United States organizations and individuals lost $20.877 billion to cybercrime in 2025, marking the first time annual losses have exceeded the $20 billion threshold and representing a stark 26% increase from the prior year. This $20.9 billion figure encompasses reported losses across multiple attack vectors: investment fraud schemes ($8.6 billion), cryptocurrency scams that hit a record $11.36 billion, ransomware operations, and credential-based intrusions. The staggering scale reflects not just the sophistication of modern attacks, but a fundamental shift in how cybercriminals operate and the expanding surface area of digital vulnerability across industries. What makes these numbers particularly alarming is their incompleteness.
Law enforcement estimates that only about one in four scam victims actually file reports, which means the true cost of cybercrime is “several times higher” than the reported $20.9 billion. A company that discovers a breach through internal monitoring but never reports it to authorities, a small business that pays ransomware demands quietly to avoid publicity, an individual who loses money to a cryptocurrency scam and assumes nothing will come of reporting it—all of these contribute to a vastly larger hidden cost that official statistics fail to capture. The acceleration is relentless. Global data breaches rose 3% month-over-month in January 2026 alone, with organizations worldwide now experiencing roughly 2,090 attacks per week on average—a 17% increase from the prior period. This is not a plateau; it is a narrowing margin between an organization’s defensive capabilities and the sheer volume of intrusion attempts it faces.
Table of Contents
- What Types of Cybercrime Are Driving the $20 Billion Loss?
- Ransomware Remains the Breach Epidemic
- The Attack Methodology Shift: Stolen Credentials Now Dominate
- Why Healthcare Remains the Most Expensive Breach Target
- The Reporting Gap: Real Losses Are Likely Three to Four Times Higher
- The Attack Volume Explosion
- January 2026 Data Breach Surge Signals Continuing Escalation
- Frequently Asked Questions
What Types of Cybercrime Are Driving the $20 Billion Loss?
The $20.9 billion total is not monolithic. Cryptocurrency scams have emerged as the largest single category, reaching $11.36 billion in 2025 losses. These range from sophisticated phishing campaigns impersonating legitimate exchanges, to pump-and-dump schemes, to outright theft of wallet credentials. Investment fraud, a broader category that includes romance scams, advance-fee schemes, and fake investment platforms, accounts for $8.6 billion.
The remainder spans ransomware payments, business email compromise (BEC) attacks, tech support scams, and other vectors. The dominance of fraud-based losses—as opposed to ransomware alone—reveals that attackers are increasingly relying on social engineering and credential compromise rather than sophisticated zero-day exploits. This distribution matters because it highlights a vulnerability that no firewall can completely patch: human judgment. A sophisticated encryption exploit can be remediated through software updates; a victim who believes they are transferring money to a legitimate investment platform because the email looks authentic and the call center representative sounds convincing presents a fundamentally different problem. The prevalence of cryptocurrency scams suggests that criminals have identified a particularly effective vector: assets that are irreversible, pseudonymous, and largely unrecoverable once stolen.
Ransomware Remains the Breach Epidemic
Ransomware operations represent 44% of all breaches in 2025, though they do not account for the largest share of total financial losses when measured in dollars. This discrepancy is revealing: ransomware is widespread and remains highly lucrative, but many victims pay demands in the thousands to tens of thousands of dollars range. In contrast, a single sophisticated investment fraud scheme or cryptocurrency theft can easily exceed millions. Nonetheless, 44% prevalence means that nearly half of all detected breaches involve extortion, encrypted files, and the decision to either pay for decryption keys or lose data access entirely.
The limitation in the ransomware narrative is that payment statistics are incomplete. Organizations often cannot disclose whether they paid a ransom due to insurance policies, regulatory agreements, or internal policy prohibitions on discussing incidents. This means the actual revenue flowing to ransomware operators is likely significantly higher than any single estimate, and the breach count may undercount incidents where organizations do not discover encryption attempts until well after the attacker has already exfiltrated sensitive data. A sophisticated modern ransomware operation often includes data theft alongside encryption, creating dual leverage: pay or both your files and your sensitive information will be published.
The Attack Methodology Shift: Stolen Credentials Now Dominate
Attackers have largely abandoned the traditional “hacking in” approach that dominated early-2000s security narratives. Only 26% of breaches are now attributed to external hacking—that is, direct exploitation of unpatched systems, zero-day vulnerabilities, or network reconnaissance and lateral movement. Instead, the majority of breaches now stem from compromised credentials: stolen usernames and passwords, often harvested from previous breaches, credential-stuffing attacks, phishing campaigns, or insider access sold on darknet forums. This shift represents both a strategic victory and a strategic failure on the part of defenders.
Organizations have hardened external attack surfaces substantially; patching cycles are faster, vulnerability disclosure is more mature, and intrusion detection systems are more sophisticated. But the price of that security has been increased reliance on remote access, cloud services, and identity management platforms—all of which are effective targets if an attacker possesses valid credentials. A stolen Active Directory password from an employee at a healthcare provider, a compromised API key from a cloud-storage service, or a social-engineered contractor credential can grant access equivalent to being inside the network perimeter. Once inside, the attacker often encounters environments where lateral movement is straightforward and data exfiltration is trivial.
Why Healthcare Remains the Most Expensive Breach Target
The healthcare sector continues to bear the highest cost per breach incident at $11.2 million on average, a position it has held for 15 consecutive years. This consistency is not accidental. Healthcare organizations operate under regulatory requirements (HIPAA, state privacy laws) that impose significant liability and notification costs for breach disclosure. They hold data—medical records, insurance information, genetic information—that remains valuable for years and is difficult for individuals to change (unlike a compromised email address or credit card number, a person’s medical history is permanent and irreplaceable).
