New research shows a 1,500% surge in AI-related illicit activity, 3.3 billion compromised credentials fueling identity-based attacks, and ransomware pivoting to pure-play identity extortion.

WASHINGTON, March 11, 2026 /PRNewswire-PRWeb/ -- Flashpoint, the global leader in threat intelligence, today announced the release of its 2026 Global Threat Intelligence Report (GTIR), providing security leaders, from threat intelligence and vulnerability management teams to physical security professionals and the CISO's office, with a proprietary, data-driven, ground-truth view of the converging threats defining today's hybrid risk environment.

Powered by Flashpoint's Primary Source Collection (PSC), the 2026 GTIR reveals a sharp rise in AI-related discussions, signaling a rapid shift from criminal curiosity to the active development of malicious agentic frameworks. At the same time, the mechanics of cybercrime have shifted from breaking in to logging in, as attackers leverage stolen session cookies to operate as legitimate users. As technical defenses against encryption harden, ransomware groups are pivoting to the path of least resistance: human trust and identity compromise. Meanwhile, the patching window continues to collapse, with mass exploitation of zero-day vulnerabilities occurring in as little as 24 hours after discovery.

"In 2026, cybercrime has reached a point of total convergence, where the silos that once separated malware, identity, and infrastructure have consolidated into a single, high-velocity threat engine — that agentic AI is rapidly transforming from human-led campaigns to machine-speed operations," said Josh Lefkowitz, Co-Founder and CEO of Flashpoint. "As attackers automate exploitation of identity, vulnerabilities, and ransomware, defenders who rely on fragmented visibility will fall behind. To keep pace, organizations must ground their decisions in primary-source intelligence that is drawn from adversarial environments, so that decision-makers can get ahead of this accelerating threat cycle."

Cybercrime Has Entered the Era of Total Convergence

Between late 2025 and early 2026, adversaries rapidly accelerated adoption of agentic AI frameworks capable of orchestrating autonomous attack chains — automating reconnaissance, phishing generation, credential testing, and infrastructure rotation all without direct human control. This dramatically lowers the cost of experimentation and increases the speed of exploitation.

The 2026 GTIR identifies four converging forces reshaping the global threat landscape:

Agentic AI Operationalization — Autonomous systems capable of executing end-to-end attack chains at machine speed, increasing both the volume and intensity of cybercrime

Identity as the Primary Exploit Vector — Billions of compromised credentials fueling credential-based intrusions beyond the boundaries of organizational oversight and control

Compression of the Exploitation Window — Vulnerabilities weaponized within hours of disclosure before organizations can understand their exposures or begin to respond

The Evolution of Extortion — Ransomware shifting toward identity-driven and insider-enabled models, enhancing its effectiveness

Together, these dynamics form a single, high-velocity threat ecosystem where automation, identity compromise, and vulnerability exploitation reinforce one another.

AI-Related Illicit Activity Surged 1,500% in a Single Month

Flashpoint identified a 1,500% rise in AI-related illicit discussions between November and December 2025, from 362,000 mentions to more than 6 million, signaling a rapid transition from experimentation to operationalized malicious AI frameworks.

Threat actors are actively developing autonomous systems capable of scraping data, rotating infrastructure, adjusting messaging, and learning from failed attempts without continuous human oversight. These agentic systems dramatically increase iteration speed and reduce operational friction for attackers.

Identity Has Become the Primary Exploit Vector

Flashpoint observed over 11.1 million machines infected with infostealers in 2025, generating an inventory of 3.3 billion compromised credentials and cloud tokens.

As a result, the mechanics of cybercrime have shifted from "breaking in" to "logging in." Attackers now leverage stolen session cookies, tokens, and legitimate credentials to bypass traditional security perimeters entirely, turning digital identity into the connective tissue of modern exploitation. The reality of identity data and the potential for its automation necessitate a shift in how organizations view their attack surface. Infostealers have shown that the attack surface is no longer limited to corporate infrastructure; it now includes employee browsers, personal devices, SaaS platforms, and third-party access.

