The State of Cybercrime 2026 | KELA Cyber


The State of Cybercrime 2026

From Prediction to Execution - Explore the State of Cybercrime 2026 insights on autonomous adversaries, AI-driven attacks, identity threats, macOS infostealers, ransomware, and geopolitical cyber risk.

By KELA Cyber Intelligence Center

Updated April 29, 2026

The State of Cybercrime 2026: From Prediction to Execution

A special message from KELA’s CEO, Davidi Carmiel: In ‘The State of CyberCrime 2025’ report, we warned about the "Autonomous Shift." As we release the State of Cybercrime 2026, the data confirms a sobering reality: those predictions weren't just accurate—they were conservative. The "Autonomous Adversary" is no longer a roadmap item; it is the primary fuel powering the engine of global cybercrime. For executives, the message is clear: the gap between human-speed defense and machine-speed attack has reached a breaking point.

Did We Get It Right? 2025 Predictions vs. 2026 Ground Truth

Last year, our KELA Cyber Intelligence Center (CIC) identified three "Pivots" that would define the landscape. Here is how they transitioned from theory to reality:

| 2025 Prediction | 2026 Ground Truth |
|---|---|
| Agentic AI: Attackers will use autonomous agents to move faster than SOC teams. | CONFIRMED: Breakout times have collapsed to 27 seconds. AI agents now orchestrate 90% of the intrusion lifecycle for elite groups. |
| Deniable Proxy Ecosystem: State actors will mask sabotage as "hacktivism." | CONFIRMED: A 400% surge in coordinated "proxy" attacks. Geopolitics is now the #1 driver of cyber risk mitigation. |
| The Identity Drain: Credentials will replace vulnerabilities as the top entry point. | CONFIRMED: 2.86 Billion credentials were weaponized in 2025 alone. Identity has officially replaced the network perimeter. |



As a Senior Cyber Security Executive, What’s in Store for 2026?

This year, we can expect the Industrialization of Cybercrime. It is no longer a service industry; it is evolving to be a fully automated one.

  • The "Vibe Coding" Security Hangover: As developers use AI to "vibe code" applications at 10x speed, they are inadvertently creating a wave of unmanaged, non-deterministic vulnerabilities. 2026 will see the first major breaches caused by "AI-generated technical debt."
  • The Death of the Mac Safe Haven: With a 7,000% surge in macOS infostealers, the executive and developer endpoint—historically the most privileged and least monitored—is now the highest-value target.
  • Availability Sabotage: Ransomware has evolved. It is no longer just about the ransom; it is about "Operational Halt." In 2026, the goal is to cripple supply chains to create geopolitical leverage, with 7,549 victims already documented.


Strategic Imperatives for 2026 & 2027

To survive the era of the Autonomous Adversary, your defense strategy must shift from Prevention to Resilience. Drawing on our State of Cybercrime 2026 report, here are my recommendations for leaders defining their strategies for 2026 and beyond:

1. Close the Velocity Gap

If your detection window is measured in hours or days, you are already too slow for an AI Threat breakout.

  • Transition from "AI-assisted summaries" to Autonomous SOC Workflows where AI agents handle Tier-1 response without human intervention.

2. Identity-First Architecture

Passwords are effectively dead. Attackers are stealing session cookies to bypass MFA at an industrial scale.

  • Implement Continuous Trust Authentication and behavioral biometrics. Treat every AI agent in your environment as a "First-Class Identity" with its own restricted privilege set.
  • Fill the Pre-Breach Intelligence gaps in your Cyber Threat Intelligence strategy: anticipation, not faster breach detection, is the new advantage.

3. Sovereign-Ready Resilience

Geopolitical fragmentation means you can no longer rely on a centralized global security model.

  • Invest in Sovereign-Ready Cloud architectures and modular data localization to protect operations from becoming collateral damage in regional conflicts.
  • However you manage external threat exposure, it must move at the speed of business and outpace attackers. Leverage EASM and TPRM platforms that operate continuously and autonomously; manual intervention is now an anchor on your team's ability to be effective.

Ask yourself these questions

| Report Insights | The Facts | Ask Yourself This… |
|---|---|---|
| The Velocity Gap: AI-driven "Agentic" kill chains have rendered human-speed detection windows obsolete. | 27 Seconds: The new baseline for an adversary to move from initial access to lateral movement. (CrowdStrike report from Jan 2026) | "If an autonomous agent breached my perimeter today, what automated controls are in place to stop lateral movement in under 30 seconds?" |
| The Identity Drain: Attackers are no longer "breaking in"; they are logging in using credentials harvested at scale. | 2.86 Billion: The number of compromised credentials tracked by KELA CIC in 2025. | "With nearly 3 billion credentials in circulation, how is my team identifying compromised employee identities before they are used to log into my environment?" |
| The Mac Safe Haven Myth: The most privileged users (Execs/Devs) are now the primary targets of professionalized malware. | 7,000% Surge: The year-over-year increase in macOS-specific infostealer infections. | "My executives and developers often hold the 'keys to the kingdom' on Macs—how am I monitoring those specific endpoints for session-hijacking tools?" |
| Industrialized Extortion: Ransomware has evolved from simple data theft into systemic "Availability Sabotage." | 45% Volume Growth: 7,549 victims claimed by 147 active groups globally in 2025. | "As ransomware groups shift focus toward halting operations rather than just stealing data, what is my 'Mean Time to Disconnect' to save my production line?" |
| The Deniable Proxy: Geopolitics is driving a surge in state-sponsored sabotage masked as ideological hacktivism. | 400% Surge: The increase in coordinated proxy attacks used for plausible deniability. | "How much visibility does your team have into 'hacktivist' activity that might actually be a precursor to a state-sponsored disruption of your supply chain?" |

Final Words

The findings in the State of Cybercrime 2026 represent more than just a data retrospective; they are a call to action for every leader operating in an increasingly autonomous threat landscape.

As we move into a year defined by machine-speed execution and the "Deniable Proxy" ecosystem, the ability to anticipate threat actor behavior before it manifests in your network is no longer a luxury—it is a requirement for operational survival.

"I am incredibly proud of our teams' efforts to produce this annual report. Our mission at the KELA Cyber Intelligence Center remains unchanged: to provide the ground-truth intelligence that empowers the global security community.

"I hope you find the same strategic value in this year’s analysis as leaders found in 2025—using these insights to anticipate, act, and avoid the threats we face in 2026 and beyond."