US Cyber‑Crime Hits 1 Million Incidents, Losses Top $20.8 Billion

FBI data shows US cyber‑crime incidents top one million and financial damage reaches $20.8 bn, with physical‑violence threats now affecting nearly half of ransomware victims.

Peter Olaleru, Cybersecurity Editor

A man in dark clothing posing as a cyber-criminal

Source: BBC

The FBI reports a record 1,008,597 cyber‑crime incidents in the US and $20.8 billion in losses for 2025, with physical‑violence threats linked to ransomware now affecting nearly half of US victims.

Context

Cyber‑crime has accelerated for years, but 2025 marks a sharp inflection point. The FBI’s annual cyber‑crime report shows incidents rising from 288,012 in 2015 to just over one million last year, the highest count on record. Financial damage followed a similar trajectory, climbing from $16.6 billion in 2024 to $20.8 billion in 2025.

Key Facts

- The surge includes a more than two‑fold increase in threats of physical violence attached to ransomware attacks. In the US, 46 % of ransomware victims reported such threats, up from roughly 20 % the previous year.
- Semperis research indicates that 40 % of global ransomware incidents in 2025 featured intimidation tactics that referenced personal addresses, social‑security numbers, or direct phone calls to staff.
- Threats range from explicit messages, like the package delivered to Semperis employee Tim Beasley, to coercive control of industrial equipment—turning robots or conveyor belts on and off to demonstrate lethal capability.
- Most violent extortion originates from financially motivated groups, often run by individuals aged 17‑25, who outsource “violence‑as‑a‑service” to third parties.
- State‑backed actors from Russia, China, Iran and North Korea also employ physical threats, but they remain a minority of cases.

What It Means

The data signals a shift from purely digital extortion to hybrid attacks that blend cyber intrusion with real‑world intimidation. Security teams can no longer treat ransomware as a purely technical incident; they must anticipate personal safety concerns for employees whose data have been exposed. The rise in “In Real Life Com” networks—online groups that sell violent enforcement—adds a new layer of risk that law‑enforcement alerts now flag.

Mitigations – What Defenders Should Do

1. Patch known vulnerabilities – Apply critical updates for CVE‑2023‑XXXXX (remote code execution in common VPNs) and CVE‑2024‑XXXXX (privilege escalation in Windows SMB) within 48 hours.
2. Deploy multi‑factor authentication (MFA) on all privileged accounts to block credential‑theft techniques (MITRE ATT&CK T1110).
3. Segment networks to isolate critical OT (operational technology) systems, preventing attackers from toggling machinery.
4. Monitor for data‑exfiltration – Enable DLP (data‑loss‑prevention) rules that flag bulk export of personal identifiers (addresses, SSNs).
5. Establish a physical‑security protocol – Create a response plan that includes law‑enforcement liaison, employee safety briefings, and secure communication channels for threat reports.
6. Threat‑intel sharing – Subscribe to FBI alerts on “violence‑as‑a‑service” groups and integrate indicators of compromise (IOCs) into SIEM (security information and event management) tools.
7. Regular phishing simulations – Reduce initial access vectors (MITRE ATT&CK T1566) by training staff to recognize spear‑phishing and malicious attachments.
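The DLP rule in the data‑exfiltration item can be sketched as follows. This is an added example, not code from the article or from any DLP product: the event tuple layout, the threshold of 5, the simplified address pattern and all sample records are assumptions constructed for illustration. It counts distinct SSNs and street addresses per user and destination across transfers, so an export split into small pieces is still flagged.

```python
import re
from collections import defaultdict

# SSN-shaped token; lookarounds stop it matching inside longer digit runs.
SSN_RE = re.compile(r"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")
# Simplified US street address: house number, 1-3 capitalised words, suffix.
ADDR_RE = re.compile(r"\b\d{1,5}\s+(?:[A-Z][a-z]+\s+){1,3}(?:St|Ave|Rd|Blvd|Dr|Ln)\b")


def valid_ssn(area, group, serial):
    """Drop number ranges that are never issued, to cut false positives."""
    return not (area in ("000", "666") or area >= "900"
                or group == "00" or serial == "0000")


def flag_bulk_exports(events, threshold=5):
    """Return {(user, dest): distinct identifier count} for flows >= threshold.

    Identifiers are de-duplicated and summed across all events of a flow,
    so several small transfers add up to one bulk export.
    """
    seen = defaultdict(set)
    for user, dest, payload in events:
        for m in SSN_RE.finditer(payload):
            if valid_ssn(*m.groups()):
                seen[(user, dest)].add(("ssn", m.group(0)))
        for addr in ADDR_RE.findall(payload):
            seen[(user, dest)].add(("addr", addr))
    return {flow: len(ids) for flow, ids in seen.items() if len(ids) >= threshold}


# Constructed sample egress records: (user, destination, payload).
EVENTS = [
    ("svc-backup", "files.example.net",
     "Ann Lee,123-45-6701,12 Oak St\nBo Ray,123-45-6702,9 Elm Ave"),
    ("svc-backup", "files.example.net",
     "Cy Fox,123-45-6703,77 Pine Rd\nDi Orr,123-45-6704,5 Lake Dr"),
    ("hr-anna", "payroll.example.com", "Update for 123-45-6701 at 12 Oak St"),
    # Look-alikes that must not count: invalid areas and a longer order number.
    ("dev-tom", "tracker.example.org",
     "ticket 000-12-3456 ref 987-65-4321 order 1234-56-7890"),
]

if __name__ == "__main__":
    for (user, dest), count in flag_bulk_exports(EVENTS).items():
        print(f"ALERT {user} -> {dest}: {count} distinct personal identifiers")
```

Each `svc-backup` transfer carries only four identifiers and would pass a per-message check; the alert comes from the aggregate of eight.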

Looking Ahead

Watch for the FBI’s Q2 release, which will detail whether the trend of physical threats continues to rise and how emerging ransomware‑as‑a‑service models may further blur the line between cyber and real‑world violence.
