• 1.15 million alerts sent in relation to online data exposure on the dark web and 33,700 on the open web in the first half of 2025. 
  • Italy ranked 6th in the world for compromised e-mail addresses, with 36.4% of users receiving at least one alert, of which 86.7% were related to data found on the dark web. The regions in Italy most affected were Lazio, Lombardy, Sicily, and Campania.
  • Criminals are constantly devising new, more sophisticated scams, such as likejacking and fake QR codes.

 

In the first half of 2025, approximately 1.2 million alerts were issued concerning the exposure of personal data online, highlighting the growing prevalence of this issue and the challenges users face in protecting themselves against attacks such as phishing1, smishing2, vishing3, spear phishing4, and infostealers5, which can compromise devices without the victim noticing.

Most alerts were related to the dark web, totaling 1.15 million, confirming that the dark web continues to be the primary channel for data exposure. However, the increase in public web alerts is concerning, reaching 33,700 alerts—a 43% rise compared to the second half of 2024.

More specifically, the most commonly detected information on the open web included e-mail addresses, tax codes, and phone numbers. Although the regulatory framework for privacy has been strengthened to protect users, some personal data remains exposed on the public web. At the same time, the increasing threats on the dark web demand even more rigorous and informed protection of digital information. 

These are some of the findings from the CRIF Cyber Observatory, which examines the vulnerability of users and companies to cyber-attacks. It highlights the key trends regarding data shared on both the dark web and the open web. 

Italy is certainly not immune to threats from cybercriminals, ranking 6th in the world for compromised e-mail addresses circulating on the dark web. In addition, Italy ranks 22nd in the world for the number of credit card details in circulation and is 16th in Europe for phone numbers, which are crucial in many online scams, including smishing.

 

Criminals are constantly coming up with even more sophisticated scams

According to the Cyber Observatory, cyber-attacks are becoming increasingly sophisticated, and new scams are emerging that exploit users’ digital habits to target them even more effectively. One of the most deceptive scams is the fake QR code, which is often placed on parking meters or in other public areas. Once scanned, they redirect users to malicious sites that mimic official ones in order to steal personal information or make fraudulent payments.

Likejacking is also common, taking place through social media and messaging apps, where it promises easy money in exchange for online interactions. To protect yourself, it's important to verify the authenticity of websites, avoid suspicious QR codes, and regularly monitor your banking transactions. 

“Data from the first half of 2025 shows a troubling shift in digital threats: Attacks are becoming more sophisticated and are leveraging AI-based tools to launch targeted, credible campaigns. Criminals are using techniques such as deepfakes, vishing, and AI-generated malware to create hyper-realistic content and personalized lures that are hard to detect and counter. This makes the adoption of advanced security tools and the constant monitoring of personal data on the dark web even more urgent”, commented Beatrice Rubini, Executive Director of CRIF’s Mister Credit line. She continues, “A real-life example is the recent attack on several Italian hotels, where the identity documents of guests were stolen and sold on dark web forums. This information could be used for targeted fraud and identity theft, resulting in serious consequences for victims. Cases like this show how important it is to strengthen security in the most exposed sectors and to raise users’ awareness of the risks.”

 

Data combinations most exposed to fraud

Personal data serves as a gateway to digital identities; once compromised, it can be exploited for a wide range of attacks. For example, e-mail addresses and phone numbers are frequently used in bulk, personalized phishing campaigns, in which messages appear credible precisely because they were created using actual user information, making it more likely that recipients will click on malicious links.

Analyzing the main combinations of exposed data, it can be seen that, in the first half of 2025, the combination of e-mail address and password was the most frequent, occurring in 91.7% of cases, with the password-username combination occurring in 84.9% of cases. Phone numbers are another prime target for cybercriminals: they are associated with an e-mail address in 41.1% of cases, and with the person’s first and last name in 38.2% of cases. Finally, the combination of credit card number with security code and expiration date was detected in 42.1% of cases, a significant figure. This has grown by +11.9%, an extremely worrying figure in terms of the risk of financial fraud, highlighting the importance of implementing protective measures such as two-factor authentication (2FA).

Personal information, when combined with each other, allows cybercriminals to build detailed profiles of individuals, increasing the effectiveness of social engineering attacks. Contact details, in particular, can be exploited to commit targeted fraud such as spear phishing, a form of phishing that is highly personalized and therefore more difficult to detect. A particularly damaging example includes Business E-Mail Compromise (BEC) attacks, or the so-called “CEO Scam”, where criminals pretend to be top-level corporate figures to trick employees into transferring funds or sharing confidential information.

