A quarter of all cyberattacks investigated by IBM targeted Europe

- AI-driven cyberattacks escalate along with basic security gaps
- European financial and insurance sectors hit hard
Feb 25, 2026

ARMONK, N.Y., February 25, 2026 — IBM (NYSE: IBM) today announced its annual X-Force Threat Intelligence Index 2026. In 2025, a quarter of all cyberattacks investigated by IBM X-Force targeted Europe, with critical sectors such as finance and insurance hit particularly hard. The study also shows that cybercriminals are increasingly exploiting basic security gaps, accelerated by AI tools that identify vulnerabilities faster than ever. IBM X-Force observed a 44% increase in attacks that began via exploiting publicly accessible applications, largely due to missing authentication controls and AI-assisted vulnerability discovery.

A quarter of all cyberattacks investigated by IBM targeted Europe
In 2025, a quarter of all cyberattacks targeted Europe. The most common method for initial access was exploiting publicly accessible applications (40%). Follow-up actions primarily involved the deployment of malware (43%), the use of legitimate tools (26%), and server access (26%). Credential harvesting was the most common impact at 40%, followed by data leaks (27%) and data theft (13%), demonstrating that attackers remain heavily focused on monetizing sensitive information. The finance and insurance sector accounted for 39% of incidents X-Force investigated in the region, followed by professional, business, and consumer services (18%) and retail (13%).

“Attackers aren’t reinventing playbooks, they’re speeding them up with AI,” said Mark Hughes, Global Managing Partner for Cybersecurity Services, IBM. “The core issue is the same: businesses are overwhelmed by software vulnerabilities. The difference now is speed. With so many vulnerabilities requiring no credentials, attackers can bypass humans and move straight from scanning to impact. Security leaders need to shift to a more proactive approach, using agentic-powered threat detection and response to identify gaps and catch threats before they escalate.”

AI’s Mounting Identity Problem
Infostealer malware led to the exposure of over 300,000 ChatGPT credentials in 2025, signaling that AI platforms have reached the same credential risk as other core enterprise SaaS solutions.

Compromised chatbot credentials create AI-specific risks beyond simple account access. Attackers can manipulate outputs, exfiltrate sensitive data or inject malicious prompts. This underscores the need to assess enterprise-wide AI adoption and enforce strong authentication and conditional access controls.

AI, Leaked Tooling Lower Barriers to Ransomware Ecosystem
In 2025, X-Force observed a 49% increase in active ransomware groups compared to the prior year, with smaller, transient operators running low-volume campaigns that complicate attribution. This trend is accelerated by collapsing barriers to entry as threat actors reuse leaked tooling, rely on established playbooks and increasingly tap AI to automate operations. As multimodal AI models mature, X-Force expects adversaries to automate complex tasks like reconnaissance and advanced ransomware attacks, driving faster-moving, more adaptive threats.

Pressure on Supply Chains Poised to Grow
X-Force identified a nearly 4X increase in large supply chain or third-party compromises since 2020, mainly driven by attackers exploiting trust relationships and CI/CD automation across development workflows and SaaS integrations. With AI-powered coding tools accelerating software creation, and occasionally introducing unvetted code, the pressure on pipelines and open-source ecosystems is expected to grow in 2026.

This rise is also attributed to the blurring line between nation-state and financially motivated actors. As tactics and techniques spread across underground forums, and AI streamlines reconnaissance and exploitation, techniques once reserved for nation-state actors are now being adopted by financially motivated groups.

Other key findings include:

  • Active ransomware and extortion groups surged 49% year over year, indicating fragmentation in the threat landscape, while publicly disclosed victim counts rose by about 12%;
  • Large supply chain and third-party incidents have nearly quadrupled since 2020, as attackers increasingly exploit environments where software is built and deployed, or SaaS integrations;
  • Vulnerability exploitation became the leading attack vector, accounting for 40% of incidents observed by X-Force in 2025.

Additional information:

  • Read the full IBM X-Force Threat Intelligence Index 2026;
  • Read the blog on the key findings of the research.


Media Contact
Jasmina Premrl
jasmina.premrl@si.ibm.com