The Europol 2025 Internet Organised Crime Threat Assessment (IOCTA) report reveals how stolen data fuels the digital underworld, powering a criminal ecosystem that spans from online fraud and ransomware to child exploitation and extortion.
The report paints a stark picture of a cybercrime economy built on access—access to your systems, your identity, and your most sensitive information.
From phishing to phone scams, and from malware to AI-generated deepfakes, cybercriminals use a constantly evolving toolkit to compromise systems and steal personal information. These stolen credentials and data sets are then sold, resold, and repackaged by data and access brokers operating across dark web forums, encrypted channels, and subscription-based criminal marketplaces.
Social engineering
The report highlights a rise in the use of generative AI, including Large Language Models, to supercharge social engineering attacks. Criminals now tailor scam messages to victims’ cultural context and personal details with alarming precision. Child sexual exploitation perpetrators are also using AI to scale up grooming attempts and make coercion attempts more effective.
Data as a commodity
Cybercriminals no longer need technical skills to succeed. Crime-as-a-service platforms now offer everything from stolen data to step-by-step fraud tutorials. Access credentials to remote services, compromised corporate networks, and even personal logins are sold in bulk.
Ecosystems of fraud-related data
Dark web platforms cater to a broader range of cybercriminals. The commonly traded commodities that are most often used to facilitate fraud include compromised credit card data and account login credentials for web services (e.g. streaming, online shopping environments and adult content sites)
Automated vending carts (AVCs) are marketplaces specifically used for the sale of compromised card details. These automated websites allow buyers to search through listings based on various factors and purchase items without interacting with a vendor. Data sets are typically advertised using samples, with the full set becoming available upon purchase. Carding marketplaces also offer card-testing services for criminals who have harvested or purchased unverified dumps of credit card information.
Anti-detection solutions such as VPNs, BPH and money laundering services, as well as subscription- based access to phishing and exploit kits and infostealers, are readily available. Manuals, guidelines and tutorials, as well as individual coaching sessions, are also available. These are often related to operational security and explain how to carry out online fraud schemes.
The prices charged depend on the commodities and can vary significantly based on the compromised entity’s sector, size, revenue, geographical location, access type, level, and persistence, and the exclusivity of the offer. High-revenue companies in Europe and North America are in high demand.
New threats
Initial access brokers and ransomware groups continue to exploit known system weaknesses and manipulate human behavior.
Even popular error messages and CAPTCHA boxes are being mimicked in a tactic known as “ClickFix” to trick users into installing malware themselves.
While encryption protects users’ privacy, the criminal abuse of end-to-end encrypted (E2EE) apps is increasingly hampering investigations. Cybercriminals hide behind anonymity while coordinating sales of stolen data, often with no visibility for investigators.
Recommendations
To counter the threats, the report calls for coordinated policy responses at EU level, including lawful access solutions for E2EE, harmonised rules on data retention, and urgent efforts to boost digital literacy—especially among young people.
The IOCTA 2025 draws on operational insights from the thousands of investigations Europol supports each year, particularly through its European Cybercrime Centre (EC3) and its Economic and Financial Crime Centre (EFECC), with contributions from Member States, and private sector partners. It builds on the EU Serious and Organised Crime Threat Assessment (SOCTA) and sheds light on a criminal landscape where data is power—and everyone’s data is at risk.
Methodology
Input for this report was collected from analysis of cases supported by the Europol European Cyber Crime Centre (EC3), interviews with Europol operational team experts, and input from members of Europol EC3 Advisory Groups4.
The report is also informed by other Europol intelligence analysis products, in particular the EU Serious and Organised Crime Threat Assessment (EU-SOCTA) 2025. Where relevant, open-source information has been used as a complementary data source.
Further reading
Steal, Deal and Repeat – How cybercriminals trade and exploit your data – IOCTA 2025. Report (PDF). June 12, 2025. The Internet Organised Crime Threat Assessment (IOCTA), Europol
Why it matters
“You can’t defend what you don’t understand,” said Edvardas Šileris, Head of Europol’s European Cybercrime Centre. “Europol’s IOCTA 2025 report sheds light on the hidden economy of stolen data that powers today’s most dangerous cyber threat, giving law enforcement, policymakers, and industry the intelligence needed to act decisively.”
