, usable for manufacturing counterfeit cards, started at $15. Volume discounts were standard. Some vendors offered replacement guarantees for invalid data; others operated all-sales-final. The market had SKUs, pricing tiers, and customer service policies.

Beyond the data itself, what had emerged was a service layer that criminal operators could purchase the way a startup buys infrastructure. The most illuminating example documented in the 2010 DBIR: antivirus-checking services. Criminal groups had purchased subscriptions to dozens of commercial antivirus and security software products and made them available — for a fee — so that malware developers could verify their payloads were undetectable before deployment. This is criminal quality assurance infrastructure. Someone built it, others paid for it, and the market was better for it — if you were a criminal.

Affiliate programs were also documented explicitly. Established criminal operations recruited participants who would make their botnet infrastructure available to schemes like "software loads" — mass malware installations — in exchange for a percentage of proceeds. The 2010 DBIR noted that some of these affiliate programs openly advertised on underground forums. The affiliate model, which would later become the defining structural innovation of Ransomware-as-a-Service, was already operational in 2009 and 2010, applied to spam infrastructure and credential theft.

The scale of individual criminal profit had shifted dramatically. The USSS observed that a decade prior, $10,000 in annual earnings was considered a successful criminal operation. By 2010, experienced cybercriminals were linked to schemes generating millions. Some were known or believed to have received advanced technical education at prestigious foreign universities and were applying academic cryptography knowledge to attacking encryption systems protecting financial data.

The USSS wrote in the 2010 DBIR appendix: "Crime has been a business for a very long time. This is just the same old story played out on a different (digital) stage." Stating it so plainly was, at the time, a minority view. The framing that dominated public discourse still cast cybercriminals primarily as technical outliers — gifted individuals exploiting a domain that legitimate institutions hadn't caught up with. What the forensic data was showing was something else entirely.


Three Kinds of Criminals

By 2013, the DBIR data had matured to the point where the threat landscape could be usefully classified into three distinct adversary categories — a taxonomy that became foundational to enterprise threat modeling and remains in use today.

The 2014 DBIR (covering 2013 data) identified: financially motivated criminals, hacktivists, and state-affiliated espionage actors. Each operated differently, targeted differently, and required a different organizational response.

Financially motivated criminals — the ones this article is primarily about — were characterized by moderate sophistication, wide targeting nets, and opportunistic selection of victims. Their primary targets were payment cards, credentials, and any other data with clear conversion value. Three-quarters of attacks in the 2013 dataset were opportunistic rather than targeted; the victim organization's specific identity was largely irrelevant. Weak security made you a target. Good security made you expensive. The math was simple.

The 2011 DBIR had already documented the dominance of this group with crisp economy: "Organized criminal groups were once again behind the lion's share — 83% — of all breaches. Most data thieves are professional criminals deliberately trying to steal information they can turn into cash." The 2012 DBIR put external actors at 98% of breaches and 99%+ of records, with financial motivation running at 96%.

The 2012 DBIR also documented something new that the 2013 edition would develop further: the emergence of a cybercrime-as-a-service market. In the Netherlands, "booter" websites — services that would execute DDoS attacks against any target for a fee — had made denial-of-service capability available to anyone willing to pay, with no technical knowledge required. This was not yet the industrialized service ecosystem that ransomware-as-a-service would eventually represent, but the structural logic was identical: commoditize capability, sell access to it, take a margin.

State-affiliated espionage actors were the third category, and their 19% share of breaches in the 2013 data surprised many observers — including, the DBIR authors noted, themselves. These actors operated with substantially greater sophistication and patience than financially motivated criminals, and they targeted a different class of data: intellectual property, strategic intelligence, trade secrets. Importantly, they targeted organizations of all sizes. The 2013 DBIR specifically noted that espionage campaigns reached organizations with no IT staff whatsoever. If your supply chain touched something a nation-state wanted, company size provided no protection.

The state-actor thread is worth noting here, even though it becomes central to a later chapter of this story. In 2013, the categories were relatively clean. Financial criminals operated separately from state actors, with different methods, different targets, different objectives. That cleanliness would not persist.


By 2013, the criminal ecosystem documented in the DBIR had achieved functional market maturity. It had established pricing mechanisms and specialty product tiers. It had developed service infrastructure — tooling, checking services, affiliate networks — that reduced the barriers to entry for less sophisticated operators. It had demonstrated the capacity for rapid market adaptation, most clearly in the pivot from bulk card data to high-margin PIN data when oversupply collapsed margins. It had generated sufficient capital to reinvest in tooling and expertise. And it had developed the early structural innovations — affiliate programs, commodity access — that would eventually scale into the Ransomware-as-a-Service model that dominates the current landscape.

What it had not yet found was its breakout product.

Ransomware had first appeared in the DBIR dataset in 2008. By 2013, there was just enough data to mention it in a single paragraph. The 2013 DBIR noted that criminals were accessing victim networks via Remote Desktop Protocol — using unpatched vulnerabilities or weak passwords — altering backup configurations before deploying ransomware to ensure maximum leverage. The technique was noted as an emerging concern for small and medium businesses.

Nine years later, the 2022 DBIR would look back at that paragraph and observe, with characteristic restraint, that had they known what would still be true nine years later, they could have saved some time by simply copying and pasting it.

The product that would transform cybercrime from an organized industry into a global economic force was already in the data. It just hadn't found its market yet.

Sources: All statistics drawn from the Verizon Data Breach Investigations Reports, 2008 through 2014 editions. The 2008 and 2009 reports are documented in the companion DBIR_2008_2009_Reference.md. The 2010, 2011, 2012, and 2014 DBIR editions are cited directly. USSS appendix quotations appear in the 2010 and 2011 DBIR editions.


Part Two: The Product-Market Fit (2015–2022)


Every industry has a product-market fit moment — the point at which a product so perfectly addresses a real market need that growth stops requiring effort and starts requiring management. For the cybercriminal ecosystem, that moment arrived in the form of ransomware. Not immediately, and not all at once. But the arc, documented almost in real time across successive DBIR editions, is one of the clearest narratives in nearly two decades of breach data: a marginal criminal tool became the dominant business model of the most prolific crime wave in history.

The 2013 DBIR gave ransomware a single paragraph. By 2018, it was the most prevalent malware variety in the entire dataset. By 2026, it was present in 48% of all confirmed breaches. The trajectory wasn't luck. It was product development.


The Problem Ransomware Solved

To understand why ransomware succeeded where so many other criminal schemes plateau, you have to understand the central problem of financially motivated cybercrime: monetization.

Stealing data is one thing. Converting it to cash is another thing entirely, and for most of cybercrime's history it was the hard part. Stolen payment card data required buyers, distribution infrastructure, underground forum relationships, and either sophisticated cashing-out operations or resale to middlemen who took their own margins. As Part One of this series documented, the price of bulk card data collapsed from $10–$16 per record in 2007 to under $0.50 by 2009 precisely because the supply chain worked too well — too many records, too fast, saturating a market with finite absorption capacity. The 2011 DBIR noted that criminals were shifting from wholesale data sales to direct fraud, manufacturing counterfeit cards and making ATM withdrawals themselves, because the wholesale business model had become inefficient.

Stolen credentials had their own monetization challenges. Account takeover fraud required human involvement at scale. Business email compromise was lucrative but labor-intensive and increasingly well-detected. Intellectual property theft, prized by state actors, had essentially no direct criminal monetization path without either nation-state backing or an extraordinarily sophisticated end buyer.

The 2013 DBIR had noted ransomware as an emerging tactic used against small businesses, accessed via RDP using unpatched vulnerabilities or weak passwords, with backups quietly sabotaged before encryption was triggered. Its potential was acknowledged but not yet quantified. What the report could not have fully anticipated was how cleanly ransomware short-circuited every monetization problem that had constrained criminal revenue for the previous decade.

The 2018 DBIR laid out the logic with unusual clarity, analyzing ransomware from the attacker's perspective:

It can be used in completely opportunistic attacks, requiring no target research. It doesn't require monetizing stolen data — the victim pays directly. It can be attempted with little risk or cost to the attacker. It can be deployed across multiple devices simultaneously, increasing leverage and commanding larger payouts. And it is fast: no extended dwell time, no patient exfiltration, no waiting for market conditions.

This is what product-market fit looks like. Every friction point in the prior monetization model — the buyers, the markets, the middlemen, the fraud operations — was simply removed. The victim became the payer. The criminal became the direct recipient.


The Ascent, By the Numbers

The DBIR data captures the ransomware ascent with unusual precision. It ranked as the 22nd most common malware variety in the 2014 DBIR. By the 2017 DBIR it had climbed to fifth. The 2018 DBIR reported it as the most prevalent malware variety in the entire dataset, showing consistent year-over-year growth from 2012 through 2017 across a chart that looked less like a security trend and more like an adoption curve for a successful consumer product.

The 2017 DBIR documented an important structural shift that accompanied the volume growth: the move from individual consumer targets to organizations. Early ransomware campaigns had primarily targeted individual users — home computers, personal files, relatively modest ransoms. By 2016 and 2017, the model had pivoted toward organizational targets. Public administration organizations were the top industry target, with healthcare second and financial services third. The ransom math was obvious: an organization's operational disruption created leverage that no individual user's encrypted photo library could match. Encrypting a file server or database, the 2018 DBIR observed, was considerably more damaging than encrypting a single user device — and the 2018 data showed servers increasingly appearing as the targeted asset class, alongside user devices.

This organizational pivot also reflected a change in criminal operational sophistication. Rather than spray-and-pray campaigns against individual home users, successful organizational ransomware attacks of this period required gaining network access, moving laterally to identify and compromise high-value systems, sabotaging or isolating backups, and deploying encryption at scale. The 2022 DBIR's historical retrospective on deployment vectors reflected what was true throughout this period: 40% of ransomware incidents involved desktop sharing software — predominantly RDP — and 35% involved email as the initial vector. The tools were not exotic. Default and weak passwords on internet-exposed remote access services, combined with phishing email delivery of downloaders, remained the dominant entry points year after year.

The 2022 DBIR quoted the 2013 edition on this exact point, noting that the 2013 description of criminals using RDP with unpatched vulnerabilities or weak passwords to gain initial access could have been copy-pasted directly into the 2022 report without alteration. The authors expressed appropriate resignation.


The Franchise Model Arrives

The 2017 DBIR documented the structural innovation that would transform ransomware from a growing criminal tool into a scalable criminal industry: Ransomware-as-a-Service.

The mechanics were straightforward. Ransomware operators developed tooling — malware, command-and-control infrastructure, payment processing systems, victim negotiation portals — and licensed access to affiliates in exchange for a revenue share, typically a percentage of ransom payments. Affiliates handled the operational work: gaining initial access, deploying the payload, managing victim communication. The operators provided the product; the affiliates provided the distribution.

This model solved a problem that had limited criminal scaling at least as much as the monetization challenge: specialization. Writing production-quality ransomware capable of evading enterprise defenses, encrypting large environments reliably, and maintaining payment infrastructure required genuine technical sophistication. Gaining initial access to organizational networks at volume — finding open RDP instances, running phishing campaigns, purchasing stolen credentials — required different skills and infrastructure. The RaaS model allowed these to be separated, enabling specialists in each function to operate at maximum efficiency within a larger criminal supply chain.

The 2017 DBIR also documented the first wave of operational innovation that accompanied the RaaS model's emergence: master boot record locking and full disk encryption, making recovery without payment far more difficult; execution-timing tricks and behavioral evasion techniques designed to defeat sandbox analysis; time-limited ransoms that increased with delay; even, in one documented case, options to decrypt files for free if the victim infected two additional organizations. "Multi-level marketing at its finest," the DBIR team observed dryly.

The sophistication of this experimentation is worth noting. These were not random feature additions. They were the product of operators analyzing what was and wasn't working, adjusting ransom demand mechanics, testing evasion techniques against deployed defenses, and iterating toward the configuration that maximized payment rates. It was, in the most literal sense, product development.


The Warning Shot: WannaCry and NotPetya

In May 2017, a piece of ransomware called WannaCry spread to more than 300,000 systems across 150 countries in a matter of days, exploiting an NSA-developed vulnerability in the Windows SMB protocol that had been leaked by the Shadow Brokers the previous month. It demanded $300 per infected machine. It never actually worked — a code flaw, likely intentional, meant it could not identify which victims had paid, making decryption effectively impossible. WannaCry was later attributed to North Korea's Lazarus Group.

In June 2017, a second worm called NotPetya spread via the same vulnerability, initially appearing to be ransomware but quickly revealing its actual purpose: it deliberately destroyed the Salsa20 encryption key used to lock files, making recovery impossible even in principle. There was no functional ransom mechanism. NotPetya was sabotage dressed as ransomware, attributed to Russian military intelligence, and it caused an estimated $10 billion in damage across shipping, pharmaceutical, and infrastructure companies before it was contained.

The 2018 DBIR's USSS appendix addressed both directly: "2017 blurred some of the distinctions previously made between cybersecurity threats. North Korea and Russia were responsible for the WannaCry and NotPetya global attacks, respectively, which had more in common with criminal ransomware campaigns than the sort of nation-state cyberattacks previously encountered."

This was a significant statement from the agency responsible for investigating financial cybercrime, and it deserves to be read carefully. Nation-states had borrowed the operational aesthetics of criminal ransomware to deploy weapons-grade destructive tools against economic and infrastructure targets. The direction of capability diffusion was also noted: newer actors were rapidly developing sophisticated capabilities by leveraging tools and services available through existing criminal networks. The USSS assessed that the most significant ongoing financial threat remained the transnational network of Russian-speaking cybercriminals from Eastern Europe — but that network's techniques were now being adapted and deployed by state actors, and those state actors' leaked tools were being incorporated back into criminal operations.

The pipeline between criminal and state capability was beginning to run in both directions. The 2017 data, visible in the 2018 DBIR, was the first clear documentation of this dynamic in the breach record. It would not be the last.


The Second Innovation: Double Extortion

For several years after RaaS became established, the primary defense organizations mounted against ransomware was the backup. If you had reliable, tested, offline backups, you could recover without paying. Ransomware operators addressed this — the 2013 DBIR had documented the backup-sabotage technique — but the backup arms race generally favored defenders who implemented it properly.

Then, in late 2019, a ransomware group called Maze attacked the facility services company Allied Universal. When the victim declined to pay the roughly $2 million ransom, Maze released approximately 700 megabytes of stolen internal files publicly. The threat had been explicit: pay or we publish what we took before we encrypted it.

The 2020 DBIR documented the timeline with precision: before the end of 2019, criminals behind at least four ransomware families had begun exfiltrating internal files before triggering encryption, threatening public disclosure as additional leverage.

The 2021 DBIR described the aftermath: "This began with the Maze Group, and as they enjoyed success, other groups jumped onto the bandwagon. Now it has become commonplace, with many of the Ransomware groups having developed infrastructure specifically to host these data dumps." Purpose-built data leak sites — "name and shame" portals where victim organizations were publicly listed alongside samples of stolen data — became standard operational infrastructure for serious ransomware operators within roughly eighteen months.

The significance of this innovation cannot be overstated. It invalidated the backup defense in a single move. An organization with perfect backup posture could still recover operationally — but now faced the separate, distinct threat of sensitive data exposure, regulatory notification requirements, customer notification obligations, and the reputational consequences of stolen documents appearing on public leak sites. The attack surface had expanded from availability to confidentiality without the attacker needing to change anything about the initial compromise.

Double extortion also, notably, began converting ransomware incidents into confirmed data breaches for VERIS classification purposes: encryption alone affects availability, but exfiltration confirms that data was disclosed, which is what VERIS counts as a breach. The 2020 DBIR had carefully noted that its ransomware data through October 2019 didn't yet fully reflect the shift — cases were documented just as the technique was emerging. By 2021 and 2022, ransomware's presence in breach counts (not just incident counts) had expanded substantially as a result.


The Criminal Business Case, Quantified

The 2022 DBIR included one of the most analytically distinctive appendices in the report's history: an examination of ransomware economics from the attacker's perspective, using criminal forum data, phishing simulation results, and ransomware payment records to model what the business actually looked like on the other side of the transaction.

The cost structure analysis revealed a bifurcation that had significant implications for defense strategy. Larger, more capable criminal operations — those targeting higher-value organizations for larger payouts — invested in professional intrusion services, at costs that could reach $100,000. These groups were operating as full criminal enterprises with internal staff and significant operational overhead. They were going after riskier, bigger-payout targets to justify that overhead.

Smaller operators, however, had industrialized access procurement to the point where most initial access cost less than a dollar — primarily because email remained the dominant attack vector, and bulk email access was extraordinarily cheap. The 2022 analysis described the small-time ransomware criminal as "less of a techie and more of a manager" — purchasing access products, running phishing campaigns with commodity tools, and deploying well-documented RDP-based techniques against targets identified through automated scanning.

This cost structure made ransomware, at volume, an extraordinarily efficient criminal operation. The 2022 simulation — modeling 500 ransomware actors running 300 incidents each — found that only 1.4% showed a net loss. The median simulated profit after 300 incidents was $178,465. The top simulated earner cleared $3,572,211. Sixty percent of individual ransomware incidents generated no profit, but the ones that did generated enough to make the overall operation highly lucrative even at modest success rates.

The 2022 DBIR called this accurately: ransomware was more lottery than business. Individual incidents were low-probability, variable-payout events. But at volume — which the RaaS affiliate model made structurally easy to achieve — the law of large numbers converted a low hit rate into a reliable revenue stream.
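The "lottery, not business" argument can be made concrete with a small Monte Carlo model. This is an added example, not the DBIR's own simulation or data: the access cost, payment probability, payout distribution and revenue share are constructed assumptions (only the 60% no-profit share of incidents comes from the page), chosen to show how a 60% per-incident failure rate becomes a near-zero per-actor loss rate once each actor runs 300 incidents.

```python
"""Monte Carlo model of the 'lottery, not business' argument.

Constructed example, not code or data from the Verizon DBIR.  The 2022
DBIR drew its distributions from criminal-forum pricing, phishing
simulations and payment records; none of that is on this page, so every
parameter below is an assumption chosen only to reproduce the shape of
the argument: most incidents earn nothing, a minority pay, and at volume
the per-actor result becomes reliably positive.
"""
import math
import random
import statistics
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class ActorModel:
    """Assumed per-incident economics of one small ransomware affiliate."""
    access_cost: float = 1.0        # cheap bulk access, as the page describes (assumed value)
    p_payment: float = 0.40         # 60% of incidents pay nothing (figure from the page)
    payout_median: float = 5_000.0  # assumed median ransom when a victim pays
    payout_sigma: float = 1.2       # assumed log-normal spread (heavy right tail)
    revenue_share: float = 0.70     # assumed affiliate cut after the operator's fee


def simulate_incident(model: ActorModel, rng: random.Random) -> float:
    """Net result of one incident: only the access cost is lost when nobody pays."""
    if rng.random() >= model.p_payment:
        return -model.access_cost
    ransom = rng.lognormvariate(math.log(model.payout_median), model.payout_sigma)
    return model.revenue_share * ransom - model.access_cost


def simulate_actor(model: ActorModel, incidents: int, rng: random.Random) -> List[float]:
    """Per-incident results for one actor running `incidents` attacks."""
    return [simulate_incident(model, rng) for _ in range(incidents)]


def simulate_market(n_actors: int, incidents: int, model: ActorModel,
                    seed: int = 2022) -> Dict[str, float]:
    """Summarise a population of actors the way the DBIR appendix did:
    how many actors lose money overall versus how many incidents do."""
    rng = random.Random(seed)
    runs = [simulate_actor(model, incidents, rng) for _ in range(n_actors)]
    profits = [sum(run) for run in runs]
    losing_incidents = sum(r < 0 for run in runs for r in run)
    return {
        "fraction_losing_actors": sum(p < 0 for p in profits) / n_actors,
        "incident_loss_share": losing_incidents / (n_actors * incidents),
        "median_profit": statistics.median(profits),
        "max_profit": max(profits),
    }


def loss_share_by_volume(volumes: List[int], model: ActorModel,
                         n_actors: int = 500, seed: int = 7) -> Dict[int, float]:
    """Share of actors ending in net loss as a function of incidents per actor.
    This is the law-of-large-numbers effect: the same 60% per-incident failure
    rate shrinks toward zero once each actor runs enough incidents."""
    return {v: simulate_market(n_actors, v, model, seed)["fraction_losing_actors"]
            for v in volumes}


if __name__ == "__main__":
    model = ActorModel()
    summary = simulate_market(500, 300, model)
    for key, value in summary.items():
        print(f"{key:>24}: {value:,.3f}")
    for volume, share in loss_share_by_volume([1, 3, 10, 300], model).items():
        print(f"actors losing money at {volume:>3} incidents each: {share:.1%}")
```

The absolute profit figures depend entirely on the assumed payout distribution; the comparison worth reading is the incident-level loss share (about 60%) against the actor-level loss share at 300 incidents (effectively zero).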


The Supply Chain Matures: Initial Access Brokers

By 2022, the division of criminal labor that had been emerging since the early affiliate model of 2009 and 2010 had reached a genuinely sophisticated form. The Initial Access Broker (IAB) had become a defined and documented node in the ransomware supply chain.

IABs specialize in the initial compromise phase: finding vulnerable systems, gaining initial access through credential theft, phishing, or vulnerability exploitation, and then selling that access — via criminal marketplaces — to ransomware operators who prefer not to perform their own target acquisition. The separation is operationally rational: gaining initial access at volume is a different skill set from lateral movement, privilege escalation, and ransomware deployment. Why perform functions you're not optimized for when you can outsource them to a specialist?

The 2026 DBIR would later document the IAB marketplace in considerable detail — regular user account access selling for around $700, administrative accounts for approximately $1,300 per account, VPN access representing 44% of IAB offerings, followed by various remote desktop applications. The market had pricing tiers, access type categories, and competition among suppliers. The 2026 DBIR observed, without quite recommending it, that it had expected privileged account prices to be higher.

The 2022 DBIR documented the attack path from IAB to ransomware deployment: 40% of ransomware incidents used desktop sharing software as the delivery mechanism; 35% used email. The specific channels changed year to year as defenders and attackers adapted, but the overall pattern — compromised remote access credentials as the dominant entry point — remained consistent from the first 2013 ransomware paragraph through every subsequent edition.


The Scale of the Problem by 2022

By the time the 2022 DBIR was published, ransomware had posted an increase as large as the combined growth of the prior five years in a single year, reaching roughly 25% of all confirmed breaches. The 2023 DBIR reported it holding steady at 24%, described by the authors as "ubiquitous among organizations of all sizes and in all industries" and appearing as a top-three action in 91% of industry verticals they analyzed. The section header read: "Ransomware... seriously, we're still doing this section?"

They were, and would continue to be. The 2025 DBIR would report ransomware in 44% of breaches. The 2026 DBIR would raise that to 48%.

But by 2022, something else was beginning to happen in the data. Something that, read carefully, suggested that the ransomware economy's most extraordinary growth phase might be approaching its limits — and that criminal adaptation, always the ecosystem's most reliable characteristic, was already underway.

The 2023 DBIR noted that ransomware's overall costs to victims were increasing even as the ransom amounts being paid were not — suggesting that smaller organizations, with less financial cushion and greater technical debt, were increasingly among the victim population, paying smaller individual ransoms but absorbing proportionally larger recovery costs. The model was optimizing toward volume at the low end of the market, which meant a different set of victims and a different risk profile for defenders than the high-profile, high-ransom campaigns that dominated security news coverage.

This was not a sign that the market was failing. It was a sign of market maturation — the natural movement of a successful business model toward saturation of its most lucrative segments and expansion into adjacent ones.

Something else was also shifting at the boundary between criminal and state operations. The categories that had been relatively distinct in 2013 — financially motivated organized crime, ideologically motivated hacktivists, strategically motivated state actors — were beginning to blend in ways the data was capturing but not yet fully able to explain. The 2021 DBIR had noted that state-sponsored actors had shown financial motivation in a meaningful percentage of breaches since 2015. The 2022 DBIR noted that destructive malware — functionally indistinguishable from ransomware but lacking any payment mechanism — was appearing with increasing frequency, blurring "the distinctions between politically and financially motivated cybercrimes."

That blurring had a direction. It was not criminal groups becoming more state-like. It was states learning to operate like criminal enterprises — and in some cases, states were the criminal enterprises.

Sources: All statistics drawn from the Verizon Data Breach Investigations Reports, 2013 through 2022 editions. The 2017, 2018, 2020, 2021, and 2022 DBIR editions are cited directly. The 2022 DBIR Appendix E (ransomware economics simulation) and USSS appendix are cited directly. The DBIR_2013_2024_Reference.md companion file is cited for 2013 data context.


Part Three: The Franchise Goes Global (2023–2026)


The 2026 Verizon DBIR's month-by-month threat timeline carried, for June 2025, an entry header that deserves to be read carefully: "Blurring state and criminal lines: The distinction between financial extortion and state-sponsored data collection vanished."

Not blurred. Not narrowed. Vanished.

That word choice — from an organization that measures its language as carefully as it measures its data — is the most compressed summary of where the criminal ecosystem stands at the close of nearly two decades of documented breach history. The story that began with organized criminal groups dominating payment card theft in 2008 and evolved through the professionalization of ransomware-as-a-service between 2015 and 2022 has arrived at a destination that no analyst would have predicted with confidence in the early years of the DBIR: the effective merger, in operational terms, of criminal enterprise and nation-state activity.

This is Part Three of that story — how the criminal ecosystem reached market maturation, how it responded when the economics began to turn against it, and what happens when a sovereign state decides that running a criminal organization is good foreign policy.


Reading the Market Signals

Every industry that achieves genuine scale eventually confronts the same problem: the easy growth is gone. The low-hanging fruit has been picked. The most lucrative customers have been targeted. Margins compress. Competitors multiply. The operators who thrived in the growth phase find that the same tactics produce diminishing returns.

By 2023 and 2024, the DBIR data was showing exactly these dynamics in the ransomware economy — not as a collapse, but as the unmistakable signature of a maturing market.

The headline number from the 2026 DBIR is that ransomware was present in 48% of all confirmed breaches in 2025 — a figure that represents extraordinary penetration of an attack type that didn't merit dedicated analysis until 2013. But the more analytically interesting data was what was happening to ransomware's revenue side.

In 2022, approximately 50% of ransomware victims refused to pay. By 2024, that figure had reached 64%. By 2025, it had climbed further to 69%. The 2025 DBIR reported the median ransom paid in calendar year 2024 at $115,000 — down from $150,000 in 2023. The upper tail of the distribution had also contracted sharply: 95% of ransoms in 2024 were under $3 million, compared to a $9.9 million ceiling in 2023.

The 2026 DBIR stated the diagnosis plainly: "Our dataset reveals a market in decline, albeit a slow decline, where there is rampant commoditization and the numerous actors involved are desperately trying to scale to cover their margin compression."

The free market, operating on criminals, was producing the outcomes Econ 101 would predict. Increased supply of ransomware attacks had compressed prices. Improved defensive postures among victims had reduced the payment rate. Law enforcement pressure — real, sustained, and increasingly coordinated internationally — was elevating operational risk. The model that had made ransomware-as-a-service the most successful criminal business innovation in cybercrime history was producing lower returns per transaction. And the rational criminal response to margin compression is volume expansion.


Rebranding More Often Than Startups

Before examining the volume response, it is worth documenting how the criminal ecosystem handled law enforcement pressure — because the pattern reveals something important about structural resilience.

Operation Cronos, a coordinated international law enforcement action in February 2024, dealt what was described as a significant blow to the LockBit ransomware group. It seized LockBit's infrastructure and affiliate panel, obtained source code, communications, victim details, and decryption keys, and seized approximately 2,200 bitcoin. Within days, a new LockBit leak site appeared and new attacks were being claimed. By December 2024, the Department of Justice had indicted a LockBit developer and LockBit was advertising version 4.0 for 2025.

Operation PHOBOS AETOR in February 2025 dismantled the 8Base/Phobos ransomware infrastructure in Thailand. The group's affiliates, according to the 2026 DBIR's timeline, rapidly pivoted to new Malware-as-a-Service models. In March 2025, law enforcement seized the Garantex crypto exchange — which had reportedly processed $96 billion in illicit transactions — but within months, successor infrastructure was in operation.

The pattern is consistent across nearly every major enforcement action documented in the 2025 and 2026 DBIR timelines. Criminal infrastructure is disrupted, seized, or indicted. The operators rebrand, the affiliates scatter and regroup, the tooling reappears under a new name. The 2026 DBIR noted that ransomware groups "rebrand more often than Silicon Valley startups" — and unlike Silicon Valley startups, they don't need investors, regulatory approval, or name recognition among legitimate customers.

The resilience is structural, not incidental. RaaS affiliate networks are deliberately decentralized. The developer of the core tooling is a separate actor from the operator running the infrastructure, who is separate from the affiliates conducting intrusions, who are separate from the negotiators managing victim communication. Disrupting one node disrupts the network but does not destroy it. A single arrest severs one link; the chain reconstructs around the gap.


The Volume Response: Mass Exploitation as Business Strategy

The criminal response to margin compression is documented most clearly in the shift toward mass exploitation — moving from targeted intrusion into individual organizations toward vulnerability campaigns that compromise hundreds or thousands of victims from a single discovered flaw.

The 2024 DBIR, covering 2023 data, recorded a 180% increase in vulnerability exploitation as an initial access method — nearly tripling in a single year. The defining event was the Cl0p ransomware group's exploitation of a SQL injection zero-day in Progress Software's MOVEit file transfer platform. CISA estimated more than 8,000 organizations globally were compromised. The 2024 DBIR identified 1,567 breach notifications tied to MOVEit by timing and description alone, with education the hardest-hit sector at roughly half of impacted organizations.

The Cl0p/MOVEit campaign is worth examining structurally, not just statistically. Cl0p did not, in the majority of cases, deploy encryption. They exfiltrated data and demanded payment for non-disclosure — a pure extortion model with no encryption overhead. Victims with perfect backup posture were as exposed as victims with none. The attack required no persistent access, no lateral movement across individual networks, no customization per victim. The zero-day was the product; the exploitation was the distribution mechanism; the extortion was the checkout.

The 2024 DBIR noted that combined ransomware and pure extortion accounted for 32% of all breaches that year, with traditional encryption-based ransomware at 23% and pure extortion (without encryption) at 9%. That 9% figure — non-existent as a meaningful category in earlier DBIR editions — reflects the Cl0p model's influence on the broader market. If encryption is optional, and extortion works without it, why carry the operational overhead of deploying and managing an encryption payload?

The infostealer-to-ransomware pipeline, documented in the 2025 and 2026 DBIR editions, represents the other face of the volume strategy. Infostealers — malware designed to harvest credentials from infected endpoints at massive scale — feed IAB marketplaces that supply ransomware operators with pre-validated organizational access. The 2026 DBIR found that small organizations experienced a median of seven credential leakage events annually; larger organizations experienced around 20. Of organizations that became ransomware victims and had experienced credential leakage events, 50% had a leakage event occur within 95 days prior to the ransomware attack.

This is not a coincidence or a correlation artifact. It is a documented supply chain operating on measurable timing. The infostealer harvests credentials. The IAB markets the access. The ransomware operator purchases it and converts it to a ransom event. The pipeline is industrial in its regularity.


Espionage Surges Into the Dataset

While the ransomware economy was experiencing its peculiar combination of record prevalence and declining unit economics, a different story was developing in the motives data — one that the 2025 DBIR described with considerable restraint and a gesture at the global political environment.

Espionage-motivated breaches in the 2025 DBIR dataset had increased by 163% compared to the prior period. The DBIR authors acknowledged the honest complication: they had added data contributors who specialize in espionage cases, which affected the numbers. But they were also clear that much of the growth was traceable to publicly documented espionage campaigns — Salt Typhoon's penetration of major U.S. telecommunications companies (including Verizon itself, which the 2025 DBIR disclosed and noted with characteristic understatement), Volt Typhoon's years-long pre-positioning in U.S. critical infrastructure, various Chinese APT groups operating across government, defense, and industrial sectors globally.

The 2025 DBIR noted that state-sponsored actors accounted for 15% of external actor varieties. Their motives, however, were not cleanly siloed into espionage. The same actors needed to fund their operations, which manifested as financial motivation in a meaningful percentage of their activity. They needed to commandeer infrastructure for future operations, which manifested as secondary motivation. The 2025 DBIR's formulation: these actors will "use those spoils to further more Espionage in the future, but we digress."

The digression is actually the point. When state-sponsored actors operate with financial motives to fund espionage objectives, the clean categories of the 2013 DBIR taxonomy — financial criminals here, state actors there — have lost their explanatory power. What the data is showing is not two distinct populations behaving differently. It is a single operational ecosystem in which the same techniques, the same infrastructure, the same credential marketplaces, and in some cases the same actors serve both profit and geopolitical objectives simultaneously.


The North Korean IT Worker: When the State Is the Criminal Enterprise

If the blurring of financial and espionage motivation represents the gradual erosion of the criminal/state boundary, the North Korean IT Worker program documented in depth by the 2026 DBIR represents its complete dissolution.

The structure is unlike anything previously documented in the DBIR's 18-year run. DPRK operatives use stolen identities — the 2026 DBIR estimated approximately 15,000 possible stolen identities in use, with a typical ITW maintaining three to five simultaneously — to obtain legitimate remote employment at technology companies. They operate from regionally hosted laptop farms run by local accomplices, allowing them to pass technical interviews, perform job functions, and collect salaries without requiring physical presence in the hiring country.

Some of these workers were, by all accounts, good at their jobs. Several were described as high performers. Some used their legitimate access to steal proprietary source code, then leveraged the threat of public disclosure — the same double-extortion logic documented in the civilian ransomware market since 2020 — to demand additional payment from their employers. Proceeds moved through the PRC financial system and ultimately funded the DPRK government's programs, according to U.S. law enforcement filings cited by the 2026 DBIR.

In March 2025, North Korea officially launched Research Center 227 — a dedicated unit focused on developing AI-driven offensive hacking capabilities. The ITW program and Research Center 227 together represent something qualitatively different from everything the earlier DBIR editions documented: a state whose strategic foreign policy instrument is a criminal organization that earns its operating budget through legitimate employment fraud, extortion, and cryptocurrency theft, while simultaneously building AI-enabled offensive cyber capabilities.

The 2026 DBIR's targeted industries for ITW campaigns span blockchain/Web3, full-stack development, frontend engineering, and increasingly AI-focused roles — following market trends in remote employment with the same labor market intelligence that any sophisticated recruiter would apply. The criminal enterprise is tracking the job market.

The 2026 DBIR's assessment on scope was appropriately hedged: "Our rough analysis suggests the figure could be in the low thousands, though this estimate carries considerable uncertainty." Organizations are not required to publicly disclose that they accidentally hired a North Korean IT worker, which means the visible dataset almost certainly undercounts the actual population.


The Texture of the Current Landscape

The 2026 DBIR Wrap-up's month-by-month chronicle of 2025 events reads less like a security threat landscape and more like a dispatch from a world in which the categories we used to organize the threat — criminal, state, espionage, financial, hacktivism — have been rendered taxonomically insufficient by the actors themselves.

February: The Akira ransomware group exploited unsecured webcams to move laterally and encrypt VMware ESXi shares while remaining invisible to Windows-based endpoint detection systems. North Korea launched Research Center 227.

March: A cascading breach of GitHub Actions exposed secrets for more than 23,000 repositories. Law enforcement seized Garantex. China-nexus group UNC3886 demonstrated it had maintained persistent network access to a target for four years.

June: Operation Endgame disrupted Lumma Stealer and DanaBot infrastructure across 1,300 domains. Developers restored MaaS operations within days. The distinction between financial extortion and state-sponsored data collection vanished.

August: MITRE revealed LameHug, an APT28 experiment using a large language model to generate polymorphic malware code on demand. ShinyHunters launched a supply chain campaign that pivoted through compromised OAuth tokens into the Salesforce instances of Google, Zscaler, and Cisco. PromptLock malware emerged — described as the first AI-powered ransomware to generate cross-platform encryption scripts dynamically via local LLMs.

The AI question deserves a careful answer, because it sits at the boundary between evidence and speculation in a way the DBIR archive has always been disciplined about. The 2024 DBIR found essentially no confirmed AI-enabled attacks in incident data — criminal forum mentions of GenAI "barely breaching 100" across two years. The 2025 DBIR found measurable evidence of state-sponsored actors using AI platforms to augment phishing and coding activities, and documented an increase in AI-written malicious emails. The 2026 DBIR's timeline documents specific instances — APT28's LameHug experiment, PromptLock — that are either confirmed or strongly assessed events.

The honest read of the DBIR data on AI is that the transition from "theoretically possible" to "actively deployed" has been happening, is ongoing, and is being driven primarily by state actors with the resources to experiment at the capability frontier. This is precisely the pattern observed with memory-scraping malware in 2008 and 2009: a technique theoretically possible, economically justified by target value, and made practically viable by sufficient investment. The economics of AI-assisted attack development are not yet driving mass criminal adoption. They are, however, clearly attracting state-level investment — and as the RaaS model demonstrated, state-developed techniques have a way of diffusing into the broader criminal ecosystem.


What Eighteen Years of Data Actually Tells Us

The arc from 2008 to 2026, read as a single continuous document, is a story about organizational learning. Not organizational learning on the defender side — though there has been some — but on the adversary side, where the learning has been faster, more disciplined, and more consequential.

In 2008, organized criminal groups were responsible for 91% of compromised records and had already developed functioning markets, service infrastructure, and affiliate networks. In 2026, those same structures — more sophisticated, more resilient, better funded, and increasingly entangled with state objectives — produce breaches in nearly half of all investigated incidents. The DBIR's own data, across 18 editions and the cumulative examination of well over a million security incidents, tells a story of an adversary ecosystem that adapted to every defensive response it encountered, absorbed every law enforcement disruption it experienced, and continued to innovate toward greater efficiency of criminal extraction.

The 2026 DBIR's description of the ransomware market as one characterized by "rampant commoditization" and actors "desperately trying to scale to cover their margin compression" is the most honest and useful framing of the current state: a mature criminal industry experiencing the economic pressures of saturation, responding with volume, product diversification, and — in the most sophisticated cases — vertical integration with state power.

The question for defenders in this landscape is not whether to fear nation-state attackers or financially motivated criminals. It is how to build organizations resilient enough to resist the commoditized criminal attack that uses the same techniques as the nation-state actor, distributed through the same infrastructure, enabled by the same credential theft pipeline, and monetized through the same extortion model — regardless of whose geopolitical agenda it ultimately serves.


What to Do With All of This

The DBIR archive, read in its entirety, is emphatic on the practical implications. Across 18 editions, the specifics of which attack type dominates any given year matter less than the persistent underlying mechanics. Here is what the evidence says, concretely:

Monitor credential exposure before you have a ransomware problem. The 95-day window between credential leakage events and ransomware victimization is actionable lead time. Organizations with dark web monitoring and identity threat intelligence programs can interrupt the IAB pipeline at its early stages. Small organizations experience a median of seven credential leakage events per year. Large organizations experience around 20. None of those events are neutral.

Treat your vulnerability prioritization as a business decision, not a technical one. The 2024 DBIR's finding that attackers scan CISA KEV vulnerabilities within a median of five days while organizations take a median of 55 days to remediate 50% of critical ones is the defining security math problem of the current era. CVSS scores alone are insufficient for prioritization. KEV membership, exploitation-in-the-wild evidence, and software prevalence in your environment must all weigh in the decision.

Extend your insider threat program to your hiring process. The North Korean ITW threat is documented, characterized, and actionable. Identity verification through multiple touchpoints during hiring, enhanced scrutiny for remote technical roles, background check rigor calibrated to access level, and insider threat program awareness of this specific vector are not optional enhancements. They are responses to a documented, ongoing, state-sponsored program operating at scale.

Treat non-payment of ransom as a shared defense. The 69% non-payment rate in 2025 is market pressure on criminal economics. Each organization that invests in tested recovery capability — offline backups, rehearsed incident response playbooks, clear decision-making authority before the event — contributes to the market dynamic that is demonstrably compressing criminal revenue. This is one of the few documented cases where collective defense behavior is producing measurable results in the adversary's economics.

Assume the categories are broken. The 2013 DBIR gave practitioners a clean taxonomy: financial criminals, hacktivists, state actors. By 2026, that taxonomy is descriptively inadequate. The actor using ransomware tooling obtained from a criminal marketplace to fund espionage objectives while posing as a legitimate remote employee is not classifiable under 2013 categories. Threat models that still use those categories are threat models designed for a world that no longer exists.
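As an added example (not the article's or Verizon's code) serving both the infostealer-to-IAB pipeline passage above and the first recommendation, here is a small Python analytic that applies the 95-day window and the yearly leak baselines to a constructed credential-leak feed: retrospectively, to see which ransomware incidents had a leak inside the window, and prospectively, to put organizations with above-baseline leak activity on a triage list. The organization names, dates, feed fields, and the use of the yearly medians as a per-window baseline are assumptions.

```python
"""Correlate credential-leakage events with ransomware incidents.

Added example, not from the DBIR or the article. The 95-day lead time
and the yearly medians (7 events for small orgs, ~20 for large) are the
article's reading of the 2026 DBIR; everything else (org names, dates,
feed format, the per-window baseline) is a constructed assumption.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta

LEAD_TIME_DAYS = 95                      # leak-to-ransomware window (2026 DBIR)
YEARLY_BASELINE = {"small": 7, "large": 20}  # median leak events per year


@dataclass(frozen=True)
class LeakEvent:
    org: str
    observed: date
    account: str
    source: str          # assumed feed label, e.g. "infostealer-log"


@dataclass(frozen=True)
class Incident:
    org: str
    occurred: date
    kind: str            # "ransomware" or something else


def leaks_before_incident(leaks, incident, window_days=LEAD_TIME_DAYS):
    """Leak events for incident.org observed in the trailing window
    (occurred - window_days, occurred], oldest first."""
    start = incident.occurred - timedelta(days=window_days)
    hits = [l for l in leaks
            if l.org == incident.org and start < l.observed <= incident.occurred]
    return sorted(hits, key=lambda l: l.observed)


def share_with_prior_leak(leaks, incidents, window_days=LEAD_TIME_DAYS):
    """Among ransomware victims that had any leak on record, the fraction whose
    incident was preceded by a leak inside the window (the DBIR's 50% metric)."""
    orgs_with_leaks = {l.org for l in leaks}
    victims = [i for i in incidents
               if i.kind == "ransomware" and i.org in orgs_with_leaks]
    if not victims:
        return 0.0
    hits = sum(1 for i in victims if leaks_before_incident(leaks, i, window_days))
    return hits / len(victims)


def exposure_watchlist(leaks, org_size, as_of, window_days=LEAD_TIME_DAYS):
    """Forward-looking triage: orgs whose leak count in the trailing window
    exceeds the count their yearly baseline implies for that window.
    Unknown orgs are treated as small (the stricter baseline)."""
    start = as_of - timedelta(days=window_days)
    counts = defaultdict(int)
    for l in leaks:
        if start < l.observed <= as_of:
            counts[l.org] += 1
    flagged = {}
    for org, n in counts.items():
        expected = YEARLY_BASELINE[org_size.get(org, "small")] * window_days / 365
        if n > expected:
            flagged[org] = (n, round(expected, 1))
    return dict(sorted(flagged.items(), key=lambda kv: kv[1][0], reverse=True))


# Constructed sample feed (assumption): three orgs, two ransomware incidents.
SAMPLE_LEAKS = [
    LeakEvent("acme", date(2025, 1, 10), "jdoe@acme.example", "infostealer-log"),
    LeakEvent("acme", date(2025, 3, 2), "vpn-svc@acme.example", "infostealer-log"),
    LeakEvent("acme", date(2025, 4, 20), "admin@acme.example", "combolist"),
    LeakEvent("globex", date(2024, 11, 5), "it@globex.example", "combolist"),
    LeakEvent("initech", date(2025, 5, 1), "ops@initech.example", "infostealer-log"),
    LeakEvent("initech", date(2025, 5, 3), "ops2@initech.example", "infostealer-log"),
    LeakEvent("initech", date(2025, 5, 9), "hr@initech.example", "infostealer-log"),
]
SAMPLE_INCIDENTS = [
    Incident("acme", date(2025, 6, 1), "ransomware"),     # leaks on Mar 2, Apr 20 fall in window
    Incident("globex", date(2025, 6, 15), "ransomware"),  # only leak is 7 months old
    Incident("initech", date(2025, 6, 20), "bec"),        # not ransomware; ignored
]
ORG_SIZE = {"acme": "large", "globex": "small", "initech": "small"}
WATCHLIST_AS_OF = date(2025, 5, 15)

if __name__ == "__main__":
    for inc in SAMPLE_INCIDENTS:
        print(inc.org, inc.kind, [l.account for l in leaks_before_incident(SAMPLE_LEAKS, inc)])
    print("share of ransomware victims with a leak in window:",
          share_with_prior_leak(SAMPLE_LEAKS, SAMPLE_INCIDENTS))
    print("watchlist:", exposure_watchlist(SAMPLE_LEAKS, ORG_SIZE, WATCHLIST_AS_OF))
```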


The Last Word

The DBIR's 2010 edition — back when the report was still finding its voice and the Secret Service appendix was one of its most distinctive features — stated the foundational truth that has held across every subsequent edition: "Crime has been a business for a very long time. This is just the same old story played out on a different (digital) stage."

Eighteen years later, the stage has expanded to encompass sovereign governments operating criminal enterprises, AI-assisted malware development at the intelligence agency level, and credential marketplaces that function with the efficiency of commodity exchanges. The story has not changed. The production values have improved considerably.

What the DBIR data has documented, year by year, is the evolution of an adversary that takes markets seriously, respects supply chain logic, responds rationally to economic pressure, and learns from its failures faster than most of its targets learn from their own. Defenders who understand that — who model the adversary as a rational economic actor embedded in a functioning market rather than as a collection of technical threats to be enumerated and blocked — are working from a more accurate picture of what they are actually defending against.

The picture the DBIR has been drawing, one year at a time since 2008, is now complete enough to see clearly. It is not a pleasant picture. It is, however, an accurate one. And accuracy, in security as in all else, is where defensible strategy begins.

Sources: All statistics drawn from the Verizon Data Breach Investigations Reports, 2023 through 2026 editions. The 2025 and 2026 DBIR editions are cited directly, including the 2026 DBIR Wrap-up timeline and the deep-dive on North Korean IT Workers. The DBIR_2013_2024_Reference.md companion file is cited for 2024 data. 2025 DBIR references to espionage growth, Salt Typhoon, and ransom payment decline are cited directly from those report editions.


Jonathan Brown is a cybersecurity researcher and investigative journalist at bordercybergroup.com.
