Cyber Observatory CRIF
- Over 2.200.000 alerts sent regarding data exposure on the dark web
- Iran rises from 124th to 3rd position globally for compromised e-mail addresses
- AI upgrades attacks, among which omni-phishing campaigns stand out
- Compromised business accounts score +12,7%, making up almost 10% of the total
Bologna, 28 May 2026 – In 2025 the cyber risk ecosystem has undergone a profound transformation, led by new geopolitical scenarios, increasingly automated attack techniques and an enrichment of data exchanged on the dark and public web. Compared to the previous year, the number of alerts sent regarding data exposure on the dark web has seen a +5,8% rise, reaching over 2.200.000 cases in 2025. On the open web, instead, the number of alerts stood at 55.000, decreasing by 6,6% compared to 2024.
Compared to 2024, the data found on the dark web was more complete, leading to a +22% increase in average alert severity. Such an increase is mainly due to the detection of more complex and dangerous combinations, associating email addresses with passwords and precise references to compromised accounts.
These are some of the findings of CRIF’s Cyber Observatory, which aims to analyse the vulnerabilities of individuals and organizations to cyber-attacks and interpret emerging trends related to data exchanged in Open Web and Dark Web environments.
The evolution of the global geopolitical scenario is also reflected in the rise of cyber threats: one emblematic case is Iran, rising from the 124th position to the third in the compromised e-mail addresses global ranking.
The impact of Artificial Intelligence on cybercrime
The Observatory confirms that cyberattacks are not only on the rise but also becoming increasingly difficult to identify and counter, thanks to the availability of an unprecedented amount of data and ever more sophisticated compromising techniques. Among rising threats, we find smishing[1] campaigns, which in Italy have become exceptionally believable: from fake messages related to unpaid motorway fees, to messages about fake mail delivery issues, all conceived to steal personal data and payment information. Alongside smishing, phishing[2], vishing[3] and spear phishing[4] are becoming more effective thanks to Artificial Intelligence, capable of generating impeccable e-mails and deepfake audio and video, favoring structured approaches like omni-phishing, which combines multiple channels to make scams look more credible. At the same time, the risk of account takeover[5] is on the rise, favored by the combination of stolen credentials and hyper-personalized social engineering. To complete the picture, we see the fast proliferation of stealers-as-a-service[6], capable of acquiring full data packets, which are extremely valuable for the criminal market, and exposing users to significant risk.
The refinement of cybercriminals’ strategies, combined with Artificial Intelligence, fosters the circulation of extremely detailed data combinations on the dark web, which usually include additional business information. Indeed, though the quantitative analysis of the domains associated with e-mail accounts exposed on the dark web shows a stark prevalence of personal accounts (almost 90,2% of the total), in 2025 compromised business accounts have increased by +12,7% (9,8% of the total). This trend suggests that private users continue to pay limited attention to online security, and that conversely, businesses, while increasingly adopting security measures, are still vulnerable and very much targeted.
The most exposed data combinations
The most exposed and vulnerable categories of data on the dark web are passwords, e-mail addresses, usernames, residential addresses and full names. Data related to phone numbers, personal identifiers and credit cards are also commonly exposed and at risk of being compromised.
Analysing the most frequently exposed data combinations in 2025 reveals that the combination of credit card numbers and full name is found in 94,2% of cases, which is particularly worrying due to the major risk of financial fraud. The combination of password and email address remains extremely common, with the first appearing next to the second in 91,5% of cases. The combination of username and password, which accounts for 85,2% of cases, is mainly related to corporate accounts, underlining potential vulnerabilities in companies. Data confirms account theft is still a primary goal for hackers, underlining the necessity to adopt safe practices for password management, such as using a different password for each account, changing passwords frequently and employing a password manager.
Another valuable piece of information for cybercriminals is the full residential address, associated with phone numbers in 44,5% of cases. In addition, the high incidence of the combination of passport numbers and first name and surname (64,6%), and, though less common, passport number and full residential address (57,5%), broadens the risk of identity theft, impersonation and advanced profiling.
| Top data combinations | 2025 | % vs 2024 |
|---|---|---|
| Credit card number + first and last name | 94,2% | +100,0% |
| E-mail + password | 91,5% | +2,2% |
| Username + password | 85,2% | -2,6% |
| Passport number + first and last name | 64,6% | +100,0% |
| Passport number + full residential address | 57,5% | +100,0% |
| Full residential address + telephone number | 44,5% | -32,1% |
| Telephone number + first and last name | 44,8% | -15,2% |
Data Source Provider: Cyber CRIF Observatory
Most frequently found accounts on the dark web
A qualitative analysis of the contexts in which data circulates showed that, excluding e-mail services, usernames found on the dark web are mostly associated with online services (53,7%), followed by accounts related to popular social networks (15%) and web sites (10,4%). In fourth place we find the theft of accounts associated with gaming (5,9%), increased by 22,9%, followed by governmental services (5,2%), while e-commerce platforms occupy 6th position (5%).
| | Most frequently found accounts | 2025 | Var% vs 2024 |
|---|---|---|---|
| 1 | Online services | 53,7% | +56,6% |
| 2 | Social Networks | 15,0% | -37,2% |
| 3 | Web sites | 10,4% | +4,0% |
| 4 | Gaming | 5,9% | +22,9% |
| 5 | Governmental services | 5,2% | -24,6% |
| 6 | E-commerce platforms | 5,0% | -35,1% |
| 7 | Financial services | 4,7% | +9,3% |
Data Source Provider: Cyber CRIF Observatory
Stolen credentials can be used for a range of activities, including accessing victims' accounts, misusing services, sending messages with requests for money or phishing links, distributing malware or ransomware, and generally extorting or stealing money. For this type of data theft, the "human factor" plays a significant role: user negligence is one of the most common causes, as are weak passwords or passwords used across multiple accounts.
In addition to this dynamic, Account Takeover attacks (ATO) are expanding, striking not only traditional accounts, but messaging services such as WhatsApp as well. Another commonality across certain account types (such as social networking, streaming and gaming platforms) is the willingness of users to give their credentials out to seemingly innocent services that offer freebies or extra features, when in fact often this is a simple credential-harvesting tool.
[1] Smishing: Cyber fraud through SMS or messaging apps such as WhatsApp.
[2] Phishing: Cyber fraud aimed at stealing personal information through deceptive e-mails.
[3] Vishing: Cyber fraud using phone calls or voice messages to steal data from specific victims.
[4] Spear phishing: Cyber fraud using personalized messages to steal data from specific victims.
[5] Account takeover: Unauthorized login to a digital account to take it over or steal data.
[6] Stealer-as-a-service: malware used to steal information, such as credentials and financial data.