Crypto : Ransomware attacks jump 50% in 2025, but ransoms decline
One might think that “more attacks” = “more money.” In 2025, reality took a twist. According to Chainalysis, ransomware groups have multiplied breaches (nearly 8,000 leak events, +50% year on year), but on-chain payments reportedly fell to around $820M (≈ -8%). In other words: they are more active… for a less generous harvest.
In brief
- In 2025, ransomware attacks climb 50% while on-chain ransoms drop overall.
- Under regulatory pressure, groups mainly target SMEs because they pay quickly, often still.
- Cheaper victim access, infostealers and AI automate, massively multiplying intrusions and phishing.
An industry that focuses on volume (and smaller targets)
The biggest change isn’t “technical.” It’s business-related. Chainalysis describes a shift: fewer spectacular strikes against giants, more serial attacks against SMEs/ETIs. The idea is simple: a small structure has less time, fewer proper backups, fewer lawyers… so it “pays quickly.”
This trend says something quite cold: ransomware increasingly resembles a production line. The goal isn’t necessarily the jackpot. It’s a steady cash flow. And when the “big” ones refuse to pay, the machine targets more vulnerable victims.
Even specialized observers agree: Corsin Camichel (eCrime.ch) talks about a structural crypto shift towards less “headline” intrusions but more numerous ones. It’s not a detail. It’s a strategy.
Why ransoms decline despite crypto attacks explosion
First explanation: pressure. Chainalysis highlights regulatory surveillance, crackdown actions targeting laundering rails, and especially a very human thing: more organizations refusing to pay. When the probability of collecting drops, the model weakens.
Second important nuance: “on-chain” figures are often revised. Chainalysis reminds that the amounts attributed can increase over months, as new addresses and flows are identified (as happened for 2024). So “$820M” isn’t a truth carved in stone: it’s a snapshot at time T.
Third, more paradoxical point: the report also notes that the median ransom reportedly rose significantly (nearly $60,000, +368% year on year). Translation: fewer payments (or fewer large payments), but when they pay… it can sting. An extortion economy, rarer and pricier.
“Discount” access + AI: the formula for an easier attack
Where the system becomes worrying is upstream. The “access price” to a victim, sold on dark markets via access brokers, reportedly dropped from around $1,427 in early 2023 to $439 in early 2026. When entry costs less, more people try their luck.
And while ransomware is watched, the Crypto ecosystem also takes hits from something else: social engineering. CertiK estimates that in January 2026, around $370.3M were stolen via exploits and scams, including $311.3M attributed to phishing. It’s the same logic as ransomware: industrializing access, then monetizing fast.
Chainalysis talks about a flooded market: cheap tools, multiple ransomware strains, and especially infostealer logs that reduce the work needed to start an attack. Add AI blocks to automate lure writing, sorting credentials, or personalization… and you get a mechanical rise in “operational yield.” And at the same time, Chainalysis also observes an 85% increase in crypto use in trafficking networks, a sign these same “rails” serve multiple crimes.
Maximize your Cointribune experience with our "Read to Earn" program! For every article you read, earn points and access exclusive rewards. Sign up now and start earning benefits.
Enseignante et ingénieure IT, Lydie découvre le Bitcoin en 2022 et plonge dans l’univers des cryptomonnaies. Elle vulgarise des sujets complexes, décrypte les enjeux du Web3 et défend une vision d’un futur numérique ouvert, inclusif et décentralisé.
The views, thoughts, and opinions expressed in this article belong solely to the author, and should not be taken as investment advice. Do your own research before taking any investment decisions.