Global Cybercrime Report 2026: Key Findings

Cybercrime is on track to cost the world $11.88 trillion in 2026, with the trajectory pointing toward $19.71 trillion by 2030. The threat industrialized over 2025: payment volumes fell as attack volumes climbed to record highs. AI lowered the barrier to entry for new attackers. Manufacturing absorbed the largest year-over-year ransomware surge. Third-party breaches doubled.

This article distills the key findings from our full Global Cybercrime Report 2026, which combines forecast modeling, third-party primary research, and Proxyrack's internal calendar 2025 KYC enforcement data into a single picture of where the threat is heading.

Six Key Findings for 2026

1. Global cybercrime cost is estimated to reach $11.88 trillion in 2026, up from $10.5 trillion in 2025, on a path to a projected $19.71 trillion by 2030. That figure approximates the GDP of China and exceeds the combined GDP of Germany, the UK, and India.

2. The 10 highest-risk countries cluster across emerging markets in Latin America, Africa, and the Middle East. The 2026 update places Myanmar, Haiti, and the DR Congo at the top, reflecting Basel AML Index 2025 data. Nordic countries continue to dominate the safest end.

3. Ransomware payments fell roughly 8% to an estimated $820 million in 2025 (Chainalysis), but the median payment per victim climbed 368%. Attack volume reached the highest level on record. Q1 2026 trackers show activity holding at the elevated 2025 plateau.

4. Manufacturing absorbed a 61% surge in ransomware activity in 2025. Healthcare took 290+ ransomware incidents at provider organizations. SMBs faced disproportionate exposure: 88% of ransomware-affected organizations had fewer than 1,000 employees (Sophos).

5. AI lowered the skill floor for cybercriminals rather than raising the ceiling. The FunkSec ransomware group, whose developers told researchers they were not coders, used generative AI to ship working malware and reportedly claimed 113 victims by March 2025.

6. Proxyrack internal KYC enforcement data for calendar 2025 shows the United States accounted for the largest single share of suspended accounts (26.32%), followed by a tier of 6 countries at 5.26% each (Brazil, Hong Kong, Indonesia, Cambodia, Nigeria, Poland). The dataset reflects Proxyrack's platform enforcement activity and is not a measurement of global cybercrime distribution.

Global Cybercrime Cost: $11.88 Trillion in 2026

Cybercrime is estimated to cost the world $11.88 trillion in 2026, growing at roughly 13% compound annually through 2030. The forecast comes from Proxyrack's internal model, which uses Cybersecurity Ventures historical baseline data only (2015-2023) and applies growth-rate inputs derived from Verizon DBIR breach prevalence trends, IBM Cost of a Data Breach annual averages, and Chainalysis crypto-crime payment volumes.

The 2025 actual landed within 4% of our prior-year projection, which means the model is calibrated against ground truth. Three structural shifts amplify the trajectory: AI-augmented attack tooling has expanded the attacker pool, the Initial Access Broker economy now functions as a 30-day leading indicator for ransomware activity, and third-party breaches doubled to 30% of all breaches in 2025. For deeper analysis on direct breach costs, see our Cost of a Data Breach report.

Cybercrime Risk by Country: 2026 Update

The 2026 update places Myanmar at the top of the risk list with a Cybercrime Risk Score of 8.43, followed by Haiti at 8.12 and the Democratic Republic of the Congo at 7.94. Venezuela, Panama, Costa Rica, Chile, Saudi Arabia, Uruguay, and the UAE round out the top 10. The shift at the top reflects the Basel AML Index 2025 update, which elevated Myanmar, Haiti, and the DRC to the highest-risk tier for financial crime vulnerability. For the previous year's rankings, see our Cybersecurity Country Rankings 2025.

Finland, Iceland, and San Marino take the safest spots. Nordic countries continue to dominate the safest end of the rankings, with mandatory cybersecurity legislation, deep public-private cooperation, and high digital infrastructure investment per capita all reinforcing each other.

Methodology note. The Proxyrack Cybercrime Risk Score combines five international indices weighted equally: the Basel AML Index 2025 (14th Public Edition), the Cybersecurity Exposure Index (held at 2020 because no newer edition exists), the National Cyber Security Index (live data), the Digital Development Level (live data), and the ITU Global Cybersecurity Index v5 (held at 2024 because v6 has not been released). Each index is normalized to a 0-10 scale before averaging. The methodology is unchanged from the 2025 Proxyrack report to preserve year-over-year comparability.

Ransomware in 2026: Industry Restructured, Did Not Weaken

Ransomware payments fell roughly 8% to an estimated $820 million in 2025 (Chainalysis), the second consecutive annual decline. At the same time, attack volume reached the highest level on record. The two facts together describe an industry that did not weaken. It restructured around a smaller pool of paying victims, a fragmented supplier base, and an AI-enabled new class of low-effort operators.

Key 2026 dynamics:

70 active ransomware groups tracked in Q1 2026 (Ransomware.live), up from 67 a year earlier and roughly double the count from 2022. New groups keep arriving even as established names get disrupted by law enforcement.

Top 10 groups captured 73% of payment volume (Chainalysis 2026 Crypto Crime Report). The long tail of 60+ smaller groups absorbs the rest, often through volume-over-value pricing.

Median ransom payments climbed 368% from 2023 to 2024 ($175,000 to $814,000) and continued rising in 2025. The smaller pool of organizations that still pay are paying significantly more per incident.

Manufacturing absorbed a 61% year-over-year surge in ransomware activity. The Akira, Qilin, and Play groups dominated the segment.

