Blockchain analytics firm Chainalysis says ransomware activity increased sharply in 2025, with attackers shifting away from high-profile breaches toward a larger volume of small and medium-sized targets. In its annual report, Chainalysis found nearly 8,000 public leak events in 2025 — a roughly 50% jump from 2024 — while total on-chain ransom payments fell to about $820 million, an 8% decline year over year.
Chainalysis attributes the drop in overall payments to several factors: greater regulatory scrutiny, enforcement actions that disrupt laundering and infrastructure used by attackers, and a growing unwillingness among large firms and institutions to pay ransoms. Those pressures, the report says, appear to have prompted threat actors to pursue easier, faster payoffs from smaller victims.
Security researchers describe a clear targeting shift. Smaller organizations are perceived as quicker to pay, so adversaries are increasing volume rather than seeking fewer, larger payouts. At the same time, Chainalysis notes a divergence between publicly announced leaks and actual payments: despite a record number of public claims, recorded on-chain payments are trending downward, suggesting attackers are facing diminishing returns.
The report also highlights a steady decline in the average price for “victim access” sold on darknet markets — from about $1,427 at the start of 2023 to roughly $439 by early 2026. That price drop reflects an influx of inexpensive ransomware-as-a-service offerings and stolen-access logs, plus the adoption of AI tools that streamline attacks. Chainalysis warns this industrialization — AI-assisted tooling, automated access pipelines and a proliferation of infostealer logs — lowers barriers to entry and creates an oversupply of low-cost, operationally limited options that flood the market and depress prices.
Although on-chain ransomware payments fell modestly in 2025, crypto-related losses remained significant into 2026. Cybersecurity firm CertiK reported that in January 2026 approximately $370.3 million in cryptocurrency was stolen through exploits and scams, with about $311.3 million lost to phishing schemes alone.
This pattern underscores a broader cybercrime ecosystem where cheaper, more automated tools increase the number of incidents even as successful large-scale extortion payouts become harder to obtain. Readers should consult original reports from Chainalysis and CertiK for full methodology and datasets, and verify details independently as investigations and enforcement actions continue to evolve.