As we enter 2026, the story of cyber risk continues to evolve. At the same time, some patterns have held steady and kept growing for some time. Attackers don’t need unique or specialized skills anymore – the world of hacking is much more accessible, especially when threat actors can log in like you or convince you to log in on their behalf. Automation is making that easier, faster, and cheaper than ever, especially with the development of AI.
Here we explore some of the cyber security and crime trends that look most defining for 2026, based on what major incident and law-enforcement reporting has been showing through 2024–2025.
Identity-based attacks have been on the rise for some time, and we expect this to continue throughout 2026. These attacks remain one of the primary paths attackers take to compromise corporate networks, because credential information is readily available on the dark web and using it remains one of the simplest ways to gain access, requiring no specialized hacking skills. Expect 2026 to be the year more organizations stop treating identity as a feature of IT and start treating it as a core security control.
Verizon’s 2025 DBIR notes that Basic Web Application Attacks commonly involve stolen credentials, and credential abuse remains a dominant initial access method across multiple attack patterns.
Because of this, you should expect to see more phishing-resistant authentication being implemented across systems as well as continuous verification.
Threat actors don’t only have the ability to steal credentials; they can also coerce them from unwitting employees through social engineering. A common target in 2025 was the help desk, which attackers tricked into resetting MFA, and this is expected to continue into 2026.
With the continued development of AI, it is likely that social engineering attacks will improve, with deepfakes used to fool people into believing they are providing access to a legitimate person. DarkOwl analysts started exploring this trend in 2024.
Infostealer malware isn’t new, but in the last year it has appeared to be more widespread and more relied upon to conduct real-world intrusions.
Mandiant highlights infostealers as an ongoing pipeline for initial access, where stolen creds from “logs” enable follow-on compromises that end in data theft and extortion.
In 2026 we expect more stealer log compromises that start outside the enterprise – meaning employee personal devices, unmanaged browsers, and reused passwords – as well as the use of stolen cookies/tokens, not just passwords.
As Telegram continues to be a source for both free and paid stealer log subscriptions, these logs remain relatively easy for threat actors to obtain, again lowering the level of sophistication that actors need to gain access to systems.
Ransomware has been around for a long time, and it doesn’t show any signs of slowing down as we head into 2026. However, it has developed over the years with ransomware groups operating like mature businesses with specializations, supply chains, affiliate programs, PR, and negotiation playbooks.
In addition, their techniques have also developed. Although we commonly refer to these attacks and groups as ransomware, data theft is common, and data theft extortion events where no ransomware is deployed are becoming increasingly common.
In 2026 we expect more “no-encryption” extortion attacks, where actors steal data, threaten to leak it on a dark web site, and do so if the extortion demand is not paid – without ever encrypting the data.
In 2026, AI isn’t just “writing better phishing emails” – it’s enabling highly targeted, multilingual scams at scale, voice cloning for “CEO fraud” and synthetic identities, and deepfake-driven coercion.
European law enforcement has been explicit that AI is accelerating organized crime and enabling impersonation and scalable fraud. ENISA’s 2025 Threat Landscape also notes criminal abuse around AI tooling, including fraudulent AI tool sites used to deliver malware and concerns about AI supply chain risks.
Generative AI will also make it cheap to produce high-quality lures for cyberattacks, and it can do this at scale, meaning that threat actors can use AI to industrialize phishing attacks as well as other methods of attack.
As highlighted above, social engineering is an attack vector which is likely to increase in 2026, and AI will be at the forefront of enabling that growth. AI-assisted social engineering will include voice cloning for “urgent CFO calls,” fake candidates in hiring funnels, and vendor payment diversion, among many other techniques – some probably not yet thought of.
However, AI can and will also be a useful tool in defending against threat actors. AI can be used to automate and triage vulnerabilities and risk indicators for faster detection and investigation.
Cybercrime isn’t only “breaches.” In raw victim impact, fraud dominates, and it’s increasingly industrialized. The FBI’s Internet Crime Report for 2024 reported record losses and flagged investment fraud, often crypto-related, as a major driver of dollar losses. This is likely to continue to rise.
Dark web marketplaces continue to be a hotbed of activity when it comes to financial crime, with credit cards, bank account information, and access to payment apps being traded routinely.
Since the invasion of Ukraine by Russia in 2022, hacktivist groups have been particularly vocal and active. This only grew after the October 7 attacks in Israel. The groups primarily conduct DDoS (distributed denial of service) attacks but have also conducted many defacement attacks, and in recent times have been more likely to leak data and dox individuals.
This threat is not likely to diminish in 2026, with geopolitics continuing to remain strained throughout the world. It is likely that more groups will emerge in response to real world events and political affiliations.
Many of the cybercrime and cyber security trends of 2025 will continue into 2026, but it is likely to become more difficult to keep up with the speed and scale of attacks due to the use of AI.
It is important for organizations and individuals to remain vigilant and ensure that they are using appropriate precautions to protect themselves.