20 January 2026 | Categories: news


By Rafe Pilling, Director of Threat Intelligence, Sophos X-Ops CTU

The 2025 threat landscape shows how cyber risks are expanding on multiple fronts. Both state and criminal actors are adapting quickly, finding new opportunities, and challenging defenses worldwide. Key trends shaping the current environment include:

  • Western threat actors fuelling ransomware
    Groups like Scattered Spider amplify the ransomware crisis with bold campaigns that often start with stolen credentials and identity abuse.
  • Rising digital supply chain attacks
    Though still emerging from a low base, compromises of software and service providers are growing as attackers seek scale and leverage.
  • Malicious GenAI experimentation
    Threat actors continue testing generative AI, producing incremental gains in phishing, malware tooling, deepfakes, and automation rather than breakthroughs.
  • North Korean IT workers
    DPRK operatives posing as freelance developers infiltrate organisations to steal code, credentials, and hard currency.
  • Social engineering at the front line
    Tactics like “click-fix” lures, fake help desk calls, MFA fatigue, and QR-code phishing remain highly effective entry points for attackers.
  • China’s persistent cyber-threat
    Persistent campaigns ranging from attacks on network edge devices to the data-filled centre of cloud compute, mirroring China’s global strategic priorities.

Where we’re headed: Predictions for 2026

As these trends evolve, the next year will bring new tactics and risks that push defenders into unfamiliar territory. Here are three predictions shaping the future:

1a) Deja Vu

In 2026 we will see a major cyberattack which will cause huge disruption. The root cause will be poor cyber hygiene, and the attack will have been entirely preventable.

1) Deepfake voice fraud hits enterprise scale

Attackers could weaponise AI-generated voice cloning to bypass identity verification in high-value processes - think financial approvals, password resets and vendor onboarding. This moves social engineering beyond email and QR codes into real-time voice channels.

2) Agentified CEO fraud at scale

Agentic AI and Generative AI are combined to enhance and operationalise customised voice and/or video-based CEO fraud. Collections of agents could be used to locate voice and video clips of CEOs, generate deepfake videos based on a scripted or goal-driven interaction, and conduct interactive calls via WhatsApp with targeted executives, which would include the CEO delivering a video message before moving the conversation to chat.

3) Insider risk amplified by AI-augmented employees

Organisations could face a surge in insider-driven breaches, not just from malicious actors but from AI-assisted mistakes. Employees using GenAI tools for productivity inadvertently expose sensitive data through misconfigured connectors, prompt leaks, and shadow integrations.

4) Crypto theft on a grander scale

We could see a crypto theft that exceeds the $1.5 billion taken from ByBit, likely perpetrated by North Korea.

5) DPRK IT workers extend the use of AI for fraudulent employment

North Korean IT workers could use Agentic AI to enhance the survivability of their fake personas, improve the responsiveness to remote requests, and conduct remote taskings more effectively.

6) Ransomware remains a top cyberthreat

Ransomware will continue to be the dominant form of high-impact cybercrime, with increased fragmentation of the market and growing participation from non-Russian-speaking groups, predominantly English-speaking and Chinese-speaking groups.

The threat landscape is expanding from broad ransomware campaigns to identity-centric attacks, AI-driven fraud, and insider risk amplified by automation. Defenders will need to rethink controls for identity, AI governance, and insider risk to stay ahead.
