Cybercrime is no longer the domain of isolated, technically gifted individuals. Today, organised crime operates as a global industry where personal data, credentials and digital identities are stolen, traded and exploited on a massive scale.
Europol’s latest report, IOCTA 2025: Steal, Deal and Repeat – How Cybercriminals Trade and Exploit Your Data, reveals the evolution of this underground economy. The growing sophistication and specialisation of cybercriminal actors means that every security breach becomes an opportunity for fraud, extortion, or money laundering.
What data are cybercriminals after?
The first step in the chain is information theft. Criminal actors primarily seek:
- Personal data and access credentials: email addresses, passwords, authentication tokens, ID documents.
- Financial and business data: card details, IBANs, bank accounts, access to data management systems like ERPs or CRMs.
- Remote access tools: VPNs, virtual desktops, cloud servers.
- Social media and online service profiles: used for impersonation or to build social engineering attacks.
- Publicly exposed data: posts, likes, and images that can support hyper-targeted phishing campaigns.
The end goal may vary — from launching ransomware attacks to creating synthetic identities for long-term fraud.
How do they obtain this data?
Social engineering
Attackers exploit techniques such as phishing (via email, SMS or fake websites), vishing (voice scams), or fake profiles to trick users.
With the rise of generative AI and deepfakes, fake identities have become far more convincing. Europol highlights how LLMs (Large Language Models) and synthetic voices are already being used to create scams in multiple languages — automatically.
Technical vulnerabilities
Criminals also exploit security flaws in exposed infrastructure. Some common methods include:
- Attacks on VPNs, firewalls or vulnerable web servers
- Theft of cookies or session tokens
- Reuse of intercepted biometric data
- Spoofing of device or camera origins (key in injection attacks)
Who’s behind these attacks?
Today’s criminal ecosystem is broad and decentralised, there’s no single attacker profile. Key players include Initial Access Brokers (IABs), who sell access to already-compromised systems; data brokers, who trade in vast quantities of leaked data and full identity profiles; and Advanced Persistent Threat (APT) groups or hybrid actors, who target critical infrastructure using zero-day exploits or supply chain attacks.
There are also niche criminals who don’t resell stolen data, but instead exploit it for long-term manipulation, such as in romance scams or sextortion.
Where is this data traded?
Stolen data rarely stays with the original attacker. It’s quickly circulated through various cybercrime channels: dark web marketplaces, private access-only forums, and encrypted messaging apps like Telegram or Discord.
Within these spaces, a well-established Fraud-as-a-Service (FaaS) model has emerged: criminal networks offering attack kits, tech support, automated tools, and even quality guarantees on the data sold. These platforms resemble legitimate marketplaces, with reputation systems and customer service, making it easy for anyone, even without technical expertise, to launch sophisticated attacks quickly and at scale.
This model turns fraud into a scalable, professional, global business — making it harder to contain and far more damaging.
Protecting identity goes beyond data
In today’s landscape, data is no longer the final objective, it’s the gateway to more complex, automated, and untraceable attacks. That’s why defence must go beyond reacting, it must anticipate.
At Facephi, we’ve developed a tech ecosystem that combines advanced biometrics, AI and real-time signal analysis to secure every stage of the user lifecycle from onboarding to every transaction.
We also believe that educating users and employees in cybersecurity is crucial, turning them into the first line of defence.
Get in touch with our expert team to discover how advanced technology can help your organisation stay one step ahead of cybercrime.