Ransomware operators have targeted healthcare specifically because hospitals cannot easily shut down systems without threatening patient safety, creating psychological pressure to pay demands. The practical implication is that a healthcare organization must spend disproportionately on security controls and incident response precisely because the consequences of failure are so expensive. A breach affecting 50,000 patient records can trigger millions in notification costs, regulatory fines, legal liability, and reputation damage. This creates a compounding disadvantage: smaller healthcare providers often lack the budget to implement advanced security measures, yet they are targeted with equal frequency to larger competitors. The $11.2 million average cost per incident is an average; many smaller breaches cost less, but a single severe incident can destroy an organization’s finances.
The Reporting Gap: Real Losses Are Likely Three to Four Times Higher
The estimate that only one in four scam victims report incidents to law enforcement is not merely a statistical curiosity—it fundamentally undermines the credibility of the $20.9 billion total. If the reported figure represents roughly 25% of actual losses, the true cost approaches $80 billion or higher. This underreporting is driven by rational and irrational incentives: embarrassment, distrust of law enforcement, skepticism that reporting will result in recovery, fear of retaliation, lack of awareness of reporting mechanisms, and the simple friction of filing reports.
For businesses, underreporting is often driven by insurance policies (some insurers reduce coverage if incidents are not reported quickly, but some organizations delay reporting for the sake of incident response and legal strategy), concern about regulatory scrutiny, fear of customer backlash, and the reality that many businesses prefer to absorb losses quietly rather than face public disclosure. A company that experiences a $500,000 cryptocurrency theft may simply write it off on taxes rather than file a report and risk investor confidence. This hidden cost structure means that cybersecurity budgets based on published statistics are fundamentally undersized for the actual risk environment.
The Attack Volume Explosion
The week-over-week attack frequency of approximately 2,090 attacks per organization globally represents an average that obscures significant variation. Large targets—financial institutions, Fortune 500 companies, government agencies—experience orders of magnitude more attacks. Mid-market organizations typically experience hundreds of attacks daily. The 17% increase in this frequency from the prior measurement period indicates accelerating attack operations, likely driven by commodity malware, automated vulnerability scanning, and the proliferation of cheap or free attack infrastructure available on the darknet.
This frequency metric is important because it decouples from breach counts in revealing ways. Not every attack succeeds; in fact, the vast majority fail. But a 17% increase in attack frequency creates mounting pressure on security teams, increases the statistical likelihood of a successful breach over time, and drives alert fatigue among security operators who must distinguish signal from noise. An organization experiencing 2,090 attacks per week cannot realistically investigate every incident; the cost of doing so would exceed the cost of suffering a breach. This creates a deliberate risk calculus where organizations must accept that some attacks will succeed and focus resources on detecting the most damaging breaches rather than preventing all intrusions.
January 2026 Data Breach Surge Signals Continuing Escalation
The 3% month-over-month increase in global breaches in January 2026 continues a trend that accelerated through 2025. While 3% might seem modest, it represents a compounding escalation when measured over quarterly or annual periods. If this rate holds, it suggests approximately 36% year-over-year growth in breach incidents, which would dramatically exceed the growth in cybersecurity investment or defensive capability.
The surge reflects both increased attacker activity and increased detection capability—organizations are discovering breaches they might have previously missed—but the net result is that breach statistics remain on an upward trajectory. The January 2026 data is particularly significant because it demonstrates that the $20.9 billion figure for 2025 was not an anomaly but rather the beginning of a new baseline. Organizations that budgeted for cybersecurity in 2024 based on 2023 losses, or that delayed security investments assuming the growth rate would plateau, now face a materially different risk environment. The credential-based attack methodology, the ransomware prevalence, and the investment fraud and cryptocurrency scam losses are not temporary phenomena; they represent the sustained operating model of modern cybercriminals.
Frequently Asked Questions
How much of the $20.9 billion comes from ransomware payments?
Ransomware represents 44% of all breaches, but does not account for the largest share of total financial losses by dollar amount. Cryptocurrency scams ($11.36 billion) and investment fraud ($8.6 billion) together exceed the total ransomware losses, though the proportion of losses attributable to ransomware specifically is not broken out in the published statistics.
Why is healthcare so expensive to breach?
Healthcare organizations hold data (medical records, insurance information) that remains valuable indefinitely, operate under HIPAA and state privacy regulations that impose significant notification and liability costs, and are targeted by ransomware operators who exploit the fact that hospitals cannot easily shut down systems without threatening patient safety.
Are these losses increasing faster than security budgets?
Yes. The 26% increase in losses year-over-year, combined with a 17% increase in attack frequency and the 3% month-over-month growth in breaches in early 2026, suggests that the rate of attack acceleration is outpacing defensive capability improvements and budget growth in most organizations.
What percentage of breaches now result from external hacking versus credential compromise?
Only 26% of breaches are attributed to external hacking (direct exploitation of vulnerabilities or network reconnaissance). The majority now result from compromised credentials, including stolen passwords, phishing campaigns, and insider access sold on darknet forums.
Why do only one in four scam victims report incidents?
Victims often lack awareness of reporting mechanisms, distrust that reports will result in recovery, feel embarrassed, or fear retaliation. For businesses, underreporting is driven by insurance policy considerations, regulatory concerns, fear of customer backlash, and the decision to absorb losses quietly to avoid public disclosure.
What is the outlook for 2026?
Current data from January 2026 shows a 3% month-over-month increase in breaches and a 17% increase in attack frequency. If these trends continue, 2026 could see a significant escalation in both breach incidents and total financial losses compared to 2025.