Public incidents anchored the year. The Marks & Spencer breach in April and May 2025, attributed to Scattered Spider, disrupted UK retail operations. The Jaguar Land Rover incident has been reported in industry coverage to have inflicted multi-billion-dollar damages. The DaVita ransomware breach is reported to have exposed approximately 2.7 million patient records.

AI-Powered Cybercrime: The Skill Floor Collapse

AI cybercrime is the dominant cybersecurity narrative of 2026, but the popular framing has it backwards. The risk is not that AI created a small number of more dangerous attackers. The risk is that AI eliminated the apprenticeship that previously kept low-skill actors out of the cybercrime market, creating a much larger pool of mediocre but functional attackers operating at higher volume.

FunkSec is the case study. The group launched in late 2024 with developers who told researchers they were not coders. Using generative AI tools to produce Rust-based malware, they shipped a functional ransomware payload in weeks. By March 2025, FunkSec had reportedly claimed 113 victims across 10 countries, ranking among the top groups by victim count for that quarter despite the small team size and limited capital.

IBM's 2025 study of 600 breached organizations found that 16% of breaches involved AI-assisted attacks, most commonly in the phishing and impersonation categories. The percentage is rising quarter over quarter according to IBM's tracking through Q1 2026.

The defensive side of the AI shift is more encouraging. IBM found that organizations using AI tools in security operations cut their breach lifecycle by 80 days and saved nearly $1.9 million on average per breach compared to organizations without AI in the SOC.

Supply Chain Attacks: The Largest Single-Year Shift

Third-party breaches doubled in 2025 to 30% of all breaches, the largest single-year shift in attack vector composition Verizon has recorded in the DBIR's history. Vendor risk management still receives a small fraction of enterprise security spend despite this exposure. For the broader picture of which industries are most exposed, see our Exposed Industries report.

The increase reflects two shifts. Organizations have continued to outsource more operations to specialized vendors. Attackers have learned that compromising one well-positioned vendor can cascade access to dozens or hundreds of downstream organizations.

Proxyrack Internal Data: KYC Enforcement Record for Calendar 2025

Proxyrack operated a Know Your Customer (KYC) verification process throughout calendar 2025 as one layer of its anti-abuse stack. The dataset below captures all account suspensions executed under that process during the full 2025 calendar year. Total suspensions: 76 accounts.

The United States accounted for the largest single share at 26.32% of suspensions. A second tier of six countries (Brazil, Hong Kong, Indonesia, Cambodia, Nigeria, Poland) each accounted for 5.26%. A third tier of four countries (India, Netherlands, Pakistan, Vietnam) each accounted for 2.63%. The remaining 24 countries each accounted for 1.32%.

Important caveats. The figures represent share of total suspensions by country, not in-country suspension rates. The dataset is small (76 total accounts) and reflects activity on the Proxyrack platform during one calendar year. It is not a measurement of global cybercrime distribution.

Proxyrack's KYC verification process was retired in late 2025 as the company consolidated its anti-abuse stack around its opt-in compliance framework, which provides ongoing real-time enforcement at the device, network, and session layers.

What This Means for Security Teams in 2026

The defining ransomware shift of 2025 is not in attack count or payment dollars. It is in the supply chain. Initial Access Brokers, AI-enabled small operators like FunkSec, and the splintering of LockBit-class groups into a long tail of low-skill teams have changed the threat model. The old defensive playbook assumed a small number of well-resourced attackers. The 2026 reality is a much larger pool of lower-skill operators working at significantly higher volume, supported by increasingly accessible credential and access markets.

- Katy Salgado, Operations Manager, Proxyrack

Three priorities for 2026:

Treat the Initial Access Broker market as a leading indicator, not a downstream artifact. When IAB listings spike in your sector, ransomware activity in the same sector spikes 30 days later. Build that into your threat intelligence cadence.

Build vendor security review into the same priority tier as identity and access. Third-party breaches at 30% of all breaches mean the supply chain is now a primary attack surface, not a secondary concern.

Design defensive architecture for the high-volume low-skill AI-enabled attacker, not just for the sophisticated operator. Detection logic optimized for nation-state TTPs will miss the FunkSec-class segment because there is nothing distinctive to detect.

Methodology and Sources

The 2026 cybercrime cost forecast is produced by Proxyrack's internal model using Cybersecurity Ventures historical baseline data only and growth-rate inputs derived from current Verizon DBIR, IBM, and Chainalysis data. The country rankings methodology is unchanged from the 2025 Proxyrack report to preserve year-over-year comparability. The KYC suspension dataset reflects Proxyrack platform enforcement activity for calendar 2025 only.

Primary external sources cited in this article and the full report include the Chainalysis 2026 Crypto Crime Report, Verizon DBIR 2025, Sophos State of Ransomware 2025, IBM Cost of a Data Breach Report 2025, Halcyon 2026 Power Rankings, IPinfo + AbuseIPDB joint research at RSA Conference 2026, GreyNoise 2026 Invisible Army Report, Google Cloud Threat Intelligence IPIDEA Disruption (January 2026), the Basel AML Index 2025, the e-Governance Academy National Cyber Security Index, the ITU Global Cybersecurity Index v5, and others. The complete source list is in the full report.

This article summarizes findings from the Global Cybercrime Report 2026 (8,700 words, 5 charts, 24 primary sources). The full report covers 11 sections including phishing economics, cryptojacking trends, government action, NIS2 enforcement, and our complete methodology.