Ransomware operators continue to generate substantial profits, with new research from Rapid7 indicating that several cybercrime groups are recording revenue growth that outpaces many publicly traded businesses.
According to the cybersecurity firm's analysis, ransomware groups collectively received an estimated $529.2 million during the first quarter of 2026. That figure represents a 39% increase compared with the same period a year earlier. Rapid7 noted that none of the companies within the FTSE 350 index reported year-over-year revenue growth exceeding 30% during that quarter, placing ransomware operators among the fastest-growing entities examined in the study.
Several well-established ransomware operations appear to be benefiting from this trend. Rapid7 estimates that the Qilin ransomware group generated approximately $193 million between July 2025 and March 2026. During the same period, the Gentleman group is estimated to have collected roughly $52 million in ransom payments.
Rapid7 researchers argue that modern ransomware operations bear little resemblance to the stereotype of small groups of hackers working independently. Instead, many function through interconnected networks of specialists who focus on specific stages of an attack. Some actors gain access to victim networks, others develop malware, while separate teams handle extortion demands and payment negotiations.
A major factor behind this growth is the emergence of Initial Access Brokers, or IABs. These actors specialize in obtaining access to corporate networks and then selling that access to other criminals. As a result, launching a ransomware attack no longer requires extensive technical expertise. Access to compromised systems, attack tools, and even managed cybercrime services can now be purchased through underground marketplaces.
Researchers say this division of labor has created a more structured criminal economy. Different groups contribute individual services, allowing ransomware campaigns to operate through networks that resemble commercial supply chains rather than isolated criminal crews.
The study also highlights the resilience of these operations. Infrastructure used by ransomware groups, including servers, data leak platforms, and victim negotiation portals, can often be restored quickly after disruptions. Law enforcement agencies, meanwhile, frequently require lengthy investigations and international coordination before conducting enforcement actions. This difference in speed allows many criminal networks to continue operating even when portions of their infrastructure are removed.
Rapid7 CTO EMEA Thom Langford said ransomware groups have demonstrated an ability to continue generating revenue despite disruptions because their operations are designed to function even when individual components are taken offline. In many cases, the removal of a single server or criminal group does not significantly affect the broader ecosystem supporting ransomware activity.
The findings come amid continued financial losses linked to cybercrime. According to the FBI's Internet Crime Complaint Center, organizations and individuals reported more than $16 billion in cybercrime losses during 2024, reflecting the growing economic impact of digital fraud, extortion, and network intrusions.
To reduce ransomware risk, Rapid7 recommends that organizations continuously review their exposed systems and identify weaknesses that could provide attackers with an entry point. Particular attention should be given to misconfigured services, overlooked assets, and internet-facing systems, which are frequently targeted by Initial Access Brokers seeking access to corporate environments.
The company also advises security teams to make greater use of threat intelligence to understand how attackers operate, including the infrastructure, tools, and access methods commonly used during intrusions. Researchers further recommend strengthening identity security through tighter access controls, least-privilege policies, and monitoring for signs that employee credentials have been stolen, resold, or abused.
According to Rapid7, disrupting ransomware attacks before attackers establish access remains one of the most effective defensive strategies. By identifying weaknesses early and restricting opportunities for credential theft, organizations may be able to prevent ransomware incidents before they progress to the extortion stage.
Researchers at cybersecurity firm Sophos have uncovered a malware development framework that uses artificial intelligence tools to speed up the creation and testing of ransomware-related software designed to avoid detection by security products.
The investigation began after Sophos analysts discovered suspicious files on a customer system. What initially appeared to be a collection of penetration-testing tools soon revealed signs of criminal activity, including references to ransom notes and organizations listed on ransomware leak sites.
According to Sophos, the framework combines traditional attack tools with AI-assisted development workflows. Researchers found evidence that the operators used coding assistants such as Cursor and Claude Opus during different stages of development, including writing code, reviewing results, refining payloads, and researching techniques that could help malware evade security controls.
One of the framework's primary goals was to bypass Endpoint Detection and Response (EDR) platforms. These security products are designed to identify malicious activity on computers and servers, often detecting attacks that traditional antivirus software might miss.
The toolkit contained several components intended to reduce the chances of detection. Among them were customized Cobalt Strike profiles that made malicious network traffic resemble ordinary web browsing activity, communication channels that routed commands through Telegram, and malware development scripts capable of injecting malicious code into legitimate Windows applications while allowing those programs to continue functioning normally.
Researchers also identified the use of a Cloudflare Worker that acted as an intermediary between infected systems and attacker-controlled infrastructure. This setup can make it more difficult for defenders to identify the true location of command-and-control servers.
A particularly notable feature of the framework was an automated Active Directory discovery system. Active Directory is widely used in enterprise networks to manage users, computers, permissions, and other resources. Because it contains valuable information about an organization's internal structure, attackers frequently attempt to map Active Directory environments after gaining access to a network.
Sophos found that the discovery process relied on a series of AI-assisted agents that gathered information, assessed results, selected follow-up actions, and continued the investigation of the network. Rather than requiring a human operator to manually perform every step, parts of the reconnaissance process could be carried out through predefined automated workflows.
The framework itself appeared to operate through multiple specialized AI agents assigned to different tasks. Sophos reported that one agent coordinated the overall development process while others focused on testing, documentation, operational security improvements, virtual machine deployment, proxy testing, and malware evaluation.
Researchers also discovered that some agents had been tasked with examining publicly available security research. The system collected information from technical reports and research publications, extracted details about detection-evasion methods, mapped those techniques to the MITRE ATT&CK framework, recreated testing environments, and documented the results.
