Industrialized cybercrime drives explosion of cyber-extortion
Since 2020, the number of victims of Cy-X has tripled, rising by 44.5% in 2025 worldwide. Small and medium-sized businesses (1-249 employees) suffer two-thirds of attacks, with significant growth in Europe (+91% in Germany, +54% in France). Cy-X extortion is going global, with 35 new countries added to the Security Navigator study this year. The number of victims is increasing, particularly in Africa (+47%), Latin America (+60%) and Asia (+82%), and is impacting critical sectors: +69% in healthcare, +71% in finance and insurance and also distribution (+80%), for example.
The fragmentation of the cybercrime landscape is accelerating. The dissolution of groups such as LockBit or Black Basta has given way to a multitude of players, each operating on a comparable scale. The list of active malicious actors has almost tripled, from 33 to 89.
Cybercrime had been professionalized, but now it has become industrialized, based on a “Crime-as-a-Service” model.
Charl van der Walt, Head of Security Research, Orange Cyberdefense, comments:
“As attackers diversify across geographies and business sizes, what’s clear is that the traditional perception of the “supply chain” as linear is obsolete. In reality, we exist within a dense web of interdependence where a single weakness can enable mass compromise. Small businesses and critical services have become prime conduits to amplify economic and social consequences. While traditional defenses and incremental enforcement are necessary, they are not enough to offset agile adversaries that exploit society’s interconnectedness.“
Converging cybercriminals, state actors and hacktivists reshape modern geopolitics.
The balkanization of cyberspace is manifesting itself in the division of the cyberworld into geopolitical blocs. As revealed in our Security Navigator 2025, the boundaries between these players continue to blur, particularly with the rise of hacktivists, who are often ideologically aligned with complicit states. They carry out destabilization campaigns, DDoS attacks and manipulation of critical systems.
The main objective of these operations is no longer just technical disruption, but also misinformation, manipulation of opinion and psychological destabilization. It is a real strategy of cognitive attacks, demonstrating the interconnectedness of the various players involved. Hacktivists are becoming more professional, exploiting off-the-shelf ‘bot as-a-service’ cybercrime solutions to carry out these destabilization campaigns.
Misinformation completes the threat toolbox and is becoming one of the milestones in the evolution of cybercrime and contemporary geopolitics, with companies in critical sectors also targeted. The dissemination of false information, the manipulation of public opinion through misinformation campaigns, and the staging of spectacular cyber-attacks are fueling a hybrid war in which the boundaries between cybercrime, espionage and propaganda are becoming blurred.
At the same time, state actors continue to invest in cyberspace to carry out their cyber espionage and sabotage operations in a tense geopolitical context. They use criminal groups as proxies or extensions of their geopolitical strategy, in particular to destabilize adversaries or gather sensitive intelligence. For example, the Salt Typhoon campaigns, attributed to China, target critical infrastructure in more than 80 countries, exploiting vulnerabilities in telecommunications equipment and third-party supplier networks. These operations illustrate the integration of cyberattacks into the geopolitical strategies of governments.
Unprecedented global cooperation is the only path forward.
International co-operation is increasing with the active participation of 74 private organizations, under the aegis of Europol, Interpol and the Five Eyes alliance, among others.
An unprecedented analysis of 418 law enforcement actions (2021-2025) shows a steady increase in these operations, the majority resulting in arrests (29%), takedowns (17%) and charges (14%).
Co-operation that works
Co-operation between public agencies and private players is essential. The majority of operations involve private partners, particularly in deterring and dismantling criminal infrastructure.International co-ordination has made it possible to dismantle networks, seize servers, prosecute cybercriminals and strengthen deterrence.The success of these operations shows that public-private collaboration is an effective weapon for dealing with the increasing number of attacks and the growing power of cybercriminal groups.
Hugues Foulon, Chief Executive Officer, Orange Cyberdefense, concludes:
“Far from being a tragic fate, the consequences of the balkanization of cyberspace should provide us with an opportunity to strengthen co-operation, transparency and resilience. The fight against organized cybercrime requires a global alliance, both public and private, to confront a threat that knows no borders. Orange Cyberdefense is ready to share the benefits of its Cyber Threat Intelligence to further reinforce our digital shield.”
See more: Nokia and Telefónica Germany agree 5-year RAN deal to advance 5G expansion
See more: China to host ITU World Radiocommunication Conference 2027 in Shanghai