Online data theft: growth in the number (+5.8%) and average severity (+22%) of alerts on the dark web in 2025

• Over 2,200,000 reports submitted on data exposure on the dark web
• Iran jumps from 124th to 3rd position in the global ranking of compromised e-mail addresses, while Italy ranks 6th with 51.8% of users receiving at least one alert in 2025
• AI is making cyberattacks more sophisticated, with omnichannel phishing emerging as a key threat
• Compromised business accounts grew by 12.7%, accounting for almost 10% of the total

Bologna, March XX, 2026 – In 2025, the cyber threat ecosystem underwent a profound transformation, driven by new geopolitical scenarios, increasingly automated attack techniques, and the enrichment of data exchanged on both the dark web and open web. Compared to the previous year, the number of reports sent relating to data exposure on the dark web increased by 5.8%, reaching more than 2,200,000 alerts. For the open web, on the other hand, the number of reports related to data exposure stood at 55,000, down 6.6% compared to 2024.
On the dark web, more complete information than in 2024 was detected, resulting in an increase in the average severity of alerts (+22%). This increase is due in particular to the identification of more complex and dangerous data combinations, which increasingly associate e-mail addresses with passwords and specific details of compromised accounts.

These are some of the findings from the CRIF Cyber Observatory, which examines the vulnerability of users and companies to cyberattacks. It highlights the key trends regarding data shared on both the dark web and open web. 

The shift in the global geopolitical scenario is also reflected in the growth of cyber threats: a case in point is Iran, which went from 124th to 3rd place in the world ranking of compromised e-mail addresses. In this context, Italy is particularly exposed to the threats of cybercriminals, ranking 6th in the global ranking for compromised e-mail addresses circulated on the dark web and 23rd in the ranking for the amount of credit card data in circulation. In addition, Italy ranks 17th in Europe for phone number exposure—a key element in many online scams.

The Impact of AI on Cybercrime

The Observatory paints a picture in which cyberattacks are not only growing, but are becoming increasingly difficult to detect and mitigate owing to the availability of an unprecedented amount of data and increasingly sophisticated attack techniques. Smishing¹ campaigns are among the fastest‑growing threats, and in Italy these have become especially convincing: from fake messages about unpaid road tolls to bogus notifications of parcel delivery issues, all designed to steal personal data and payment information. At the same time, phishing², vishing³, and spear phishing⁴ have become more deceptive thanks to AI, which generates flawless e-mails and audio-video deepfakes, favoring structured approaches such as omnichannel phishing, which combines multiple channels to increase the credibility of fraud attempts. The risk of account takeovers⁵ is rising as attackers pair stolen credentials with highly tailored social‑engineering tactics. Completing the picture is the growing spread of stealer‑as‑a‑service⁶ malware, capable of harvesting complete, highly valuable information packages for the criminal market, putting users at serious risk.

The increasing sophistication of cybercriminal strategies, powered by AI, fuels the circulation of highly detailed data combinations on the dark web, which increasingly include business-related information. Indeed, although qualitative analysis of domains associated with e-mail accounts exposed on the dark web shows a clear prevalence of personal addresses (90.2% of the total), compromised business accounts increased by 12.7% in 2025 (9.8% of the total). This trend suggests, on the one hand, that private users continue to provide inadequate protection for their digital data and, on the other, that businesses, even though they are equipped with increasingly advanced controls, remain vulnerable and are therefore increasingly targeted.

“The cyber threat landscape is continuing to evolve rapidly, and in 2025 we saw the emergence of new technologies and players, with AI-powered phishing attacks and highly personalized content that deceive victims with unprecedented precision. But 2025 highlighted another issue very clearly: companies are becoming increasingly vulnerable and attractive targets. Much more comprehensive datasets are circulating on the dark web that include, in addition to personal information, professional credentials and business account details. These datasets allow targeted attacks against business processes and operating platforms, transforming any compromised credentials into a potential entry point into an organization’s systems,” commented Beatrice Rubini, Executive Director of the CRIF Mister Credit line. She continued, “It’s still vital to protect your own data and pay attention to what you share, but this isn’t enough. Nowadays, it’s essential to recognize the new attack techniques enabled by AI, such as e-mails generated by advanced language models, audio and video deepfakes, and increasingly compelling multi-channel phishing campaigns.”

Data Combinations Most Exposed to Fraud

The most widespread and vulnerable types of data on the dark web are, in order of importance: passwords, e-mail addresses, usernames, residential addresses, first names and last names. Phone numbers, personal ID numbers, and credit card details are also commonly exposed and at risk of being compromised.

Looking at the main combinations of exposed data, it can be seen that, in 2025, the combination of full credit card numbers with first and last names is detected in 94.2% of cases, which is particularly worrying due to the serious risk of financial fraud. The combination of e-mail address and password remains extremely common, with the password found with the e-mail address in 91.5% of cases, and in 85.2% of cases it is also associated with the username. The combination of username and password is primarily linked to corporate accounts, highlighting potential vulnerabilities for businesses. This data confirms that account theft continues to be a priority for hackers, underlining the importance of adopting secure password management practices, such as the use of unique credentials, regular updates, and the use of password managers.