At the center of the operation was a Python-based payload generation tool. This component produced malware written primarily in Rust and Go while combining encryption, execution techniques, and anti-analysis measures intended to make detection more difficult. Sophos observed nearly 80 generated modules being tested against more than 70 separate evasion methods.
The malware was evaluated in laboratory environments against security products from Sophos, CrowdStrike, and Microsoft. Researchers noted that repeated testing and revision cycles appeared to improve the success rate of many payloads. However, they also observed inconsistencies between some reported results and actual testing outcomes, leaving questions about the accuracy of certain internal performance claims.
Despite the extensive use of artificial intelligence during development, Sophos found no indication that AI was embedded within deployed malware or operating independently on victim systems. The technology was primarily used to accelerate the research, testing, and refinement process while human operators remained responsible for directing the activity.
The findings provide another example of how threat actors are incorporating AI into existing workflows. Rather than introducing entirely new attack methods, these tools appear to be helping attackers shorten the time needed to transform publicly available security research into functioning malware capable of challenging modern security defenses.
For years, Bitcoin was widely associated with cryptocurrency-related crime. New industry data suggests that picture has changed astronomically, with stablecoins now accounting for the vast majority of identified illicit cryptocurrency activity.
The change of terms was accentuated by Bitcoin-focused financial services company River, which cited blockchain intelligence findings showing that Bitcoin's role in unlawful crypto transactions has declined sharply over the past several years. According to data attributed to Chainalysis, Bitcoin represented roughly 70% of illicit cryptocurrency transaction volume in 2020. By 2025, that figure had fallen to approximately 7%, while stablecoins had grown to account for around 84% of identified illicit transaction volume.
The numbers point to a drastic transformation in how cybercriminals, fraud operators, sanctioned entities, and money-laundering networks move digital funds across borders.
Why Stablecoins Are Becoming More Attractive to Criminal Networks
Unlike Bitcoin and many other cryptocurrencies, stablecoins are designed to maintain a relatively fixed value, typically by being linked to a traditional currency such as the U.S. dollar.
This stability removes one of the major risks associated with cryptocurrency transactions. A criminal group holding $1 million in Bitcoin today could see the value fluctuate significantly within days. Stablecoins largely eliminate that uncertainty, allowing illicit actors to move, store, and transfer funds without being exposed to major price swings.
Researchers say this makes stablecoins particularly useful in fraud schemes, investment scams, money-laundering operations, and cross-border transfers where predictable value is important.
The spike in acceptance of stablecoins across exchanges, payment services, and over-the-counter trading networks has also contributed to their increased use. Many stablecoins can be transferred globally within minutes while maintaining a value closely tied to fiat currency, making them practical for both legitimate and illegitimate financial activity.
Bitcoin Still Appears in Certain Criminal Operations
Despite its declining share, Bitcoin has not disappeared from the cybercrime infrastructure. It is still part of the overall pipeline in digital currency exchange.
Blockchain investigators continue to observe Bitcoin being used in ransomware attacks, darknet marketplaces, and extortion schemes. In these environments, long-established infrastructure, existing payment workflows, and familiarity among threat actors continue to support Bitcoin's use.
However, analysts note that criminal organizations are increasingly treating Bitcoin as only one option within a much larger digital financial ecosystem rather than the default cryptocurrency for illicit transactions.
Illicit Crypto Activity Continues to Soar
The change in asset preference comes as blockchain intelligence firms report increases in the overall value of illicit cryptocurrency activity.
TRM Labs recently estimated that illicit cryptocurrency flows reached approximately $158 billion in 2025, representing the highest level recorded by the company. The firm reported a sharp increase from the previous year, attributing much of the growth to sanctions-related activity, sophisticated money-laundering operations, underground financial networks, and expanded use of cryptocurrency by state-linked actors.
A large portion of these transactions involved stablecoins in the grand scheme of carrying out cyber criminal activities.
Researchers also observed that sanctions-evasion networks increasingly rely on stablecoins because of their liquidity, accessibility, and ability to move large sums through multiple jurisdictions with relative speed.
Compliance and Regulatory Pressure Expected to become more stringent
The developing concentration of illicit activity within stablecoin ecosystems is likely to intensify scrutiny from regulators and law-enforcement agencies.
Unlike decentralized cryptocurrencies, many major stablecoins are issued by identifiable companies that maintain reserve assets and have the technical ability to freeze certain wallets when required by legal authorities.
As a result, policymakers are increasingly examining how stablecoin issuers monitor suspicious transactions, respond to sanctions violations, and cooperate with criminal investigations.
Several stablecoin providers have already expanded collaboration with law enforcement agencies. Tether, the issuer of USDT, has publicly reported freezing wallets connected to suspected criminal activity, while blockchain analytics companies continue to develop tracking tools designed to identify suspicious transaction patterns across networks.
Criminal Use Remains a Small Portion of Overall Activity
Although illicit cryptocurrency volumes have risen in absolute terms, researchers caution against interpreting the data as evidence that most cryptocurrency activity is criminal.
Industry reports consistently show that unlawful transactions represent only a small fraction of total blockchain activity. Stablecoins process trillions of dollars in annual transaction volume, meaning the overwhelming majority of transactions are associated with legitimate uses such as payments, trading, remittances, and settlement activities.
Nevertheless, the latest findings draw a clearer picture into how criminal groups adapt quickly to changing financial technologies. While Bitcoin once dominated illicit cryptocurrency transactions, blockchain intelligence data now suggests that stablecoins have become the preferred vehicle for many forms of crypto-enabled financial crime due to their price stability, global accessibility, and ease of transfer.
The trend is expected to remain a driving focus for regulators, compliance teams, cryptocurrency exchanges, and law-enforcement agencies as governments continue developing rules for the rapidly expanding stablecoin sector.