The Window Between Vulnerability Disclosure and Exploitation Is Vanishing

Vulnerability disclosures increased by 12% year-over-year, with one-third (33%) of disclosed vulnerabilities having publicly available exploit code.

Several high-impact vulnerabilities were mass exploited within hours of disclosure, compressing remediation timelines and raising the stakes for exposure management. In this environment, organizations cannot rely solely on reactive patching cycles; they must incorporate early-warning intelligence to anticipate weaponization trends.

Ransomware Is Pivoting Toward Pure-Play Identity Extortion

Ransomware incidents rose by 53% in 2025, with RaaS groups responsible for more than 87% of attacks.

Rather than relying exclusively on encryption payloads, threat actors are increasingly targeting identity and human trust by recruiting malicious insiders, abusing authorized access, and leveraging credential theft to extort organizations without deploying traditional ransomware binaries.

What Security Leaders Will Gain from the 2026 GTIR

The 2026 Global Threat Intelligence Report delivers:

Deep analysis of the convergence between AI and identity-driven attacks

Intelligence on the professionalization and franchise model of modern extortion ecosystems

Data-driven insights to strengthen vulnerability prioritization and exposure management

Strategic guidance for operationalizing primary-source intelligence

Recommendations for defending against machine-speed attack chains

The full 2026 Global Threat Intelligence Report is available here.

Frequently Asked Questions (FAQ)

What is Flashpoint's 2026 Global Threat Intelligence Report (GTIR)?

The 2026 GTIR is Flashpoint's flagship annual research report analyzing global cybercrime, identity exploitation, ransomware trends, vulnerability acceleration, and AI-driven attack evolution. It is powered by Flashpoint's Primary Source Collection, which collects data directly from original sources, driven by an organization's unique requirements.

Who should read the 2026 GTIR?

The report is designed for CISOs, threat intelligence teams, vulnerability management leaders, fraud and risk teams, and executive decision-makers seeking a strategic view of converged cyber and hybrid threats.

What makes this report different from other threat reports?

Unlike reports based solely on telemetry, surveys, or post-incident analysis, the 2026 GTIR is powered by Flashpoint's Primary Source Collection to gather intelligence directly from Deep and Dark Web forums, illicit marketplaces, encrypted channels, and threat actor–linked infrastructure and ecosystems.

This enables early visibility into emerging tactics, tools, and operational models, often before they are widely weaponized.

What actionable guidance does the report provide?

Beyond trend analysis, the 2026 GTIR delivers:

A blueprint for defending against autonomous attack chains

Strategic recommendations for intelligence-led exposure management

Insights into prioritizing identity protection and credential monitoring

Guidance for integrating primary-source intelligence into decision workflows

How can organizations use this report internally?

Security leaders can use the GTIR to:

Benchmark their threat posture against emerging adversary tradecraft

Brief executive stakeholders on evolving risk dynamics

Refine vulnerability prioritization strategies

Reevaluate identity protection and insider threat controls

Align intelligence programs to machine-speed threat realities

How does Flashpoint help organizations respond?

Flashpoint delivers primary-source intelligence, expert-led analysis, and operationally relevant insights through the Flashpoint Ignite platform, enabling organizations to detect, prioritize, and mitigate threats across cyber, fraud, vulnerability, and geopolitical domains.

About Flashpoint

Flashpoint is the leader and largest private provider of threat data and intelligence. We empower mission-critical businesses and governments worldwide to decisively confront complex security challenges, reduce risk, and improve operational resilience amid fast-evolving threats. Powered by Flashpoint Primary Source Collection, our proprietary approach to collecting intelligence directly from the digital spaces where threats originate, the Flashpoint Ignite platform delivers unmatched depth, speed, and relevance from open and hard-to-reach sources, enriched by human expertise and scaled by AI. Our solutions span cyber threat intelligence, vulnerability intelligence, geopolitical risk, physical security, fraud, and brand protection. The result: our customers safeguard critical assets, avoid financial loss, and protect lives. Discover more at flashpoint.io.

