The Dark Side of Cybersecurity: What the Industry Won’t Tell You
The world will spend over $377 billion on cybersecurity by 2028. The bad guys are still winning.
Behind every threat intel report and conference keynote is a grimmer story about a shadow economy that has outpaced every defense thrown at it. This is not the cybersecurity story vendors pitch you. This is the one that keeps CISOs awake at 3 a.m.
The $10.5 Trillion Number Nobody Wants to Say Out Loud
Ask anyone in a boardroom how much cybercrime costs the world. Most will not have a ready answer.
Global cybercrime costs are on track to hit $10.5 trillion annually by 2025, up from $3 trillion a decade ago. That figure is larger than the GDP of every nation except the U.S. and China. It gets worse: less than 25% of cybercrimes are ever reported to law enforcement.
So the number everyone quotes is already an undercount.
The real damage lives in the breaches companies quietly settle, the ransoms paid and never disclosed, and the reputational hits absorbed in silence. That silence is the dark side of this industry, not the exploit code, but the culture around it.
Ransomware Stopped Being a Hack. It Became a Business.
The image of a lone hacker in a hoodie died somewhere around 2021.
What replaced it is a full-blown ransomware economy, complete with affiliate programs, customer support desks, and tiered pricing. Ransomware payments hit a record $1.1 billion in 2023. Groups like LockBit and ALPHV/BlackCat were not hacker collectives. They were organized crime operations with service-level agreements.
When Operation Cronos took down LockBit in February 2024, the criminal ecosystem did not collapse. RansomHub and Akira stepped in within weeks with the same business model and new branding.
Healthcare took the worst of it. Rebecca Wright, a cybersecurity professor at Barnard College, has pointed out that hospitals are particularly exposed because they run on a mix of legacy systems and third-party vendors that are nearly impossible to fully secure. The PowerSchool breach in December 2024 made that point painfully clear, exposing data belonging to 62 million students and 10 million teachers.
AI Did Not Level the Playing Field. It Tilted It Toward Attackers.
Every cybersecurity vendor has an AI pitch deck. Here is what those decks leave out.
74% of hackers now say AI has made attacks more accessible: not just faster, but open to people who could never have pulled them off before. The barrier to entry for a sophisticated cyberattack has dropped sharply.
Deepfake incidents targeting senior executives have become common enough that 51% of cybersecurity professionals say they have encountered one. These are not phishing emails anymore. They are video calls, voice messages, and audio clips that sound exactly like your CFO authorizing a wire transfer.
A North Korean operative used deepfake technology to land a job at KnowBe4, a company whose entire business is security awareness training. If a company that specializes in detecting social engineering got fooled, most organizations do not stand a chance.
In September 2025, investigators confirmed the first AI-orchestrated espionage campaign, where attackers used AI not as a support tool but as an autonomous actor in the attack chain. Reported cyber capabilities in adversarial AI had doubled in just six months.
Phishing still accounts for roughly 60% of intrusion incidents. The difference now is that the emails read like they were written by someone who actually knows you.
131 New Vulnerabilities Every Single Day
Security teams are not losing because they are incompetent. They are losing because the math does not work.
In 2024, an average of 113 CVEs (Common Vulnerabilities and Exposures) was published daily. In 2025, that number climbed to 131 per day. At this pace, 2025 will end with over 40,000 newly published vulnerabilities, a 30% jump from 2023 and a 56% increase from 2022.
No patch cycle on earth keeps up with that. Attackers know which vulnerabilities go unpatched and they camp there.
82% of breaches in 2024 involved cloud-based data, a direct result of organizations racing to the cloud without the security infrastructure to match. And when a breach does happen, the average cost in the United States reaches $9.36 million, the highest of any country in the world.
The Dark Web Has a Supply Chain. It Is Thriving.
Most people picture the dark web as chaotic and underground. It is neither.
57% of dark web content is outright illegal, covering drug markets, violence forums, and stolen credentials listed with the same ease as products on an e-commerce site. Passwords sell in bulk. Data brokers post fresh breach dumps on a regular schedule.
The RockYou2024 leak landed in July 2024 carrying roughly 10 billion unique plaintext passwords, the largest credential dump ever recorded. Every entry is a potential door still left open somewhere.
Identity fraud pulled in $27.2 billion in 2024, up 19% year over year. Synthetic identity fraud, where criminals construct entirely fake identities rather than stealing real ones, now drives over 80% of new account fraud. Banks are approving accounts for people who do not exist.
Your Vendor Is Their Way In
The U.S. Treasury was not breached through its own systems.
In December 2024, attackers linked to a Chinese state-sponsored group got in through a contractor’s remote support tool. A vendor’s help desk session became the entry point into one of the most sensitive financial institutions in the world.
Gartner’s projection that 45% of global organizations would face software supply chain attacks by 2025 was not an exaggeration. It turned out to be a calendar. Third-party risk management remains one of the most underfunded disciplines in enterprise security, even as attackers have made it their primary playbook.
The Industry Is Burning Out Its Own People
There is a cost to all of this that almost never appears in a threat report.
55% of cybersecurity professionals say their stress levels have increased to the point that they flag it as a professional concern. SOC analysts work through hundreds of alerts a day knowing that the one they miss might be the one that matters. The talent pipeline does not refill fast enough, and the attrition is quiet but real.
Rachel Tobac, a widely respected voice in ethical hacking, summed it up when asked about AI-enabled attacks heading into 2026: defender successes using AI will happen, but it is going to take time to catch up.
That gap between when attacks mature and when defenses match them is where most of the damage actually happens.
What Has to Change
The industry has a comfort problem. Security theater (compliance checkboxes, annual audits, and vendor renewals) gets mistaken for actual resilience.
Only 15.1% of organizations plan to meaningfully increase security spending in 2025, even as attack surfaces keep expanding. Boards approve the cybersecurity budget the same way they approve facilities management: overhead, not strategy.
That framing has to break. Third-party vendors need to be treated as part of your attack surface, not outside it. Breaches need to be disclosed rather than quietly managed. And the people running security operations need support structures that match the weight of what they are actually carrying.
The criminal ecosystem shares intelligence in real time. The defense side largely does not. Until that changes, the scoreboard stays lopsided.
Frequently Asked Questions
What is the projected global cost of cybercrime by 2025?
Global cybercrime costs are projected to reach $10.5 trillion annually by 2025, up from $3 trillion in 2015, according to Cybersecurity Ventures.
What was the largest credential leak in recorded history?
The RockYou2024 leak in July 2024 exposed approximately 10 billion unique plaintext passwords, the largest credential dump ever documented.
What percentage of cybercrimes get reported?
Cybersecurity Ventures estimates less than 25% of global cybercrimes are reported to law enforcement.
How much did ransomware payments total in 2023?
Ransomware payments hit a record $1.1 billion in 2023, according to blockchain analytics firm Chainalysis.
What is Ransomware-as-a-Service?
Ransomware-as-a-Service is a criminal business model in which ransomware developers license attack tools to affiliates, who carry out the attacks and split the ransom proceeds with the developers.
How is AI being used in cyberattacks?
Attackers use AI to craft convincing phishing emails, generate deepfake audio and video for impersonation, automate vulnerability scanning, and, as of September 2025, run fully autonomous espionage campaigns.
Why is healthcare the top ransomware target?
Hospitals rely on legacy systems, third-party vendors, and patient data that cannot wait. That combination makes them both vulnerable and more likely to pay quickly.
What does a data breach cost a U.S. company on average?
The average cost of a single data breach in the United States reached $9.36 million in 2024, the highest figure of any country globally.
