“Cybercrime is the fastest-growing crime category” is one of those phrases that’s been technically true for so long it’s lost its sting. Underneath the headline number, the actual composition of the cybercrime economy has shifted meaningfully in 2026. Here’s the picture as we read it from public reporting, our own tracker data, and the firms that publish recurring numbers.
Ransomware: still the headline, smaller percentage
Reported ransomware payment volume in 2025 came in below 2024 according to Chainalysis, continuing a trend that started after the LockBit takedown. The drop isn’t because ransomware is going away (claim counts on leak sites are up) but because more victims are refusing to pay and paying victims are paying less per incident.
The new normal: more attacks, lower per-attack revenue, more pressure on operators to extract value through data leaks and harassment when encryption alone doesn’t get paid. Hospital and education-sector attacks remain disproportionate because those victims often pay regardless of policy.
Business email compromise: the quiet giant
BEC losses reported to the FBI’s IC3 continue to dwarf ransomware. The 2025 IC3 report logged $2.9 billion in adjusted BEC losses against $1.0 billion in ransomware. The scale is consistent year-on-year and the operator pool is more diffuse than the ransomware ecosystem: fewer named groups, more freelance affiliates.
The structural reason BEC outscales ransomware: average per-incident take is higher, attacker overhead is lower, there is no encryption-key handling, and the “did the wire transfer go through” feedback loop is faster than “will the victim decide to pay.” It is, in cold operational terms, a better business.
Stealer logs and credential markets
Stealer-log marketplaces have become the connective tissue of the rest of the cybercrime economy. Initial access for ransomware affiliates, account-takeover material for BEC, raw inventory for romance scammers: much of it traces back to a stealer log purchased on a Telegram channel for under twenty dollars.
The volume in 2026 is staggering: tens of millions of fresh logs per month across the major sources (Lumma, Vidar, RedLine and successors). Most never get used. The ones that do are the difference between a target and a victim.
Romance scams and pig-butchering
The fastest-growing fraud category. The Federal Trade Commission’s 2025 numbers put romance-scam-related crypto investment fraud above $5 billion in reported losses, with under-reporting estimated at three to five times the reported figure. Most of the operations run from compounds in Southeast Asia where trafficked workers are forced to run scripts. The combined human-rights and financial harm is uniquely bad.
DDoS-for-hire and small-fish ecosystems
The booter and stresser ecosystem rebuilt after the 2022-2023 takedowns. Aggregate volume is back to pre-takedown levels but distributed across a larger number of smaller operators. The ecosystem feeds extortion attacks, gamer-on-gamer harassment, and political activism-adjacent attacks. Per-incident revenue is small; aggregate volume is meaningful.
What the numbers tell defenders
If you allocate security budget by news headlines, you over-fund ransomware defence. If you allocate by actual loss exposure, BEC defence and identity-and-access controls dominate the spend. Account takeover, stolen-credential resilience, and outbound wire-transfer controls are the highest-ROI investments for most enterprises.
For consumers, the same data points to identity protection, credit freezes, and SIM-swap resilience as the highest-impact controls. The ransomware story is dramatic. The fraud story is bigger. Plan accordingly.
