
Infostealers Remain a Persistent Threat in 2024 Cybercrime Landscape, KELA Report Finds

By Adam Parlett, March 19, 2025

Infostealers pose a persistent threat by facilitating advanced attacks such as ransomware and espionage. According to KELA’s “The State of Cybercrime 2024” report, 3.9 billion credentials have been found in credential lists sourced from infostealer logs. 

The report provides a comprehensive look into cybercrime and highlights some of the notable threats from 2024. Using this insight, KELA predicts what attack vectors it thinks will feature prominently in 2025 before providing advice on how to stay ahead of threat actors. 

Infostealers 

Information stealer (infostealer) malware is designed to harvest credentials, financial information, and other sensitive data.

In 2024, KELA observed more than 4.3 million machines infected with infostealer malware, representing more than 330 million compromised credentials. KELA found that the top three variants, Lumma, StealC, and Redline, accounted for over 75% of the malware detected on infected machines.

Moving forward, KELA envisages infostealers maintaining their role as a primary access vector. KELA recommends combating the threat with zero trust implementation, multi-factor authentication enforcement, and improved incident-response practices.

Hacktivists 

Hacktivists are groups or individuals who conduct cyberattacks and commit cybercrimes to further their political, social, or religious ideologies. They are increasingly favoring ransomware as an attack method and utilizing infostealers as well. 

Owing to the turbulent geopolitical situation in 2024, hacktivist groups allied to the Russia/Ukraine and Israel/Palestine conflicts featured heavily. More than 200 new hacktivist groups emerged, accounting for more than 3,500 distributed denial-of-service (DDoS) attacks. They were found to favor the Telegram messaging app for its ease of use and minimal moderation, and they are looking to self-fund and generate revenue beyond donations through cybercrime.

Based on their findings, KELA predicts a continuation of hacktivist activities, which will be influenced by geopolitical events and enabled by emerging technologies. They advocate for vigilant monitoring, investment in advanced DDoS protection, and closer collaboration with cyber threat intelligence (CTI) providers. 

Ransomware & Extortion Actors 

A crackdown on ransomware and extortion gangs in 2024 has seen groups pivot into operating as ransomware-as-a-service (RaaS) platforms, relying on double extortion and targeting organizations involved in the supply chain. In 2024, KELA observed a few cases of ransomware groups using different monetization models and advertising additional services. 

KELA believes that ransomware actors will continue relying heavily on RaaS models and exploring new monetization strategies this year.  

APTs and Influence Campaigns 

Advanced Persistent Threat (APT) groups are typically linked to nation-states, are well-funded, and are looking to gain unauthorized access to networks for extended periods to achieve maximum disruption. The boundary between cybercrime and state-sponsored activity is often blurry as it is not always apparent whether motivations are financial or political. Links between gangs and governments can be hard to prove, providing plausible deniability to the state involved. 

Elections dominated 2024, primarily the US election, with suspected influence from Iran, China, and Russia. The Taiwanese government reported receiving an average of 2.4 million cyberattacks per day in 2024, including a spike before their elections in January, while India was another country targeted during its elections in 2024. 

In 2025, KELA expects APT groups to continue to blur the lines between cybercrime and state-sponsored activities, leveraging financial extortion to fund geopolitical objectives, the targeting of critical infrastructure, and continued campaigns. They recommend leveraging AI tools to combat the spread of disinformation, securing security services, and widespread education on the issue. 

Abuse of AI through LLMs 

The increased efficiency of tools like ChatGPT for individual use and the advantages organizations can gain from GenAI-powered insights have driven many connections between databases and LLMs. 

The rise in popularity of these tools has also correlated with a sharp increase in the number of compromised accounts. Through its research, KELA identified that 3,000,000 ChatGPT accounts were compromised in 2024, compared to 154,000 in 2023. Gemini also saw a significant increase, from 12,000 compromised accounts in 2023 to 174,000 in 2024. KELA identifies prompt injection, where threat actors bypass the model’s safety controls through curated inputs, as emerging as the top attack method.

Looking ahead, KELA predicts the use of LLMs for nefarious purposes will only increase, citing deepfakes, backdoored models, and adversarial attacks as areas to watch out for. They identify securing integration, auditing, and evaluating usage as necessary in relation to LLMs. In terms of AI, simulating scenarios, only downloading from trusted sources and education around misuse are strongly advised. 

Be Proactive 

The biggest takeaway from the report is the need to be proactive in defense. With AI advancing rapidly and the geopolitical situation fragmented and unstable across many regions, opportunistic cybercriminals are utilizing and sharing new AI tools to exploit emerging gaps.  

Three recommendations repeatedly appear throughout the report to effectively equip organizations to respond. Organizations must educate their employees on these issues, implement stronger access controls wherever they can in line with a zero-trust framework, and explore and invest in AI tools that can put them on the front foot to identify, contain, and eliminate threats before they happen. 

Adam Parlett

Adam Parlett is a cybersecurity marketing professional who has been working as a project manager at Bora for over two years. A Sociology graduate from the University of York, Adam enjoys the challenge of finding new and interesting ways to engage audiences with complex Cybersecurity ideas and products.


The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.
