X-Force Threat Intelligence Index 2025 highlights attackers steal, and sell, user identities at scale

Authors

Chris Caridi

Strategic Threat Analyst

IBM X-Force

The IBM X-Force Threat Intelligence Index is the culmination of knowledge and insights derived from dozens of expert analysts across IBM’s security teams. Each year, we look back and review the threats and actions that make up the threat landscape across all major industries and regions. Our intention is to provide insights that will allow clients and security professionals to better understand the threats they face. Armed with this knowledge, effective security measures can be put in place. Among the multiple noteworthy findings in this year’s report, three trends rose to the top, and we encourage our readers to observe the following:

  • Attackers continue to “log in” after abusing user identities with credential attacks
  • Critical infrastructure organizations are falling victim to vulnerability exploitation
  • The intersection of cybersecurity and AI technology is on the horizon

Credentials as a commodity

Occurring in 30% of cases, the abuse of user identities remained the preferred entry point for attackers in 2024. A surge in phishing emails delivering infostealer malware and conducting credential phishing is fueling this trend and may be attributed to attackers leveraging AI to scale distribution. With nearly one in three incidents resulting in credential theft, there is no end in sight for identity abuse.

Making matters worse is the thriving dark web market that trades in stolen credentials. Analysis indicates that there was a 12% increase in infostealer credentials for sale on the dark web compared to the same time last year. In 2024, the top five infostealers alone had more than 8 million advertisements on the dark web. With each listing having the potential to contain hundreds of credentials, the true number is undoubtedly much higher.

Critical infrastructure vulnerabilities

Last year, 70% of the attacks that X-Force responded to involved an organization in the critical infrastructure sector. In more than one-quarter of these cases, attackers successfully exploited a vulnerability to gain access to the victim’s infrastructure.

This highlights the continued patching challenges that are plaguing critical system operations. Once compromised, attackers deployed malware in 40% of cases, with ransomware being the malware of choice in nearly one-third of the incidents. Of all industries, inside and outside the critical infrastructure space, manufacturing remains the top target, accounting for 26% of incidents. As highlighted in our previous analysis, manufacturing organizations experience the highest number of ransomware cases, as the ROI for encryption holds strong due to the sector's low tolerance for downtime.

Evolving threats and AI

While large-scale attacks on AI technologies haven’t materialized yet, security researchers are racing to stay ahead, identifying and fixing vulnerabilities before threat actors can exploit them. Issues like the remote code execution vulnerability that X-Force found in a framework for building AI agents will become more frequent, and where weaknesses exist, attackers will follow. The use of publicly available AI tools to improve production and automate tasks such as coding and email writing has also been documented by X-Force.

With adoption set to soar this year, so will the incentives for adversaries to develop specialized attack toolkits targeting AI.

Learn more in the X-Force Threat Intelligence Index

The X-Force Threat Intelligence Index offers our unique insights into the 2024 cybersecurity landscape to IBM clients, researchers in the security industry, policymakers, the media and the broader community of security professionals and business leaders.

Discover more in the report about the threat landscape and the latest cybersecurity trends:

  • Analysis of the top initial access vectors, top attacker actions on objective and top impacts on organizations
  • Geographic and industry trends
  • Recommendations on how organizations should respond and where to start

Download the report and register for the webinar for a panel discussion with Kevin Albano, Associate Partner of IBM X-Force, Limor Kessem, Cyber Crisis Management Global Lead for IBM X-Force and Mohit Goyal, Product Manager for Red Hat Insights. They’ll offer a detailed explanation of the findings and what they mean for organizations defending against these evolving threats.