Key combinations of data exposed to fraud on the dark web H1 2025  Variation vs H2 2024
E-mail + Password 91.7% +15.6%
Username + Password 84.9% +6.5%
Credit Card Number + Security Code and Expiration Date   42.1% +11.9%
Phone number + E-mail 41.1% -38.7%
Full address + Phone Number 38.2% -25.4%
Full address + Phone Number 22.6% -44.4%
Full address + E-mail 21.8% -21.0%

Source: CRIF Cyber Observatory

 

Most frequent types of accounts on the dark web

A qualitative analysis of the contexts in which this information circulates revealed that, excluding e-mail services, usernames found on the dark web were primarily linked to service accounts, such as job portals and online news outlets, which account for the largest share at 42.0%. This is followed by accounts related to the most popular social networks (17.5%), and websites (12.9%). In fourth and fifth places are account theft related to financial services (8.8%) and public sector bodies or institutions (6.3%), while e-commerce sites fell to sixth place (3.9%).  

Most frequent types of accounts found on the dark web H1 2025 Variation vs H2 2024
Services (job portals and online news outlets) 42.0% +18.0%
Social Networks 17.5% -35.5%
Internet sites 12.9% +30.9%
Financial services 8.8% +100.0%
Public sector bodies / institutions 6.3% -23.8%
E-commerce platforms 3.9% -52.0%
Gaming 2.7% -44.2%
Dating 2.0% +100.0%
Streaming services 1.1% -65.1%

Source: CRIF Cyber Observatory

Stolen credentials are exploited for a wide variety of criminal purposes, including unauthorized access to victims’ accounts, unlawful use of services, sending fraudulent money requests or phishing links, and spreading malware or ransomware to extort or steal money. 

Even for this type of data theft, we can say that the “human factor” plays a significant role, i.e., user inattention is one of the most common causes, as well as weak passwords or use of the same passwords for multiple accounts.

Through a qualitative analysis of the domains of e-mail accounts exposed on the dark web, the Observatory found that in 90.2% of cases they were personal e-mail accounts, while the remaining 9.8% of cases were business accounts. This increasing trend seems to confirm that, on the one hand, individuals still don’t pay enough attention to online security, making them prime targets for hackers. On the other hand, the growth of exposed business accounts suggests that companies are increasingly becoming targets for cyber-attacks.

 

Focus on Italy

Looking specifically at Italy, there has been an increase in alerts sent related to the open web. However, most of them continue to concern the theft of data monitored on the dark web. Overall, 36.4% of users received at least one alert in the first half of 2025, 86.7% of which referred to data detected on the dark web, while only 13.5% related to data on the open web.

Among Italian consumers alerted by CRIF’s protection services, the most affected age group was 51-60 year olds (26.7%), followed by the 41-50 age group (25.6%), tied with the over 60s (25.6%). Men account for the majority of users sent an alert (64.8%).

The Italian regions in which most people were sent alerts were Lazio (17.1%), Lombardy (14.7%), Sicily (9.3%), and Campania (7.9%). However, when considering the population size, the highest proportion of alerts were received by those living in Molise, Piedmont, Umbria, and Aosta Valley. 

In the first half of 2025, the most commonly identified data on the open web, in other words, publicly accessible information, was e-mail addresses (51.6%) and tax codes (43.8%). These were followed in much lower numbers by phone numbers (2.2%), usernames (1.3%), and addresses (1%). Although they account for a small share (0.1%), it is interesting to note that several IBANs were also found. On the dark web, on the other hand, the information most often detected in the first half of 2025 was e-mail credentials, followed by phone numbers, tax codes, e-mail domains, and credit card details.

“In a world where AI has become a powerful weapon in the hands of cybercriminals, digital education remains a strategic prevention tool. For several years, we have been implementing awareness-raising initiatives, such as the Cyberninja game to raise awareness about phishing, and the short film Il Furto (The Theft), which addresses the consequences of identity theft. Now more than ever, it is essential to foster a cybersecurity culture that actively engages every individual and business. In this context, the new anti-spoofing rules introduced by AGCOM mark an important step: they require operators to block international calls that spoof Italian numbers, countering one of the most sophisticated forms of phone fraud”, concluded Beatrice Rubini.

 

1 Phishing: Cyber fraud aimed at stealing personal information through deceptive e-mails.
2 Smishing: Cyber fraud through SMS or messaging apps such as WhatsApp.
3 Vishing (voice phishing): A cyber scam that uses phone calls or voice messages to steal personal data.
4 Spear phishing: A cyber scam that uses personalized messages to steal information from targeted victims.
5 Infostealer: Malware designed to automatically steal confidential information from infected devices.