
2025 ZeroFox Forecast: Dark Web, Ransomware, Gen AI & Beyond

By Dilki Rathnayake, February 18, 2025 (Updated: February 18, 2025). 6 Mins Read

Threat actors and their organizations are expected to undergo significant changes. Deep and Dark Web (DDW) marketplaces will likely be shaped by law enforcement operations and geopolitical factors, while ransomware, digital extortion, and social engineering will continue to pose serious threats to organizations.

These were some of the findings of ZeroFox’s 2025 Key Forecasts Report, which added that generative AI (GenAI) will be a key tool that malicious actors exploit to make their attacks more efficient and effective.

Daniel Curtis, Manager of Global Intelligence at ZeroFox, says, “The threat from LLMs, deepfake technology, and other AI-powered tools is almost certain to increase during 2025, as threat actors implement them into both traditional and novel attack techniques.” 

Let’s see how everything is expected to unfold in 2025. 

Deep & Dark Web (DDW) Faces Intensified Scrutiny 

DDW environments that harbor the most extreme threat actor activity host discussions on the evolution of Tactics, Techniques, and Procedures (TTPs), the trading of stolen goods, and the operation of malicious services and marketplaces. However, these communities can no longer operate freely in their harmful, illegal activities.

ZeroFox says external geopolitical factors and law enforcement (LE) operations create fear and paranoia within these communities. In 2024, several significant LE operations took place, including the direct disruption of high-profile extortion groups such as LockBit and ALPHV. The effects of these operations are expected to persist into 2025. Additionally, the company has observed multiple instances of individuals trying to sell their entire operations, including administration panels and malware source code. 

While some areas may see reduced activity, this could lead to greater professionalization of DDW forums and marketplaces. Improved operational security protocols will likely push malicious actors and more of their activity to encrypted messaging platforms and closed channels. This change creates new challenges for those monitoring the darknet for stolen credentials, for law enforcement disrupting cyber operations, and for technology companies preventing illicit activities.

Ransomware and Digital Extortion (R&DE) Poised for a Surge 

2024 saw a record number of identified victims, with R&DE incidents expected to exceed the highs of 2023. The report revealed an average of 388 incidents per month, an increase from 337 in 2023. May recorded the peak with over 1,100 attacks, making the second quarter of 2024 the most active quarter yet. Although there was a slight slowdown in the fourth quarter, ongoing threats and continued ransom payments indicate that high attack volumes will persist into 2025.

The manufacturing industry is particularly vulnerable to extortion demands, while the retail, construction, healthcare, and technology sectors are also frequently targeted. 

Curtis highlights the resilience of ransomware collectives, noting that targeting their digital infrastructure rarely weakens the overall threat in the long run. “Often, digital infrastructure such as forums and victim leak sites are the first component of a collective to be successfully targeted.” 

He says the other components whose loss would more likely render a collective operationally ineffective, such as command and control servers, cryptocurrency wallets, or personnel, are more difficult to successfully target and disrupt. “As such, collectives that find themselves at the centre of significant scrutiny, perhaps losing their digital infrastructure, can retain their experienced affiliates and successfully continue operations under a new brand.”

Also, considering the slew of historic examples, there is little evidence to suggest that the disruption of prominent digital extortion collectives successfully degrades or weakens the ransomware threat landscape, except, perhaps, in the short term. “In the medium to long-term, it is more likely to become a driver of techniques, tactics, and procedures, as both rebranded and new collectives seek to differentiate themselves from their competition, and attract experienced affiliates.”

Generative AI: The New Shiny Weapon 

As mentioned, in 2025 generative AI (GenAI) is expected to enhance existing cyber threats rather than completely transform them. Threat actors will increasingly use AI tools for social engineering, malware development, and disinformation. While advanced offensive techniques may be adopted by elite attackers, the most significant change will be the greater accessibility of AI-driven attacks. ZeroFox predicts that both attackers and defenders will continue to adopt AI technologies, with dark web forums fostering innovation in bypassing security measures.

“An essential mitigation strategy that organizations should continually undertake is that of a fundamental cyber security awareness and education plan, across employees of all positions and seniority. Organizations should also implement AI into their own defense strategies. These tools are able to assist in identifying deepfake technologies, analyse real-time data to spot unusual trends, and automate specific aspects of threat detection, freeing the resources of cybersecurity teams,” Curtis adds.

Rise in AI-fueled Social Engineering attacks 

Social engineering will continue to be a major attack vector in 2025, with tactics such as phishing, business email compromise (BEC), and espionage remaining prevalent. The phishing-as-a-service (PhaaS) market is expected to fuel large-scale attacks by providing advanced tools like multi-factor authentication (MFA) bypass, session hijacking, and token theft. Additionally, generative AI will enhance phishing and social engineering efforts, making these attacks more difficult to detect. AI-generated scripts will also refine fraudulent tactics, especially in the financial services, retail, and telecommunications sectors. 

Curtis comments, “On the low-effort end of the scale, AI is able to mitigate, to some extent, many of the primary weaknesses of mass phishing campaigns. Non-English speaking actors, for example, are able to significantly improve the spelling and grammar of malicious communications, traditionally one of the common reasons that such a method could be flagged as suspicious even by employees regardless of cyber security awareness. On the high-effort end of the scale, AI-powered tools are enabling malicious actors to significantly enhance attacks such as executive impersonation and business email compromise, increasing the chances of success.

All of these threat vectors, however, rely on the compromise of a human to access a victim organization’s network, regardless of the leveraging of malicious AI-powered tools. Even in high-effort attack techniques that leverage deepfake technology, a human, or multiple, must still be deceived to succeed in most cases. As such, this threat can be decreased by ensuring that employees are educated on identifying many of the inherent social engineering factors that threat actors cannot easily overcome using AI.”

Geopolitical Developments 

Geopolitical events are expected to significantly influence cyber threats in 2025, reinforcing the trend of cyber-geopolitical convergence. Nation-states, cybercriminals, and hacktivists will adjust their strategies in response to evolving conflicts, with cyber activities increasingly reflecting political disputes. These attacks may include social engineering, data breaches, DDoS attacks, and the deployment of spyware. 

Moving Forward 

ZeroFox’s report highlights the key threat vectors that will shape the cyber landscape of 2025. While the influence of Deep and Dark Web (DDW) threats is likely to decrease, it is important to recognize both the positives and negatives of these changes. Maintaining and enhancing existing defenses, and promoting employee awareness of these new trends, will remain crucial.

Dilki Rathnayake

Dilki Rathnayake is a cybersecurity content writer and the Managing Editor at Information Security Buzz, with a BSc in Cybersecurity and Digital Forensics. She is skilled in computer network security and Linux system administration. Dilki has also led awareness programs and volunteered for communities promoting best practices for online safety.


The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.
