According to the report, the number of attacks that began with the exploitation of publicly accessible applications increased by 44%. The main causes were a lack of authentication controls and AI-assisted vulnerability scans. Globally, the exploitation of vulnerabilities was the most common cause of security incidents in 2025, accounting for 40%.

Mark Hughes, Global Managing Partner for Cybersecurity Services at IBM, said: "Attackers are not reinventing playbooks, they are accelerating them with AI".

Ransomware groups increase by 49

The number of active ransomware and extortion groups rose by 49% year-on-year. At the same time, the number of publicly disclosed victims increased by around 12%. According to X-Force, these are increasingly smaller, short-lived groups that are difficult to identify. Lower market entry barriers, reused leaked tools and AI-supported automation are contributing to this development.

Supply chains compromised four times more often

Since 2020, major compromises of supply chains and third-party providers have almost quadrupled. Attackers particularly exploited trust relationships and CI/CD automation in development environments and SaaS integrations. With the increased use of AI-powered programming tools, IBM expects further pressure on software pipelines and open source ecosystems in 2026.

Over 300,000 ChatGPT credentials exposed

Infostealer malware led to the disclosure of more than 300,000 credentials to the ChatGPT platform in 2025. The report points out that AI platforms thus have comparable identity risks to other central SaaS applications. In addition to account access, there are additional risks from the manipulation of expenses, exfiltration of sensitive data or the infiltration of malicious prompts.

Europe third most popular destination region worldwide

Europe was the target of 25% of the attacks investigated by IBM in 2025, putting it behind North America with 29% and the Asia-Pacific region.

In Europe, the exploitation of publicly accessible applications was the most common cause of attack at 40%. Malware was used in 43% of cases, the use of legitimate tools and unauthorized server access in 26% each. Credential harvesting was the most common cause of attack at 40%, followed by data leaks at 27% and data theft at 13%.

The financial and insurance sector was the most affected sector in 2025 with 39% of incidents, up from 18% in the previous year. Professional, business and consumer services fell from 38% to 18% in the same period. The manufacturing industry remained the most frequently attacked sector for the fifth year in a row, accounting for 27.7% of incidents observed worldwide.