Crypto: Ransomware attacks to jump 50% in 2025, ransoms to decrease

One might think that “more attacks” = “more money”. In 2025, reality has changed. According to Chainalysis, ransomware groups have multiplied breaches (almost 8,000 leaks, +50% YoY), but on-chain payouts have reportedly fallen to around $820M (≈ -8%). In other words: they are more active… for a less generous harvest.

An industry that focuses on volume (and smaller targets)

The biggest change is not “technical”. It has to do with business. Chainalysis describes the shift: less flashy attacks against giants, more serial attacks against SMEs/ETIs. The idea is simple: a small structure has less time, less proper deposits, less lawyers… so it “pays fast”.

This trend says something pretty cool: ransomware is increasingly resembling a production line. The goal is not necessarily the jackpot. It’s a steady cash flow. And when the “big guys” refuse to pay, the machine targets the more vulnerable victims.

Even specialist observers agree: Corsin Camichel (eCrime.ch) talks about a structural crypto shift towards less “major” breaches, but more numerous ones. It’s not a detail. It’s a strategy.

Why Ransoms Are Falling Despite the Explosion of Crypto Attacks

The first explanation: pressure. Chainalysis highlights regulatory oversight, anti-money laundering crackdowns and, in particular, a very human thing: more organizations refusing to pay. As the collection probability drops, the model weakens.

The second important nuance: “on-chain” data is often revised. The chain analysis reminds that the allocated amounts may increase over the months as new addresses and flows are identified (as was the case in 2024). So “$820 million” isn’t a truth set in stone: it’s a T-era snapshot.

A third, more paradoxical point: the report also notes that the median ransom has reportedly increased significantly (almost $60,000, +368% year-over-year). Translation: fewer payments (or fewer large payments), but when they do pay… it can sting. Blackmail economy, rarer and more expensive.

“Discount” approach + AI: formula for easier attack

Where the system becomes worrisome is upstream. The “access price” for a victim, sold on dark markets through access brokers, has reportedly dropped from around $1,427 in early 2023 to $439 in early 2026. When entry costs less, more people try their luck.

And while ransomware is being tracked, the Crypto ecosystem is also using something else: social engineering. CertiK estimates that around $370.3 million was stolen through exploits and fraud in January 2026, including $311.3 million attributed to phishing. It’s the same logic as ransomware: industrialization of access and quick monetization.

Chainalysis talks about a flooded market: cheap tools, multiple strains of ransomware, and especially infostealer protocols that reduce the work needed to launch an attack. Add AI blocks to automate bait writing, login sorting or personalization… and you get a mechanical increase in “operating yield”. And at the same time, Chainalysis also observes an 85% increase in the use of cryptocurrencies in human trafficking networks, a sign that the same “rails” serve many crimes.

Lydia M.

Lydia, a teacher and IT engineer, discovers Bitcoin in 2022 and dives into the world of cryptocurrencies. It popularizes complex topics, deciphers Web3 challenges and defends the vision of an open, inclusive and decentralized digital future.

DISCLAIMER OF LIABILITY

The views, thoughts and opinions expressed in this article are solely those of the author and should not be taken as investment advice. Before making any investment decision, do your own research.