A complete residential address is also very attractive for cybercriminals, associated with a telephone number in 44.5% of cases. In addition, the increasing incidence of passport number circulation along with first and last names (64.6%) and, albeit to a slightly lesser extent, along with the full address (57.5%), increases the risk of identity theft, impersonation, and advanced profiling scenarios.

Source: CRIF Cyber Observatory

Most Frequent Types of Accounts on the Dark Web

A qualitative analysis of the contexts in which this information circulates revealed that, excluding e-mail services, usernames found on the dark web were primarily linked to online services, which account for the largest share (53.7%). This is followed by accounts related to the most popular social networks (15%) and websites (10.4%). In fourth place is theft of gaming accounts (5.9%), with a growth of 22.9%, followed by public sector or institutional accounts (5.2%), while e-commerce sites fell to sixth place (5%).
  

Source: CRIF Cyber Observatory

Stolen credentials can be used for a variety of purposes, such as to hack victims’ accounts, fraudulently use services, send messages with money requests or phishing links, or spread malware or ransomware to extort or steal money. In this scenario, the “human factor” continues to play a crucial role in this type of data theft: user carelessness and the use of weak or reused passwords are among the most common causes.

In addition to this trend, there is a growing prevalence of account takeover (ATO) attacks, which affect not only more traditional accounts, but also messaging services such as WhatsApp. Furthermore, certain account types—such as social networks, streaming platforms, and gaming platforms—are also exposed to the tendency of users to provide their credentials to seemingly harmless services that offer freebies or additional features, but often turn out to be tools for collecting credentials.

Countries Most Affected by Data Theft

In terms of the countries most affected by online e-mail and password theft, the USA is in top spot, followed by Russia, Germany, and France. Italy ranks 6th, ahead of the UK. The increase in Iranian accounts can be attributed in large part to geopolitical tensions in the Middle East, with government agencies particularly targeted.

With regard to the illicit exchange of credit card details, Russia continues to be the most affected country, followed by India and the USA, while Italy ranks 23rd in the global ranking.

The ranking of continents most affected by the exchange of stolen credit card details puts Europe first (78.3%), with a significant increase from 2024 (+32.1%), followed by Asia (13.1%) and North America (5.7%).

Source: CRIF Cyber Observatory

Focus on Italy

According to the CRIF Cyber Observatory, hacker activities continued to pose a significant threat in 2025, with a 4.6% increase in the number of consumers alerted to data on the dark web. Overall, 51.8% of Italian users received at least one alert, 85.6% of which referred to data detected on the dark web, while only 14.4% related to data on the open web.

Among Italian consumers alerted by CRIF’s protection services, the most affected age group was 51-60 year olds (26.8%), followed by the 41-50 age group (25.3%), and the over 60s (25.2%). Men account for the majority of users sent an alert (64.6%).

The regions with the highest number of alerts are Lazio (16.3%), Lombardy (15.2%), and Sicily (9.7%). However, analyzing the data in proportion to the population, Sardinia, Umbria, Lazio, Calabria, and Friuli-Venezia Giulia emerge as the areas with the highest incidence of alerts. Geographically, the South (31.8%) and the Center (26.2%) have the highest number of alerts, but proportionately it is the inhabitants of the Northwest and the Center who receive the most alerts.

In 2025, the most commonly identified data on the open web, in other words, publicly accessible information, was e-mail addresses (48.6%) and tax codes (42.2%). These were followed in much lower numbers by phone numbers (4.2%), addresses (3.3%), and usernames (1.6%). On the dark web, it was e-mail credentials that were most detected, followed by phone numbers, while the third place was tax codes, which are particularly risky, facilitating identity theft and fraud with financial impacts. In 2025, a large number of tax codes were detected in high‑risk environments, grouped by victims’ age, gender, and geographical location.

“In a context marked by geopolitical tensions and increasingly automated cyberattacks, preventive security measures and rapid responses are vital to protect people, businesses, critical infrastructure, and institutions from targeted threats. At CRIF, we continue to raise users’ awareness of these evolving risks, encouraging them to safeguard their personal data and stay up to date on new types of online scams, because a lack of awareness remains the most exploited element by attackers,” concluded Beatrice Rubini, Executive Director of CRIF.

¹Smishing: Cyber fraud through SMS or messaging apps such as WhatsApp.
²Phishing: Cyber fraud aimed at stealing personal information through deceptive e-mails.
³Vishing (voice phishing): A cyber scam that uses phone calls or voice messages to steal personal data.
⁴Spear phishing: A cyber scam that uses personalized messages to steal information from targeted victims.
⁵Account takeover: Unauthorized access to a digital account to gain control or steal data.
⁶Stealer-as-a-service: Malware to steal information, such as credentials and financial data.