A.R. Perez, Netlok. 7/8/2025

Multi-factor authentication (MFA) was once hailed as a near-perfect shield, yet recent headline breaches prove attackers are not only slipping past it, they are doing so at an accelerating pace. This report ranks today’s most common MFA combinations from weakest to strongest and quantifies the sharp rise in MFA-related attacks between 2023 and 2025. It should be noted that Photolok® (a passwordless MFA factor that uses proprietary-coded photos) is not included in this analysis.

Why MFA Strength Varies

Every MFA scheme marries at least two factors—knowledge (password/PIN), possession (token/phone), or inherence (biometric). Security depends on:

Ranking MFA Combinations

Rank | Typical Combination | Core Weaknesses | Core Strengths | Verdict
8 (Strongest) | Hardware passkey + on-device biometric (FIDO2/WebAuthn) | None identified; no factor data ever leaves the device, and the scheme resists phishing and replay 1, 2 | Cryptographic challenge tied to hardware; biometric unlock 3, 4 | Phishing-resistant, passwordless gold standard
7 | Password + hardware security key (FIDO2/U2F) | Requires the user to manage a key inventory | Cryptographic possession factor blocks replay 5, 1 | Best “password-plus” model
6 | Password + smart-card/PKI token (PIV/CAC) | Complex deployment and driver issues | Mutual certificate validation; device binding 2 | Enterprise-grade where supported
5 | Password + platform biometric (e.g., Windows Hello, Face ID) | Biometric unlock is local; the underlying session can still be phished if fallback to password is allowed 4 | User-friendly; device-tied secrets 6 | Good for mainstream use but still password-dependent
4 | Password + number-matching push or TOTP hardware token | Phishable one-time codes; token theft possible 7, 8 | Short validity window; no SMS channel | Mid-level protection
3 | Password + generic authenticator-app TOTP (30-second code) | Real-time phishing proxies capture the code 9 | No carrier reliance; easy rollout 7 | Better than SMS, still phishable
2 | Password + push notification (“Approve/Deny”) | MFA-fatigue bombing and social-engineered approvals 10, 11 | User convenience | Frequently bypassed by prompt bombing
1 (Weakest) | Password + SMS/voice code | SIM swap, SS7 interception, no encryption 12, 13 | Universal availability | Should be phased out per CISA and NIST guidance 2, 14
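The gap between rank 3 and ranks 7-8 in the table comes down to what the second factor is bound to. A TOTP code is a six-digit string that says nothing about which site the user believed they were on, so a real-time proxy can forward it within its validity window; a WebAuthn assertion is a signature over a server challenge plus the origin the browser actually rendered, so the same proxy produces a signature the real site rejects. The following Python example, added here and not code from the original report, models both flows. The TOTP side follows RFC 6238 over the RFC 4226 HOTP core; the WebAuthn side keeps the relying-party checks a server really performs (ceremony type, origin, single-use challenge) but uses HMAC-SHA256 as a stand-in for the authenticator's ECDSA signature, an assumption made so the example runs on the standard library alone. Hostnames and keys are constructed.

```python
"""Added example: a real-time phishing proxy defeats TOTP but not a WebAuthn
assertion. HMAC-SHA256 stands in for the authenticator's ECDSA signature
(assumption); the origin and challenge checks are the ones that matter."""
import hashlib
import hmac
import json
import secrets
import struct


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(key: bytes, now: int, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from wall-clock time."""
    return hotp(key, now // step)


class TotpService:
    """Relying party that accepts any correct code for the current 30 s window."""

    def __init__(self, shared_seed: bytes):
        self.seed = shared_seed

    def login(self, code: str, now: int) -> bool:
        return hmac.compare_digest(code, totp(self.seed, now))


def aitm_relay_totp(service: TotpService, victim_seed: bytes, now: int) -> bool:
    """The victim types the code into a look-alike page; the proxy forwards it to the
    real site inside the validity window. Nothing in the code names the origin."""
    code_typed_by_victim = totp(victim_seed, now)
    return service.login(code_typed_by_victim, now)


def _sign(cred_key: bytes, client_data: bytes) -> bytes:
    # Stand-in for ECDSA over authenticatorData || SHA-256(clientDataJSON).
    return hmac.new(cred_key, hashlib.sha256(client_data).digest(), hashlib.sha256).digest()


class WebAuthnService:
    """Relying party verifying a WebAuthn assertion (navigator.credentials.get)."""

    def __init__(self, rp_origin: str, cred_key: bytes):
        self.origin = rp_origin
        self.cred_key = cred_key
        self.outstanding = set()  # challenges issued but not yet consumed

    def new_challenge(self) -> str:
        challenge = secrets.token_hex(16)
        self.outstanding.add(challenge)
        return challenge

    def verify(self, client_data: bytes, signature: bytes) -> bool:
        data = json.loads(client_data)
        if data.get("type") != "webauthn.get":
            return False
        if data.get("origin") != self.origin:        # the anti-phishing check
            return False
        if data.get("challenge") not in self.outstanding:
            return False                              # unknown or already spent
        self.outstanding.discard(data["challenge"])   # single use: blocks replay
        return hmac.compare_digest(_sign(self.cred_key, client_data), signature)


def authenticator_assert(cred_key: bytes, challenge: str, page_origin: str):
    """The browser, not the user, writes the origin of the page that requested the
    assertion into clientDataJSON, so a convincing look-alike page gains nothing."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": page_origin},
        sort_keys=True,
    ).encode()
    return client_data, _sign(cred_key, client_data)


def legit_webauthn_login(service: WebAuthnService, cred_key: bytes) -> bool:
    challenge = service.new_challenge()
    return service.verify(*authenticator_assert(cred_key, challenge, service.origin))


def aitm_relay_webauthn(service: WebAuthnService, cred_key: bytes, phishing_origin: str) -> bool:
    """The proxy fetches a genuine challenge from the real site and relays it, but the
    victim's browser is on the phishing origin, so the signed origin does not match."""
    challenge = service.new_challenge()
    return service.verify(*authenticator_assert(cred_key, challenge, phishing_origin))


def replayed_webauthn_login(service: WebAuthnService, cred_key: bytes) -> bool:
    """A captured genuine assertion fails the second time: the challenge is spent.
    Returns True when the replay was blocked."""
    challenge = service.new_challenge()
    assertion = authenticator_assert(cred_key, challenge, service.origin)
    first = service.verify(*assertion)
    second = service.verify(*assertion)
    return first and not second


if __name__ == "__main__":
    seed = b"12345678901234567890"                 # RFC 4226 test key (constructed)
    print("RFC 4226 vector:", hotp(seed, 0))       # 755224
    print("TOTP relayed by AitM proxy:", aitm_relay_totp(TotpService(seed), seed, 1_700_000_000))
    rp = WebAuthnService("https://login.example.com", b"per-credential-key")
    print("WebAuthn legit:", legit_webauthn_login(rp, rp.cred_key))
    print("WebAuthn via AitM:", aitm_relay_webauthn(rp, rp.cred_key, "https://login-example.com"))
    print("WebAuthn replay blocked:", replayed_webauthn_login(rp, rp.cred_key))
```

The rank 5 caveat in the table applies here too: if the relying party still accepts a password plus TOTP as a fallback path, the proxy simply steers the victim onto that path, so the phishing resistance only holds once the weaker factors are actually disabled for the account.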

Key Takeaways

The Surge in MFA-Focused Attacks (2023-2025)

Year | Representative Study | Metric Reported | Indicator of MFA Attack Activity
2023 | Okta “State of Secure Identity 2023” | 12.7% of all MFA attempts on Okta’s Customer Identity Cloud were outright bypass attacks 15 | Baseline showing bypass in production traffic
2023 | Kroll “Rise in MFA Bypass” (Oct 2023) | 90% of BEC cases investigated had MFA in place when accounts were compromised 16 | Confirms attackers pivoting to MFA-enabled targets
2024 | Cisco Talos IR Q1 2024 | ≈50% of incident-response cases involved failure or bypass of MFA controls 10, 17 | Roughly four times the Okta 2023 baseline rate (different datasets)
2024 | Proofpoint “State of the Phish 2024” | Phishing frameworks such as EvilProxy observed in ≈1 million threats per month, explicitly harvesting MFA cookies 18 | Commodity kits fueling large-scale bypass
2025 | Netrix Global “New Wave of MFA Bypass Attacks” (Jun 2025) | Describes a “surge” but gives no percentage; corroborated by FRSecure IR 2024-25, where 79% of BEC victims had correctly implemented MFA yet were breached 19 | MFA bypass now dominant in BEC incidents
2025 | eSentire Q1 2025 Report | BEC attacks (often MFA bypass via Tycoon 2FA) rose 60% YoY, now 41% of all attacks 20 | Attack volume and proportion at all-time high

Visualizing the Climb

Year | Reported MFA-Attack Rate* | Year-over-Year Change
2023 | 12.7%–90% depending on dataset (baseline) | —
2024 | ≈50% of IR cases involve MFA bypass 10, 17 | ≈+37 pp from the Okta baseline
2025 | 79% of BEC victims breached despite MFA 19 | +29 pp vs 2024 IR data

*Rates come from different datasets (CIAM traffic, IR engagements, BEC breaches). While scopes vary, all show the same climbing trajectory.

Why the Rate Keeps Rising

Commodity Phishing-as-a-Service (PhaaS)

Token Theft & Session Hijacking

MFA Fatigue & Social Engineering

Weak Factor Mix

Hardening the Human-Machine Perimeter

1. Phase Out Legacy Factors

2. Enforce Phishing-Resistant MFA

3. Strengthen Push Workflows

4. Layer Conditional Access & Risk-Based Controls

5. Educate to Eradicate MFA Fatigue

Conclusion

Attackers’ ability to sidestep MFA has grown from isolated exploits in 2023 to industrial-scale commodity services in 2025. Organizations that cling to password-plus-SMS or push-only MFA now occupy the bottom rung of the strength ladder and face a sharply rising threat curve. Yet the solution is within reach: broad adoption of phishing-resistant, device-bound authentication, coupled with risk-aware access controls, flips the cost curve back onto the attacker. Upgrade the factors, shrink the attack surface, and keep users from approving the next rogue prompt. One novel method of upgrading factors is to use Photolok, a passwordless factor that uses steganographically coded photos, which also protects against AI/ML attacks and limits lateral movement because of its unique architecture.

  1. https://fidoalliance.org/fido2/
  2. https://www.cisa.gov/sites/default/files/publications/fact-sheet-implementing-phishing-resistant-mfa-508c.pdf
  3. https://www.trout.software/resources/tech-blog/fido2-and-passkeys-the-future-of-mfa-for-critical-infrastructure
  4. https://www.security.com/blogs/expert-perspectives/secret-phishing-resistant-authentication
  5. https://hideez.com/blogs/news/fido2-explained
  6. https://tjdeed.com/combating-phishing-attacks-with-passwordless-fido2-authentication/
  7. https://stytch.com/blog/totp-vs-sms/
  8. https://rublon.com/blog/sms-vs-totp/
  9. https://www.menlosecurity.com/blog/the-art-of-mfa-bypass-how-attackers-regularly-beat-two-factor-authentication
  10. https://www.cybersecuritydive.com/news/mfa-multi-factor-authentication-cisco-talos-cyber/719254/
  11. https://www.sapphire.net/blogs-press-releases/the-rise-of-mfa-fatigue-attacks/
  12. https://cyberhoot.com/blog/top-five-risks-from-sms-based-mfa/
  13. https://www.authsignal.com/blog/articles/why-sms-based-authentication-is-no-longer-enough-for-secure-account-protection
  14. https://community.ring.com/en_GB/conversations/general-topics/multifactor-authentication-using-sms-is-the-least-secure/6580381451f6e6fe78d31ec5
  15. https://www.okta.com/newsroom/articles/key-findings-from-our-2023-state-of-secure-identity-report/
  16. https://www.kroll.com/en/insights/publications/cyber/mfa-bypass-leads-to-account-compromise
  17. https://www.descope.com/learn/post/mfa-bypass
  18. https://www.infosecurity-magazine.com/news/orgs-inected-ransomware-2023/
  19. https://frsecure.com/blog/token-theft-attacks-mfa-defeat/
  20. https://www.theregister.com/2025/07/07/phishing_platforms_infostealers_blamed_for/
  21. https://blog.talosintelligence.com/state-of-the-art-phishing-mfa-bypass/
  22. https://www.egroup-us.com/news/microsoft-entra-id-security-2025/
  23. https://www.waterisac.org/portal/ransomware-resilience-%E2%80%93-mfa-bypass-seen-largest-attack-vector-ransomware-attacks
  24. https://www.rsa.com/wp-content/uploads/rsa-top-trends-in-identity-2025.pdf
  25. https://jumpcloud.com/blog/multi-factor-authentication-statistics
  26. https://www.enzoic.com/blog/microsoft-digital-defense-report-mfa-vulnerabilities/
  27. https://netrixglobal.com/blog/cybersecurity/navigating-the-new-wave-of-mfa-bypass-attacks-in-2025/?category=office+365%2Co365%2Coffice+365+pnp
  28. https://expertinsights.com/user-auth/multi-factor-authentication-statistics
  29. https://www.oasis.security/resources/blog/oasis-security-research-team-discovers-microsoft-azure-mfa-bypass
  30. https://emudhra.com/en-us/blog/mfa-solutions-trends-to-watch-out-for-in-2025
  31. https://www.microsoft.com/en-us/security/security-insider/microsoft-digital-defense-report-2023
  32. https://www.greystoneprograms.org/post/cyber-security-trends-in-2025
  33. https://www.rapid7.com/blog/post/2025/04/10/password-spray-attacks-taking-advantage-of-lax-mfa/
  34. https://www.forbes.com/sites/daveywinder/2024/12/25/google-and-microsoft-users-warned-as-new-2fa-bypass-attacks-reported/
  35. https://www.rsa.com/resources/blog/multi-factor-authentication/the-future-of-mfa-adaptive-authentication-and-other-trends/
  36. https://keepnetlabs.com/blog/understanding-mfa-phishing-protection-measures-and-key-statistics
  37. https://www.cisa.gov/resources-tools/resources/phishing-resistant-multi-factor-authentication-mfa-success-story-usdas-fast-identity-online-fido
  38. https://www.creative-n.com/blog/mfa-fatigue-attacks-what-are-they-and-how-can-your-business-combat-them/
  39. https://vanishid.com/2023/09/07/kroll-august-2023-sim-swap-attack/
  40. https://explodingtopics.com/blog/multi-factor-authentication-stats
  41. https://www.f5.com/labs/articles/threat-intelligence/2023-identity-threat-report-the-unpatchables
  42. https://www.kroll.com/en/reports/cyber/threat-intelligence-reports/q2-2023-threat-landscape-report-supply-chain-infiltrations
  43. https://www.statista.com/statistics/1458607/mfa-account-takeover-global/
  44. https://www.reddit.com/r/cybersecurity/comments/13pu8ds/the_problem_with_smsbased_mfa_in_2023_and/
  45. https://www.kroll.com/-/media/kroll/pdfs/publications/q2-2023-threat-landscape-report-supply-chain-infiltrations.pdf
  46. https://cyberwyoming.org/insights-from-the-itrc-2024-data-breach-report-mfa/
  47. https://www.army.mil/article/280598/secure_our_world_cecom_recommends_enabling_multifactor_authentication_to_enhance_cybersecurity
  48. https://www.prove.com/blog/prove-identity-2023-state-of-mfa-report-consumer-attitudes-multi-factor-authentication
  49. https://www.swidch.com/resources/blogs/2fa-mfa-the-good-the-bad-the-ugly
  50. https://www.menlosecurity.com/press-releases/browser-based-phishing-attacks-increased-198-in-2023-as-threat-actors-grow-more-evasive-menlo-security-research-finds
  51. https://hub.wpi.edu/spread/148/secure-it-october-2023
  52. https://www.kroll.com/en/reports/cyber/threat-intelligence-reports/q4-2023-threat-landscape-report-threat-actors-breach-outer-limits
  53. https://www.infosecurity-magazine.com/news/majority-compromises-stolen/
  54. https://www.ibm.com/thought-leadership/institute-business-value/en-us/report/2025-threat-intelligence-index
  55. https://www.reddit.com/r/msp/comments/1jr46aw/365_account_comprise_bypassing_mfa_and_sending/
  56. https://hoxhunt.com/blog/business-email-compromise-statistics
  57. https://www.isaca.org/resources/news-and-trends/industry-news/2025/will-mfa-redefine-cyberdefense-in-the-21st-century
  58. https://www.indusface.com/blog/key-cybersecurity-statistics/
  59. https://blog.lastpass.com/posts/business-email-compromise
  60. https://blueprint.asd.gov.au/configuration/entra-id/protection/risky-activities/multifactor-authentication/account-lockout/
  61. https://www.scworld.com/feature/how-attackers-outsmart-mfa-in-2025
  62. https://hoxhunt.com/guide/phishing-trends-report
  63. https://learn.microsoft.com/en-us/partner-center/security/security-at-your-organization
  64. https://arcticwolf.com/resources/blog/defending-against-business-email-compromise/
  65. https://www.cobalt.io/blog/top-cybersecurity-statistics-2025
  66. https://www.huntress.com/blog/cybersecurity-statistics
  67. https://www.linkedin.com/pulse/business-email-compromise-bec-most-expensive-youll-xutwc
  68. https://www.intrust-it.com/understanding-mfa-bypass-attacks/
  69. https://www.reddit.com/r/privacy/comments/rf0xno/is_2fa_with_authenticator_apps_really_more_secure/
  70. https://rokibulroni.com/blog/fido2-passkeys-modern-authentication-2025/
  71. https://www.corbado.com/blog/best-fido2-hardware-security-keys
  72. https://help.okta.com/oie/en-us/content/topics/identity-engine/authenticators/phishing-resistant-auth.htm
  73. https://www.cyberseclabs.org/best-fido2-hardware-security-token/
  74. https://www.pcmag.com/picks/best-hardware-security-keys
  75. https://www.idmanagement.gov/playbooks/altauthn/
  76. https://jumpcloud.com/blog/totp-mfa
  77. https://www.nytimes.com/wirecutter/reviews/best-security-keys/
  78. https://cybersecurityventures.com/multi-factor-authentication-is-not-99-percent-effective/
  79. https://nordlayer.com/blog/cybersecurity-statistics-of-2024/

A.R. Perez, Netlok, July 1, 2025

Understanding the Threat Landscape

The emergence of sophisticated deepfake technologies and synthetic identity creation tools represents one of the most significant challenges facing biometric authentication systems today. Deepfakes are highly realistic, artificially generated media that can convincingly replicate human faces, voices, and behaviors using advanced deep learning techniques 1, 2. These technologies have rapidly evolved from entertainment applications to become serious security threats, with attackers now capable of bypassing traditional biometric systems that once seemed unbreachable.

Recent data reveals the scale of this challenge: in 2024, 50% of surveyed businesses reported experiencing deepfake-related attacks, with 57% of cryptocurrency organizations facing audio deepfake fraud 3. The accessibility of AI tools has democratized deepfake creation, allowing even non-technical attackers to generate convincing synthetic media with minimal coding skills 4. Reports indicate a staggering 704% increase in face swap attacks across 2023, demonstrating the exponential growth of this threat vector 4.

Vulnerabilities in Current Biometric Systems

Traditional biometric authentication systems face significant vulnerabilities when confronted with sophisticated synthetic attacks. Research conducted at Penn State found that four of the most common facial liveness verification methods currently in use could be easily bypassed using deepfakes 5. The study developed a framework called “LiveBugger” which demonstrated that facial liveness verification features on various apps could be fooled by deepfake images and videos.

The fundamental challenge lies in the fact that conventional biometric systems were designed to distinguish between live humans and simple presentation attacks (like printed photos or basic recordings), but they struggle against AI-generated content that can mimic the subtle characteristics of live biometric samples 6, 7. Facial recognition systems, which rely on static features and patterns, are particularly vulnerable to sophisticated deepfake attacks that can replicate facial landmarks, expressions, and even micro-movements 8.

Voice biometric systems face similar challenges, with AI voice synthesis now capable of replicating vocal patterns, pitch, and tone with unsettling accuracy 8. Attackers can create voice clones using just a few seconds of recorded audio, enabling them to bypass voice-based authentication systems that were previously considered secure.

Impact on Authentication Confidence

The proliferation of deepfakes has begun to erode confidence in biometric authentication systems. Gartner analysts predict that by 2026, 30% of companies will lose confidence in facial biometric authentication due to the sophistication of AI deepfakes 1. This loss of confidence is not unfounded – traditional verification methods, including basic selfie comparisons and document-based biometric checks, are increasingly ineffective against realistic fake images, videos, and voices generated by accessible AI tools 3.

The problem extends beyond simple spoofing attacks. Fraudsters can now create entirely new synthetic identities that appear legitimate, utilizing generative AI models to produce hyper-realistic identification documents and deepfake videos capable of evading traditional liveness detection mechanisms 3. This capability allows attackers to circumvent Know Your Customer (KYC) checks employed by financial services, creating fraudulent accounts and executing unauthorized transactions.

Emerging Countermeasures and Technologies

The biometric industry is responding to these challenges through several innovative approaches designed to detect and prevent deepfake attacks:

Advanced Liveness Detection

Modern liveness detection technologies have evolved far beyond simple movement or challenge-response mechanisms. Companies like Mitek have developed sophisticated systems that can detect deepfakes and synthetic attacks through consistency analysis between different biometric modalities 9. Their IDLive® Face product has achieved recognition as a top performer in NIST facial presentation attack detection evaluations and demonstrates effectiveness against sophisticated fraud attempts 9.

Next-generation liveness detection systems incorporate passive analysis that can identify subtle artifacts and inconsistencies inherent in AI-generated content without requiring active user participation 10. These systems analyze factors such as texture inconsistencies, temporal anomalies, and physiological impossibilities that are difficult for current deepfake generation technologies to replicate perfectly.

Multimodal Biometric Fusion

One of the most promising defenses against deepfake attacks is the implementation of multimodal biometric systems that combine multiple authentication factors. Research shows that while attackers might successfully spoof one biometric modality, creating convincing fakes across multiple modalities simultaneously becomes exponentially more difficult 11, 12.

Companies are developing systems that integrate facial recognition, voice authentication, and behavioral biometrics into unified platforms. For example, Mitek’s MiPass® solution combines advanced facial and voice biometrics with passive liveness detection specifically to safeguard against deepfakes, synthetic identities, and identity theft 9.

AI-Powered Detection Systems

The fight against AI-generated attacks increasingly requires AI-powered defense systems. Researchers have developed sophisticated detection frameworks that can identify deepfakes by analyzing high-level audio-visual biometric features and semantic patterns 13. These systems focus on detecting characteristics that current deepfake generation technologies struggle to replicate, such as individual mannerisms and unique biometric patterns that persist across different contexts.

Advanced detection systems employ ensemble learning approaches and transformer-based architectures to improve accuracy in identifying synthetic content 11. These systems can achieve authentication accuracy rates exceeding 99.5% while maintaining spoof detection rates above 99.3% 11.

Tokenization and Privacy-Preserving Solutions

A fundamental shift in biometric security involves moving away from storing raw biometric templates to using irreversibly transformed tokens. Companies like Trust Stamp have developed technologies that replace biometric templates with cryptographic hashes that can never be rebuilt into original data 14, 15. These Irreversibly Transformed Identity Tokens (IT2) maintain matching capability while eliminating the risk of biometric data theft and misuse.

This approach addresses both deepfake vulnerabilities and privacy concerns by ensuring that even if systems are compromised, the stolen data cannot be used to recreate biometric information or generate convincing synthetic reproductions 14, 15.
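To make the tokenization idea concrete, the following Python example, added here and not Trust Stamp's IT2 algorithm or any vendor's code, implements a textbook cancelable-biometric transform: a per-user secret seed drives a random projection of the feature vector, and only the sign of each projection is kept, so many feature vectors collapse onto one token and the token alone cannot be expanded back into the features. Two captures of the same person differ in only a few bits and are compared by Hamming distance; a stranger differs in about half of them; and re-issuing the token under a new seed yields an unrelated bit string, which is what lets a leaked token be revoked. The feature vectors are constructed synthetic data standing in for a face or voice embedding, and the threshold is tuned to that data.

```python
"""Added example: a cancelable-biometric transform (seeded random projection
plus sign binarization). Generic illustration only, not any vendor's product."""
import hashlib
import random

TOKEN_BITS = 256


def projection_matrix(seed: bytes, dim_in: int, dim_out: int = TOKEN_BITS):
    """Gaussian projection derived deterministically from a per-user secret seed.
    A different seed gives a statistically independent projection."""
    rng = random.Random(int.from_bytes(hashlib.sha256(seed).digest(), "big"))
    return [[rng.gauss(0.0, 1.0) for _ in range(dim_in)] for _ in range(dim_out)]


def tokenize(features, seed: bytes):
    """Keep only the sign of each projection. Many feature vectors map to the same
    token, so the token by itself does not reveal the feature vector."""
    matrix = projection_matrix(seed, len(features))
    return [1 if sum(w * f for w, f in zip(row, features)) >= 0 else 0 for row in matrix]


def hamming_fraction(a, b) -> float:
    """Fraction of token bits that differ."""
    return sum(x != y for x, y in zip(a, b)) / len(a)


def matches(token_a, token_b, threshold: float = 0.25) -> bool:
    """Sign-of-projection hashing preserves angles: the expected differing fraction
    is angle/pi, so near-identical inputs differ in few bits and strangers in ~50%."""
    return hamming_fraction(token_a, token_b) <= threshold


def constructed_embedding(rng: random.Random, dim: int = 64):
    """Stands in for a face/voice embedding (constructed synthetic data)."""
    return [rng.gauss(0.0, 1.0) for _ in range(dim)]


def recapture(rng: random.Random, embedding, noise: float = 0.3):
    """Same person captured again: the enrolled embedding plus sensor/pose noise."""
    return [f + rng.gauss(0.0, noise) for f in embedding]


def demo():
    """Enroll one user, then test a re-capture, a stranger, and a revoked seed."""
    rng = random.Random(2025)
    alice, bob = constructed_embedding(rng), constructed_embedding(rng)
    seed_v1, seed_v2 = b"alice-token-secret-v1", b"alice-token-secret-v2"

    enrolled = tokenize(alice, seed_v1)
    alice_again = tokenize(recapture(rng, alice), seed_v1)
    stranger = tokenize(bob, seed_v1)
    reissued = tokenize(alice, seed_v2)  # same biometric, new seed after a leak

    return {
        "same_person_matches": matches(enrolled, alice_again),
        "stranger_rejected": not matches(enrolled, stranger),
        "stolen_token_revoked": not matches(enrolled, reissued),
        "same_person_distance": hamming_fraction(enrolled, alice_again),
        "stranger_distance": hamming_fraction(enrolled, stranger),
        "reissued_distance": hamming_fraction(enrolled, reissued),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two caveats a practitioner should carry from this. The irreversibility rests on keeping the seed separate from the token store: with both the token and the projection matrix, an attacker can recover a constrained approximation of the feature vector, so the seed belongs in a different trust domain (a user-held secret or an HSM-protected key). And the 25% threshold here is chosen for the constructed data; a production deployment sets it from measured false-accept and false-reject rates on the real embedding model.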

Behavioral and Continuous Authentication

The future of biometric security increasingly relies on behavioral analysis and continuous authentication rather than single-point verification. Systems are being developed that monitor keystroke dynamics, mouse movements, and other behavioral patterns to create unique user profiles that are extremely difficult to replicate through synthetic means 16, 17.

Zero-trust architectures that implement continuous authentication represent a significant advancement in combating deepfake threats 18, 19. These systems continuously verify user identity throughout a session, making it much more challenging for attackers to maintain unauthorized access even if they successfully bypass initial authentication.

Industry Response and Future Outlook

The biometric industry has recognized the severity of the deepfake threat and is investing heavily in countermeasures. Companies are developing specialized solutions for different attack vectors, including injection attack detection that protects against virtual cameras and software-based spoofing attempts 10. These systems can detect when fraudsters use emulators, cloning apps, or other software tools to inject synthetic content into authentication processes.

The integration of artificial intelligence into biometric systems is driving improvements in both accuracy and security. AI-driven algorithms are enhancing biometric processing speeds and fraud detection capabilities while continuously learning and adapting to new attack methods 20. Modern facial recognition systems now achieve accuracy levels exceeding 99.5% under optimal conditions while incorporating sophisticated anti-spoofing measures 20.

Recommendations for Organizations

Organizations implementing or upgrading biometric authentication systems should consider several key strategies:

Adopt Multimodal Approaches: Implement systems that combine multiple biometric factors rather than relying on single-modality authentication. This significantly increases the difficulty for attackers to create convincing synthetic reproductions across all required modalities 12.

Implement Advanced Liveness Detection: Deploy passive liveness detection systems that can identify synthetic content without requiring user interaction. These systems should be regularly updated to address new deepfake generation techniques 21.

Consider Tokenization Technologies: Evaluate privacy-preserving biometric solutions that use irreversible tokenization to eliminate the risk of biometric data theft and reduce the potential for synthetic identity creation 14, 15.

Plan for Continuous Authentication: Develop zero-trust architectures that continuously verify user identity throughout sessions rather than relying solely on initial authentication 18, 19.

Stay Current with Threat Intelligence: Maintain awareness of evolving deepfake technologies and attack methods to ensure defensive measures remain effective against emerging threats 4.

Investigate Photolok®: a passwordless IAM solution that uses photos, not passwords. Photolok can be used as a second factor behind a biometric to protect access and authentication. Its unique architecture protects against AI attacks as well as lateral movement. To learn more, go to www.netlok.com.

The rise of deepfakes and synthetic IDs represents a paradigm shift in cybersecurity threats, but the biometric industry is actively developing sophisticated countermeasures. Success in this evolving landscape will require organizations to adopt comprehensive, multi-layered approaches that combine advanced detection technologies, continuous authentication, and privacy-preserving architectures. While the challenges are significant, the continued advancement of defensive technologies provides hope for maintaining the security and integrity of biometric authentication systems in the face of increasingly sophisticated synthetic attacks.

  1. https://www.bairesdev.com/blog/ai-deepfakes-biometric-authentication/
  2. https://recordia.net/en/deepfakes-the-new-challenge-of-biometric-authentications/
  3. https://nquiringminds.com/cybernews/aigenerated-synthetic-identities-challenge-biometric-security/
  4. https://www.iproov.com/deepfake-protection-liveness
  5. https://insights.globalspec.com/article/19166/study-deepfakes-can-trick-some-facial-recognition-systems
  6. https://ieeexplore.ieee.org/document/10744460/
  7. https://www.techtarget.com/searchsecurity/tip/How-deepfakes-threaten-biometric-security-controls
  8. https://www.realitydefender.com/insights/traditional-biometrics-are-vulnerable-to-deepfakes
  9. https://www.sec.gov/Archives/edgar/data/807863/000080786324000142/mitk-20240930.htm
  10. https://www.idrnd.ai/idlive-face-plus-injection-attack-detection-deepfake-protection/
  11. https://internationalpubls.com/index.php/cana/article/view/4547
  12. https://www.jumio.com/biometrics-multimodal-approach/
  13. https://www.biometricupdate.com/202204/researchers-claim-biometric-deepfake-detection-method-improves-state-of-the-art
  14. https://www.sec.gov/Archives/edgar/data/1718939/000141057823001411/idai-20230331xs1.htm
  15. https://www.sec.gov/Archives/edgar/data/1718939/000141057825000078/idai-20250930x424b4.htm
  16. https://ieeexplore.ieee.org/document/10986481/
  17. https://ieeexplore.ieee.org/document/10937066/
  18. https://ijaem.net/issue_dcp/Zero%20Trust%20Architecture%20%20Beyond%20Perimeter%20Security%20Implementing%20Continuous%20Authentication%20and%20Least%20Privilege%20Access.pdf
  19. https://www.swidch.com/resources/blogs/why-should-continuous-authentication-be-at-the-heart-of-your-zero-trust-architecture
  20. https://www.identity.com/the-intersection-of-artificial-intelligence-ai-and-biometrics/
  21. https://veridas.com/en/liveness-detection/
  22. https://www.sec.gov/Archives/edgar/data/1534154/000121390023078358/ea185564-424b4_authidinc.htm
  23. https://www.sec.gov/Archives/edgar/data/1718939/000110465925007699/idai-20250930xs1a.htm
  24. https://www.sec.gov/Archives/edgar/data/1718939/000110465925006360/idai-20250930xs1.htm
  25. https://www.sec.gov/Archives/edgar/data/894158/000141057822002238/syn-20220630x10q.htm
  26. https://www.sec.gov/Archives/edgar/data/1824036/000119312522133568/d270117d20f.htm
  27. https://www.sec.gov/Archives/edgar/data/1718939/000171893924000043/idai-20231231.htm
  28. https://www.sec.gov/Archives/edgar/data/1718939/000141057823001949/idai-20230331x424b4.htm
  29. https://www.sec.gov/Archives/edgar/data/1718939/000141057823002078/idai-20230630x424b4.htm
  30. https://journal.ph-noe.ac.at/index.php/resource/article/view/1389
  31. https://fcc08321-8158-469b-b54d-f591e0bd3df4.filesusr.com/ugd/185b0a_8b00f6cfb36d43258341f6fc7bc35beb.pdf
  32. https://arxiv.org/abs/2410.07888
  33. https://www.nature.com/articles/s41598-023-28162-6
  34. https://www.tandfonline.com/doi/full/10.1080/19393555.2024.2347240
  35. https://ieeexplore.ieee.org/document/9499970/
  36. https://www.isaca.org/resources/white-papers/2024/examining-authentication-in-the-deepfake-era
  37. https://www.fime.com/ko_KP/blog/beulrogeu-15/post/q-a-improving-biometric-systems-using-ai-based-spoofing-396
  38. https://idtechwire.com/researchers-detail-synthetic-face-generation-via-arcface-embedding/
  39. https://www.sec.gov/Archives/edgar/data/1477960/000147793225002922/cbbb_10k.htm
  40. https://www.sec.gov/Archives/edgar/data/1477960/000147793225000414/cbbb_424b4.htm
  41. https://www.sec.gov/Archives/edgar/data/1477960/000147793225000304/cbbb_s1a.htm
  42. https://www.sec.gov/Archives/edgar/data/1477960/000147793225000119/cbbb_s1.htm
  43. https://www.sec.gov/Archives/edgar/data/6951/000000695125000024/amat-20250427.htm
  44. https://www.sec.gov/Archives/edgar/data/866273/000086627324000092/mtrx-20240630.htm
  45. https://ieeexplore.ieee.org/document/10440513/
  46. https://vfast.org/journals/index.php/VTSE/article/view/1842
  47. https://www.semanticscholar.org/paper/fe2c53467f61889a0b499cc9ed274f91d19545b9
  48. http://jurnal.polinema.ac.id/index.php/jip/article/view/3977
  49. https://irojournals.com/iroiip/article/view/5/2/8
  50. https://ieeexplore.ieee.org/document/10850831/
  51. https://arxiv.org/abs/2404.15854
  52. https://www.semanticscholar.org/paper/7b9475866b8f88898bfe2dde4912d99527d21087
  53. https://ieeexplore.ieee.org/document/9953623/
  54. https://www.jumio.com/deepfake-detection-guide/
  55. https://arxiv.org/pdf/2202.10673.pdf
  56. https://www.idrnd.ai/anti-spoofing-for-authentication/
  57. https://pubmed.ncbi.nlm.nih.gov/40218678/
  58. https://www.sec.gov/Archives/edgar/data/1015739/000095017025038714/awre-20241231.htm
  59. https://www.sec.gov/Archives/edgar/data/1019034/000143774924019357/bkyi20231231_10k.htm
  60. https://ieeexplore.ieee.org/document/10571244/
  61. https://ieeexplore.ieee.org/document/10437443/
  62. https://ieeexplore.ieee.org/document/9861234/
  63. https://ieeexplore.ieee.org/document/10000958/
  64. https://ieeexplore.ieee.org/document/10870196/
  65. https://www.hindawi.com/journals/wcmc/2022/6367579/
  66. https://ieeexplore.ieee.org/document/9860313/
  67. https://www.entrust.com/blog/2023/09/user-authentication-zero-trust
  68. https://www.beyondidentity.com/resource/zero-trust-and-continuous-authentication-a-partnership-for-network-security
  69. https://www.servicenow.com/community/platform-privacy-security-blog/announcing-zero-trust-continuous-authentication/ba-p/3210909
  70. https://www.portnox.com/blog/zero-trust/continuous-authentication-a-game-changer-for-zero-trust/
  71. https://faceonlive.com/biometric-authentication-trends-and-predictions-for-2025/
  72. http://www.enggjournals.com/ijcse/doc/IJCSE17-09-08-001.pdf
  73. https://www.atera.com/blog/best-biometric-security-device/
  74. https://journal.esrgroups.org/jes/article/download/6643/4609/12253
  75. https://link.springer.com/10.1007/s12198-024-00272-w
  76. https://www.iproov.com/blog/deepfakes-threaten-remote-identity-verification-systems
  77. https://sumsub.com/liveness/
  78. https://link.springer.com/10.1007/978-3-031-37120-2_22
  79. https://www.crowdstrike.com/en-us/cybersecurity-101/zero-trust-security/

A.R. Perez, Netlok, June 2025

Bad actors favor methods that widen the breadth of their attacks as fast as possible. As a result, password theft has emerged as the preferred attack vector for cybercriminals, enabling them to compromise systems with unprecedented speed and scale. Unlike traditional hacking methods that require exploiting technical vulnerabilities, credential theft provides attackers with legitimate access that appears normal to security systems, creating a path of least resistance for rapid and extensive exploitation 1, 2. This analysis examines how stolen passwords accelerate and expand attack capabilities across multiple dimensions.

Accelerated Initial Compromise and Lateral Movement

Rapid Breakout Times

The speed at which attackers can move from initial access to broader network exploitation has dramatically increased due to credential theft. Recent research shows that the average “breakout time” – the period between initial compromise and lateral movement – has decreased to just 62 minutes in 2024, down from 84 minutes the previous year 3. In extreme cases, attackers achieved lateral movement in as little as 2 minutes and 7 seconds, with initial discovery tools being deployed within 31 seconds of gaining access 3.

Bypassing Technical Barriers

Password theft eliminates the need for complex technical exploits, allowing attackers to simply “log in” rather than “hack in” 2. This approach bypasses many traditional security controls, as the activity appears legitimate to monitoring systems 2, 4. When attackers use valid credentials, they can blend with normal traffic patterns, making detection extremely difficult and enabling faster movement throughout the network 4, 5.

Streamlined Lateral Movement

Stolen credentials enable several efficient lateral movement techniques:

  1. Pass-the-Hash Attacks: Attackers steal password hashes and use them to authenticate to other systems without knowing the actual password, accelerating movement across the network 4, 6.
  2. Pass-the-Ticket Attacks: Threat actors steal Kerberos tickets to authenticate to multiple systems, enabling rapid expansion of access without triggering security alerts 4, 7.
  3. Credential Stuffing Automation: Automated tools test stolen credentials across multiple systems simultaneously, allowing attackers to quickly identify valid access points throughout the organization 8, 9.

These techniques enable attackers to move laterally through networks within minutes rather than hours or days, dramatically reducing the time from initial breach to full compromise 1, 2.

Automated Exploitation at Scale

Mass Credential Testing

Password theft enables attackers to automate exploitation at unprecedented scale through credential stuffing attacks. Using specialized tools, cybercriminals can test thousands or millions of stolen username/password combinations across multiple services simultaneously 8, 10. This automation allows a single attacker to target vast numbers of accounts across different organizations with minimal effort 8, 5.

Rapid Exploitation of Stolen Credentials

Research shows that stolen credentials are exploited with alarming speed. According to security researchers, approximately 20% of compromised accounts are accessed within one hour of credentials being exposed, 40% within six hours, and about half within 12 hours 11. This rapid exploitation timeline means organizations have very little time to respond once credentials are compromised 11.

Distributed Attack Infrastructure

Modern credential theft operations leverage sophisticated infrastructure to maximize speed and scale:

  1. Proxy Networks: Attackers use rotating IP addresses and residential proxies to distribute authentication attempts across thousands of source addresses 8, 9.
  2. Specialized Automation Tools: Purpose-built software like Sentry MBA, Snipr, and custom scripts enable high-volume credential testing while evading detection mechanisms 8, 10.
  3. Browser Automation: Integration with frameworks like Puppeteer and Playwright allows attackers to simulate human behavior post-login, making detection even more difficult 8.

This infrastructure enables attackers to compromise thousands of accounts across multiple organizations in a matter of hours, far faster than would be possible with traditional exploitation methods 8, 5.
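Per-IP throttling is exactly the control that the proxy rotation described above defeats. The following is an added example, not code from the article, of profiling each login window on the endpoint as a whole (failure rate, distinct source addresses, distinct usernames, attempts per address) so that a burst spread over thousands of fresh addresses still stands out; the log layout, thresholds and sample events are constructed assumptions.

```python
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Event:
    ts: datetime
    ip: str
    user: str
    ok: bool


@dataclass
class WindowStats:
    start: datetime
    attempts: int
    failures: int
    distinct_ips: int
    distinct_users: int

    @property
    def fail_rate(self) -> float:
        return self.failures / self.attempts

    @property
    def attempts_per_ip(self) -> float:
        return self.attempts / self.distinct_ips

    @property
    def user_spread(self) -> float:
        return self.distinct_users / self.attempts


def parse_line(line: str) -> Event:
    """Assumed layout: '<ISO-8601 UTC> <source-ip> <username> <OK|FAIL>'."""
    ts, ip, user, result = line.split()
    return Event(datetime.fromisoformat(ts.replace("Z", "+00:00")), ip, user, result == "OK")


def window_stats(events, window: timedelta = timedelta(minutes=5)) -> list[WindowStats]:
    """Aggregate every event on the login endpoint into fixed windows (not per IP)."""
    size = window.total_seconds()
    buckets: dict[datetime, list[Event]] = defaultdict(list)
    for e in events:
        start = e.ts - timedelta(seconds=e.ts.timestamp() % size)
        buckets[start].append(e)
    return [
        WindowStats(start, len(evs), sum(1 for e in evs if not e.ok),
                    len({e.ip for e in evs}), len({e.user for e in evs}))
        for start, evs in sorted(buckets.items())
    ]


def is_stuffing(w: WindowStats, min_attempts: int = 20, min_fail_rate: float = 0.7,
                max_attempts_per_ip: float = 1.5, min_user_spread: float = 0.8) -> bool:
    """Heuristic (thresholds are assumptions; tune against your own baseline):
    a burst in which nearly every attempt fails, arrives from a previously unseen
    address and targets a different account is a leaked credential list being
    replayed through rotating proxies, not users mistyping their passwords."""
    if w.attempts < min_attempts:
        return False
    return (w.fail_rate >= min_fail_rate
            and w.attempts_per_ip <= max_attempts_per_ip
            and w.user_spread >= min_user_spread)


def constructed_sample_log() -> list[str]:
    """Constructed sample data, not a real log. Window 1: routine traffic from
    three office addresses with a few mistyped passwords. Window 2: a burst in
    which 40 rotating proxy addresses each try one leaked username once."""
    def fmt(t: datetime) -> str:
        return t.isoformat().replace("+00:00", "Z")

    base = datetime(2025, 6, 24, 10, 0, tzinfo=timezone.utc)
    users = ["alice", "bob", "carol", "dave", "erin", "frank"]
    lines = []
    for i in range(24):
        result = "FAIL" if i % 8 == 0 else "OK"
        lines.append(f"{fmt(base + timedelta(seconds=10 * i))} 203.0.113.{5 + i % 3} {users[i % 6]} {result}")
    burst = base + timedelta(minutes=10)
    for i in range(40):
        result = "OK" if i == 17 else "FAIL"   # one hit in forty: the password-reuse payoff
        lines.append(f"{fmt(burst + timedelta(seconds=2 * i))} 198.51.100.{i + 1} leaked{i:03d} {result}")
    return lines


def flagged_windows(lines: list[str]) -> list[WindowStats]:
    return [w for w in window_stats(map(parse_line, lines)) if is_stuffing(w)]


if __name__ == "__main__":
    for w in window_stats(map(parse_line, constructed_sample_log())):
        verdict = "CREDENTIAL STUFFING" if is_stuffing(w) else "normal"
        print(f"{w.start:%H:%M} attempts={w.attempts} fail_rate={w.fail_rate:.2f} "
              f"ips={w.distinct_ips} users={w.distinct_users} -> {verdict}")
```

The benign window fails the test on every axis (12% failures, eight attempts per address, six users), while the burst trips all three together; alerting on the combination rather than any single threshold is what keeps the false-positive rate tolerable.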

Multi-System Compromise Through Password Reuse

Exploiting Password Reuse Patterns

Password theft is particularly effective because of widespread password reuse. Recent studies of over 16 billion exposed passwords reveal that 94% are reused or duplicated across multiple accounts, with only 6% being unique 12. This behavior creates a multiplier effect where a single stolen password can provide access to numerous systems 13, 12.

Predictable Password Modifications

Even when users attempt to create variations of their passwords across different services, they typically follow predictable modification patterns that attackers can easily anticipate 9. Research shows that among users who modify their passwords, there is only a small set of common rules applied, making these variations highly predictable to attackers 9.

Cross-Domain Exploitation

Password reuse enables attackers to rapidly expand their reach across different security domains:

  1. Personal to Professional: Credentials stolen from personal accounts can provide access to work systems when employees reuse passwords 13, 10.
  2. Service to Service: Passwords reused across multiple cloud services enable rapid compromise of an organization’s entire cloud ecosystem 8, 10.
  3. Organization to Organization: Credentials stolen from one company can provide access to partner organizations, enabling supply chain attacks 14.

This cross-domain exploitation dramatically increases the speed and breadth of attacks, allowing cybercriminals to quickly pivot from a single compromised account to dozens or hundreds of systems across multiple organizations 13, 10.

Bypassing Multi-Factor Authentication

Session Token Theft

Modern credential theft has evolved beyond simple password stealing to include techniques that bypass multi-factor authentication (MFA). Attackers now target session tokens and cookies, which allow them to hijack active authenticated sessions without needing to re-authenticate or trigger MFA challenges 15, 16.

Pass-the-Cookie Attacks

In these attacks, cybercriminals steal browser cookies that store authentication information and use them to impersonate legitimate users in separate browser sessions 15. This technique is particularly effective because it completely circumvents MFA, allowing attackers to access protected systems without triggering additional authentication steps 15, 17.
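A server-side counterpart to the pass-the-cookie problem, added here as an example rather than taken from the article: bind each session to a coarse fingerprint of the client that completed MFA, and revoke the session (forcing a fresh login with MFA) the moment the same cookie arrives from a different client context or ages out. The fingerprint fields, lifetimes and cookie name are assumptions.

```python
from __future__ import annotations

import hashlib
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

ABSOLUTE_LIFETIME = 12 * 3600   # seconds; a stolen cookie is worthless after this
IDLE_TIMEOUT = 30 * 60          # seconds without activity before re-login


@dataclass(frozen=True)
class ClientContext:
    user_agent: str
    source_ip: str

    def fingerprint(self) -> str:
        """Coarse client binding: user agent plus the /24 of the source address,
        so a user roaming inside one network is not prompted, while a cookie
        replayed from a machine elsewhere is. A genuine network change forces a
        step-up; that is the accepted trade-off. A hurdle, not a guarantee."""
        prefix = ".".join(self.source_ip.split(".")[:3])
        return hashlib.sha256(f"{self.user_agent}|{prefix}".encode()).hexdigest()


@dataclass
class Session:
    user: str
    fingerprint: str
    created: float
    last_seen: float


@dataclass(frozen=True)
class Decision:
    status: str            # "ok" | "invalid" | "expired" | "step_up"
    user: Optional[str] = None
    reason: str = ""


class SessionStore:
    def __init__(self) -> None:
        # Keyed by a digest of the cookie value, so a dump of the store does not
        # hand out replayable cookies.
        self._sessions: Dict[str, Session] = {}

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def create(self, user: str, ctx: ClientContext, now: float) -> str:
        """Call only after password *and* MFA succeeded; returns the cookie value."""
        token = secrets.token_urlsafe(32)
        self._sessions[self._key(token)] = Session(user, ctx.fingerprint(), now, now)
        return token

    def validate(self, token: str, ctx: ClientContext, now: float) -> Decision:
        key = self._key(token)
        s = self._sessions.get(key)
        if s is None:
            return Decision("invalid", reason="unknown or revoked session")
        if now - s.created > ABSOLUTE_LIFETIME or now - s.last_seen > IDLE_TIMEOUT:
            del self._sessions[key]
            return Decision("expired", s.user, "lifetime or idle timeout reached")
        if ctx.fingerprint() != s.fingerprint:
            # Same cookie, different client: the pass-the-cookie signature. Revoke
            # so neither the thief nor the victim can ride it; the caller should
            # log this event and require a fresh login that re-runs MFA.
            del self._sessions[key]
            return Decision("step_up", s.user, "session presented from a new client context")
        s.last_seen = now
        return Decision("ok", s.user)


def set_cookie_header(token: str) -> str:
    """Attributes that keep the cookie off cleartext channels and away from page
    scripts. HttpOnly blunts theft via XSS but not an infostealer reading the
    browser profile from disk, which is why the binding above is still needed."""
    return f"Set-Cookie: sid={token}; Secure; HttpOnly; SameSite=Strict; Path=/"
```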

MFA Fatigue and Prompt Bombing

When direct MFA bypass isn’t possible, attackers use techniques like MFA fatigue, where they repeatedly trigger authentication prompts until frustrated users approve the request just to stop the notifications 17, 18. This social engineering approach accelerates compromise by exploiting human behavior rather than technical vulnerabilities 17, 19.
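Prompt bombing leaves a recognisable trail in authenticator telemetry: a run of denied or unanswered pushes for one user, often ending in a single approval. The following added example (not the article's code) applies a per-user sliding window to such events, locks plain approve/deny pushes after a few refusals and flags the approval that arrives after them; event fields and thresholds are assumptions.

```python
from __future__ import annotations

from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Tuple


@dataclass(frozen=True)
class PushEvent:
    ts: float        # epoch seconds
    user: str
    outcome: str     # "approved" | "denied" | "timeout"


class PushGuard:
    """Per-user sliding window over authenticator push prompts.

    Policy (thresholds are assumptions):
      * after max_unapproved denied/unanswered prompts within `window` seconds,
        stop sending plain approve/deny pushes for that user (switch to number
        matching or a hardware factor) and raise an alert;
      * an approval that lands after two or more refusals in the same window is
        the fatigue signature itself and is flagged for review even though the
        user technically said yes.
    """

    def __init__(self, window: float = 600, max_unapproved: int = 3) -> None:
        self.window = window
        self.max_unapproved = max_unapproved
        self._history: Dict[str, Deque[PushEvent]] = defaultdict(deque)
        self.alerts: List[str] = []

    def _prune(self, user: str, now: float) -> None:
        h = self._history[user]
        while h and now - h[0].ts > self.window:
            h.popleft()

    def record(self, ev: PushEvent) -> str:
        """Verdict for this prompt: 'allow', 'lock' or 'suspicious_approval'."""
        self._prune(ev.user, ev.ts)
        h = self._history[ev.user]
        refusals = sum(1 for e in h if e.outcome != "approved")
        h.append(ev)
        if ev.outcome == "approved":
            if refusals >= 2:
                self.alerts.append(f"{ev.user}: approval after {refusals} refusals at t={ev.ts:.0f}")
                return "suspicious_approval"
            return "allow"
        if refusals + 1 >= self.max_unapproved:
            self.alerts.append(f"{ev.user}: {refusals + 1} unapproved prompts in {self.window:.0f}s")
            return "lock"
        return "allow"


def constructed_events() -> List[PushEvent]:
    """Constructed sample, not real telemetry: bob signs in twice an hour apart;
    alice receives four prompts in under two minutes and finally taps approve."""
    return [
        PushEvent(0, "bob", "approved"),
        PushEvent(0, "alice", "denied"),
        PushEvent(20, "alice", "timeout"),
        PushEvent(45, "alice", "denied"),
        PushEvent(70, "alice", "denied"),
        PushEvent(90, "alice", "approved"),
        PushEvent(3600, "bob", "approved"),
    ]


def run(events: List[PushEvent]) -> Tuple[List[str], List[str]]:
    """Feed events through a fresh guard; returns (per-event verdicts, alerts)."""
    guard = PushGuard()
    verdicts = [guard.record(e) for e in events]
    return verdicts, guard.alerts


if __name__ == "__main__":
    for ev, verdict in zip(constructed_events(), run(constructed_events())[0]):
        print(f"t={ev.ts:>5.0f} {ev.user:<6} {ev.outcome:<9} -> {verdict}")
```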

These MFA bypass techniques significantly accelerate attacks by eliminating what would otherwise be a major barrier to rapid exploitation, allowing attackers to move through protected systems at nearly the same speed as unprotected ones 17, 18.

Privilege Escalation and Administrative Access

Targeting Privileged Accounts

Password theft enables attackers to specifically target high-value accounts with administrative privileges. By compromising these accounts, attackers can rapidly gain control over entire systems or domains rather than having to gradually escalate privileges through technical exploits 20, 21.

Service Account Exploitation

Service accounts are particularly valuable targets because they often have extensive privileges across numerous systems but may not be subject to the same security controls as user accounts 20. By compromising these accounts, attackers can impersonate critical system functions and quickly gain broad access across the organization 20, 21.

Accelerated Administrative Control

The compromise of privileged credentials dramatically accelerates attacks by providing immediate high-level access. Instead of spending days or weeks gradually escalating privileges through technical vulnerabilities, attackers can gain administrative control within minutes by simply authenticating with stolen administrator credentials 20, 21.

This rapid privilege escalation enables attackers to quickly take control of critical systems, deploy malware across the organization, and establish persistent access before defenders can respond 20, 4.

Enabling Advanced Attack Techniques

Business Email Compromise

Password theft enables sophisticated Business Email Compromise (BEC) attacks, where attackers use compromised email accounts to impersonate executives or trusted partners 22. These attacks are particularly effective because they leverage the trust associated with legitimate email accounts, allowing attackers to quickly convince victims to transfer funds or sensitive information 22.

Supply Chain Attacks

Stolen credentials enable attackers to compromise software supply chains, as demonstrated by recent trojanized supply chain attacks that used GitHub and NPM repositories to distribute malicious code 14. By using legitimate credentials to access development environments, attackers can insert backdoors into software that is then distributed to thousands or millions of downstream users 14.

Ransomware Deployment

Password theft has become a critical enabler for ransomware attacks. With valid credentials, attackers can quickly move through networks, disable security controls, and deploy ransomware across multiple systems simultaneously 23. This accelerated deployment significantly reduces the time between initial compromise and complete encryption of an organization’s data 23.

These advanced techniques demonstrate how password theft enables attackers to not only move faster within individual systems but also to rapidly expand the scope and impact of their attacks across entire supply chains and business ecosystems 14, 22.

The Credential Theft Ecosystem

Specialized Attack Infrastructure

The credential theft ecosystem has evolved into a sophisticated supply chain with specialized roles that increase both speed and scale:

  1. Malware developers create credential-stealing tools like information stealers 9, 23.
  2. Distributors deploy the malware through phishing and other methods 9.
  3. Data aggregators collect and organize the stolen credentials 9.
  4. Initial access brokers sell verified credentials to other attackers 9, 23.

This specialization has increased the efficiency and effectiveness of credential theft operations, allowing cybercriminals to focus on their specific expertise while participating in the broader ecosystem 9, 23.

Infostealer Malware Proliferation

The dramatic rise of infostealer malware specifically targeting credentials has created a self-reinforcing cycle of compromise. Research indicates a 266% year-on-year increase in the deployment of information-stealing malware designed to extract passwords from browsers, password managers, and system files 23, 9.

Dark Web Marketplaces

The dark web marketplace for stolen credentials has reached unprecedented scale, with over 16 billion usernames and passwords from data breaches currently available 12, 10. This abundant supply enables attackers to quickly obtain valid credentials for almost any target organization, eliminating the need for time-consuming reconnaissance and vulnerability discovery 12, 10.

This ecosystem dramatically accelerates attacks by providing immediate access to valid credentials, allowing attackers to skip the most time-consuming phases of traditional attacks and move directly to exploitation 9, 10.

Conclusion: The Speed and Scale Advantage

Password theft has fundamentally changed the cybersecurity landscape by enabling attacks that are both faster and broader than traditional exploitation methods. By leveraging legitimate credentials, attackers can bypass security controls, move laterally through networks, and compromise multiple systems at unprecedented speed and scale 12.

The combination of automated tools, widespread password reuse, and sophisticated bypass techniques has created an environment where a single compromised password can lead to enterprise-wide compromise in a matter of hours rather than days or weeks 3, 11. This acceleration presents significant challenges for defenders, as the window for detection and response continues to shrink 32.

Organizations must recognize that traditional security models focused on perimeter defense are insufficient against credential-based attacks. Instead, a more comprehensive approach is needed that addresses both the technical and human aspects of security, including stronger authentication mechanisms, improved monitoring of user behavior, and enhanced security awareness training 5, 22.

As attackers continue to refine their credential theft techniques, the gap between the effort required to compromise systems through password theft versus technical exploits will likely widen further, making credential protection an increasingly critical component of effective cybersecurity strategies 5, 9.

One solution that prevents password exploitation is Netlok’s Photolok® because it replaces passwords with photos and uses randomization to protect against AI/ML attacks. For users, it is simple to use, ultra-secure, and cost-effective when compared to passwords.

  1. https://zeronetworks.com/blog/how-to-prevent-lateral-movement-cybersecurity-risks-strategies
  2. https://www.crowdstrike.com/en-us/cybersecurity-101/cyberattacks/lateral-movement/
  3. https://www.helpnetsecurity.com/2024/02/22/stolen-credentials-exploit/
  4. https://www.sentinelone.com/cybersecurity-101/threat-intelligence/lateral-movement/
  5. https://www.fortinet.com/resources/articles/credential-compromise-attacks
  6. https://www.cybersecuritytribe.com/insider-threat
  7. https://learn.microsoft.com/en-us/defender-for-identity/understand-lateral-movement-paths
  8. https://www.paloaltonetworks.com/cyberpedia/credential-stuffing
  9. https://www.exabeam.com/explainers/insider-threats/how-credential-attacks-work-and-5-defensive-measures/
  10. https://datadome.co/guides/credential/compromised-attacks/
  11. https://www.uzado.com/blog/how-fast-can-a-leaked-password-be-exploited-by-hackers/
  12. https://cybernews.com/security/password-leak-study-unveils-2025-trends-reused-and-lazy/
  13. https://tdx.maine.edu/TDClient/2624/Portal/KB/ArticleDet?ID=173096
  14. https://areteir.com/article/trojanized-supply-chain-attack/
  15. https://blog.netwrix.com/2022/11/29/bypassing-mfa-with-pass-the-cookie-attack/
  16. https://www.descope.com/learn/post/session-hijacking
  17. https://www.menlosecurity.com/blog/the-art-of-mfa-bypass-how-attackers-regularly-beat-two-factor-authentication
  18. https://www.tarlogic.com/blog/bypass-multi-factor-authentication-mfa/
  19. https://abnormal.ai/glossary/mfa-bypass
  20. https://www.ibm.com/think/topics/privilege-escalation
  21. https://www.rapid7.com/fundamentals/lateral-movement/
  22. https://spycloud.com/solutions/business-email-compromise/
  23. https://www.picussecurity.com/resource/blog/understanding-katz-stealer-malware-and-its-credential-theft-capabilities
  24. https://blog.lastpass.com/posts/lateral-movement
  25. https://www.infosecinstitute.com/resources/hacking/popular-tools-for-brute-force-attacks/
  26. https://spectralops.io/blog/top-10-security-automation-tools/
  27. https://www.paloaltonetworks.com/blog/security-operations/automating-response-to-credential-dumping-attacks/
  28. https://www.religroupinc.com/news-insights/password-automation-enhancing-security-in-government-contracting/
  29. https://www.blinkops.com/blog/security-automation-tools
  30. https://www.softwaresecured.com/post/top-10-credential-based-attacks
  31. https://www.cisa.gov/MFA
  32. https://www.fortinet.com/resources/cyberglossary/insider-threats
  33. https://www.avatier.com/blog/the-role-of-password-management-in-preventing-insider-threats-in-gaming/
  34. https://www.crowdstrike.com/en-us/cybersecurity-101/cyberattacks/credential-theft/
  35. https://www.proofpoint.com/us/threat-reference/insider-threat
  36. https://www.okta.com/identity-101/data-exfiltration/
  37. https://www.beyondtrust.com/resources/webinars/stopping-lateral-movement-why-privileged-password-management-should-be-the-center-of-your-it-security-strategy
  38. https://www.puppet.com/blog/security-automation-tools
  39. https://www.beyondidentity.com/resource/cybersecurity-mythbusters-does-mfa-stop-credential-theft
  40. https://www.exabeam.com/explainers/insider-threats/insider-threats/

A.R. Perez, Netlok, June 24, 2025

Like most people and organizations, cybercriminals value their time and cost of doing business. As a result, they have increasingly shifted their tactics from complex technical exploits to credential theft to increase their ROI. This preference for “logging in” rather than “hacking in” represents a fundamental change in attack methodology that has profound implications for organizations and individuals alike 1, 2. The reasons behind this strategic shift are multifaceted, combining economic incentives, technical advantages, and human vulnerabilities.

The Path of Least Resistance

Cybercriminals, like most rational actors, seek the most efficient route to their objectives 3. Password theft has emerged as the definitive path of least resistance in the cybercrime ecosystem for several compelling reasons:

Lower Technical Barriers

Traditional hacking methods often require specialized technical knowledge, including understanding of software vulnerabilities, network protocols, and custom exploit development 4. In contrast, credential theft can be executed with minimal technical expertise using widely available tools 5. This accessibility has democratized cybercrime, allowing a broader range of threat actors to participate regardless of their technical background 6.

The commoditization of the underground economy has created multiple paths of lower resistance, with suppliers providing different services for various aspects of fraud operations 6. These services significantly lower the cost of attacks and reduce the barrier to entry for aspiring cybercriminals 6, 7.

Higher Success Rates

IBM’s X-Force threat intelligence team reported a staggering 71% increase in attacks relying on valid login credentials in 2023 compared to the previous year 1, 8. This dramatic shift reflects the effectiveness of credential-based approaches compared to technical exploits 5. Charles Henderson, global head of IBM’s X-Force team, described this as “an aha moment on the part of threat actors in shifting to something that works” 5.

The success of credential theft is further amplified by human behavior patterns, particularly password reuse across multiple services 9. Research shows that 52% of users reuse or modify their passwords across different online services, creating a cascading vulnerability effect where a single breach can compromise multiple accounts 10.

Economic Advantages

Cost-Effectiveness

From a purely economic perspective, password theft offers cybercriminals an exceptional return on investment compared to technical hacking methods 5:

  1. Lower operational costs: Credential theft requires minimal resources and can be executed using free or low-cost tools 5.
  2. Reduced development expenses: Zero-day exploits have become increasingly expensive, with prices for iOS zero-days reaching $5-7 million and Android zero-days costing up to $5 million 11. This price inflation reflects the growing difficulty of finding and exploiting technical vulnerabilities as companies improve their security postures 11.
  3. Scalability through automation: Password theft operations can be easily automated and scaled, allowing attackers to target thousands or even millions of accounts simultaneously 12. Credential stuffing attacks, which automatically try stolen username/password combinations across multiple services, have a success rate of 0.2-2.0%—seemingly low but highly profitable at scale 12.

Abundant Supply of Credentials

The dark web marketplace for stolen credentials has reached unprecedented scale, creating a self-sustaining ecosystem that fuels further attacks 13. Over 15 billion usernames and passwords from 100,000 data breaches are currently available on underground marketplaces 13. This number represents a 300% increase since 2018, equivalent to more than two compromised accounts for every person on Earth 13.

More recently, cybersecurity researchers confirmed that nearly 16 billion passwords were leaked and exposed in data breaches between 2024 and 2025, providing attackers with an enormous arsenal for conducting further attacks 9, 7.

Stealth and Detection Evasion

Blending with Legitimate Traffic

One of the most significant advantages of credential-based attacks is their ability to evade detection by security systems 5. When attackers use valid credentials, they can blend in with normal traffic patterns, making it extremely difficult for security tools to distinguish malicious activity from legitimate user behavior 25.

Traditional security measures such as firewalls and intrusion detection systems are designed to identify anomalous network activity or malicious code execution 2. However, when an attacker simply logs in with valid credentials, these systems often fail to detect the intrusion because the activity appears legitimate from a technical perspective 28.

Extended Dwell Time

The stealthy nature of credential-based attacks allows cybercriminals to maintain a persistent presence within compromised systems 5. According to IBM’s Cost of a Data Breach Report, breaches involving compromised credentials take significantly longer to detect and contain, averaging 292 days—the longest of any attack vector studied 14.

This extended dwell time provides attackers with ample opportunity to move laterally within networks, escalate privileges, and exfiltrate sensitive data without triggering security alerts 25. By the time the breach is discovered, the damage has often already been done 14.

Human Vulnerability Exploitation

Predictable Password Behaviors

Cybercriminals exploit fundamental human tendencies in password creation and management 9. Despite decades of cybersecurity education, password practices remain fundamentally flawed 9. Analysis of exposed passwords revealed that 94% were reused or duplicated across multiple accounts, with only 6% being unique 9.

The most commonly used passwords continue to be predictably weak, with “123456,” “admin,” “12345678,” “password,” and “Password” topping the list 9. Additionally, 42% of users rely on passwords with only 8-10 characters, with eight characters being the most popular length 9. These predictable patterns make password guessing attacks highly effective 9, 15.

Password Modification Patterns

Even when users attempt to create variations of their passwords across different services, they typically follow predictable modification patterns that can be easily anticipated by attackers 10. Research shows that among a large user population, there is only a small set of rules that users often apply to modify their passwords 10. This “low variance” makes modified passwords highly predictable, with algorithms able to guess 30% of modified passwords within just 10 attempts 10.
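The defensive use of this observation, and of the matching "Predictable Password Modifications" section in the earlier article above, is a password-change filter that refuses a new password that is merely a decorated or mangled copy of an old one. The following is an added example, not the article's code: the substitution table, the edge-stripping rule and the edit-distance limit are assumptions modelled on the patterns the text describes.

```python
from __future__ import annotations

import re
from typing import Iterable, Optional

# Common substitutions users make when "changing" a password (assumed list).
_LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                       "7": "t", "@": "a", "$": "s", "!": "i"})


def core(password: str) -> str:
    """Reduce a password to the part people actually keep: lower-case it, strip
    the digits/years/punctuation bolted onto either end, then undo leet
    substitutions in what remains (Summer2024! -> summer, P@ssw0rd1 -> password)."""
    s = password.lower()
    s = re.sub(r"^[^a-z]+|[^a-z]+$", "", s)
    return s.translate(_LEET)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, O(len(a) * len(b)) with two rows."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def predictable_variant(old: str, new: str, max_edits: int = 2) -> Optional[str]:
    """Return why `new` is a predictable derivative of `old`, or None if it is not."""
    if new == old:
        return "identical"
    a, b = core(old), core(new)
    if not a or not b:
        # Nothing but digits/symbols: leave these to the breached-list check.
        return None
    if a == b:
        return "same core after removing case, leet and edge digits/symbols"
    if a == b[::-1]:
        return "reversed"
    if min(len(a), len(b)) >= 4 and (a in b or b in a):
        return "one is a substring of the other"
    if edit_distance(a, b) <= max_edits:
        return f"within {max_edits} edits of the previous core"
    return None


def check_change(new: str, history: Iterable[str]) -> Optional[str]:
    """Reject a new password that is a predictable variant of any prior one.
    Returns a rejection reason, or None when the change is acceptable."""
    for n, old in enumerate(history, 1):
        reason = predictable_variant(old, new)
        if reason:
            return f"too similar to password #{n} in history: {reason}"
    return None


if __name__ == "__main__":
    for old, new in [("Summer2024!", "Summer2025!"), ("Winter!23", "32!retniW"),
                     ("Monkey#1", "Donkey#1"), ("Correct-Horse", "battery staple")]:
        print(f"{old!r} -> {new!r}: {predictable_variant(old, new) or 'accepted'}")
```

In production the history should hold the salted hashes of prior passwords, not the cleartext; the comparison then runs only at change time, when the user has just supplied the old password.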

The Cybercriminal Ecosystem

Specialized Roles and Services

The credential theft ecosystem has evolved into a sophisticated supply chain with specialized roles 16:

  1. Malware developers who create credential-stealing tools
  2. Distributors who deploy the malware through phishing and other methods
  3. Data aggregators who collect and organize the stolen credentials
  4. Initial access brokers who sell verified credentials to other attackers

This specialization has increased the efficiency and effectiveness of credential theft operations, allowing cybercriminals to focus on their specific expertise while participating in the broader ecosystem 16.

Infostealer Malware Proliferation

A significant development in recent years is the dramatic rise of infostealer malware specifically targeting credentials 1. The X-Force team observed a 266% year-on-year uptick in the deployment of infostealing malware 8. These specialized tools extract passwords from browsers, password managers, and system files, then transmit them to command-and-control servers operated by cybercriminals 16, 8.

The proliferation of infostealers has created a self-reinforcing cycle where compromised credentials fuel further attacks 1. More than 23 million devices have been affected by infostealers, creating vast repositories of stolen login data that criminals can exploit 1.

Conclusion: The Shifting Cybersecurity Paradigm

The preference for password theft over direct hacking methods represents a fundamental shift in the cybersecurity landscape 2. As Charles Henderson of IBM noted, “What this establishes is that the criminals have figured out that valid credentials are the path of least resistance, and the easiest way in” 5.

This shift requires a corresponding evolution in defensive strategies 2. Organizations must recognize that traditional perimeter-based security models are insufficient against credential-based attacks 2. Instead, a more comprehensive approach is needed that addresses both the technical and human aspects of security, including stronger authentication mechanisms, improved monitoring of user behavior, and enhanced security awareness training 25.

One viable passwordless solution is Netlok’s Photolok® MFA login because it replaces passwords with photos and uses randomization to protect against AI/ML attacks. For users, it is simple to use, ultra-secure, and cost-effective when compared to passwords.

As attackers continue to refine their credential theft techniques, the gap between the effort required to compromise systems through password theft versus technical exploits will likely widen further 5, 11. Understanding this dynamic is essential for developing effective security strategies that can adapt to the evolving threat landscape 5.

  1. https://www.axios.com/2024/03/05/passwords-data-breaches-malware
  2. https://www.linkedin.com/pulse/attackers-log-dont-hack-can-we-stop-them-hasmaath-k-parkar-6s1xf
  3. https://www.cycognito.com/glossary/path-of-least-resistance.php
  4. https://www.eccouncil.org/cybersecurity-exchange/ethical-hacking/gaining-access-techniques-implications-safeguards/
  5. https://specopssoft.com/blog/credential-based-attacks-guide/
  6. https://www.securityweek.com/path-least-resistance-beats-road-less-travelled/
  7. https://www.forbes.com/sites/daveywinder/2025/05/16/millions-of-stolen-passwords-available-to-hackers-for-just-81-a-week/
  8. https://www.techmonitor.ai/technology/cybersecurity/valid-user-credentials-ibm
  9. https://www.linkedin.com/pulse/cracking-code-weaknesses-traditional-password-based-systems-mwema-lyuzf
  10. https://people.cs.vt.edu/gangwang/pass.pdf
  11. https://techcrunch.com/2024/04/06/price-of-zero-day-exploits-rises-as-companies-harden-products-against-hackers/
  12. https://www.wiz.io/academy/credential-stuffing
  13. https://hackread.com/dark-web-15-billion-credentials-100000-data-breaches/
  14. https://www.varonis.com/blog/data-breach-statistics
  15. https://www.eurecom.fr/en/publication/2910/download/rs-publi-2910_1.pdf
  16. https://thrivenextgen.com/social-engineering-the-path-of-least-resistance/
  17. https://www.darkreading.com/threat-intelligence/credential-theft-cybercriminals-favorite-target
  18. https://elm.umaryland.edu/elm-stories/2025/Unveiling-the-Shadows-How-Cyber-Criminals-Steal-Your-Passwords.php
  19. https://www.enzoic.com/blog/hackers-steal-passwords/
  20. https://www.onsip.com/voip-resources/voip-fundamentals/cybersecurity-101-why-hackers-want-your-data-what-happens-to-it
  21. https://www.paloaltonetworks.com/cyberpedia/what-is-a-credential-based-attack
  22. https://www.memcyco.com/attack-vectors-in-2025/
  23. https://www.beyondidentity.com/resource/cost-of-passwords-resets-breaches-and-more
  24. https://www.beyondtrust.com/blog/entry/the-cyberattackers-path-of-least-resistance-is-shifting-heres-how-you-must-adapt
  25. https://www.financierworldwide.com/cyber-crime-and-fs-blocking-the-path-of-least-resistance
  26. https://news.sd.gov/news?id=news_kb_article_view&sysparm_article=KB0031629
  27. https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3514411
  28. https://arcticwolf.com/resources/blog/four-ways-to-prevent-credential-theft-and-credential-based-attacks/
  29. https://www.darkreading.com/cyber-risk/cybercriminals-swap-phishing-for-credential-abuse-vuln-exploits
  30. https://users.ece.cmu.edu/~vsekar/Teaching/Spring25/18731/reading/Credentials.pdf
  31. https://www.balbix.com/insights/attack-vectors-and-breach-methods/
  32. https://aag-it.com/the-latest-cyber-crime-statistics/
  33. https://www.sentinelone.com/cybersecurity-101/cybersecurity/cyber-security-statistics/
  34. https://securityboulevard.com/2022/01/how-to-automate-response-to-credential-compromises/
  35. https://www.youtube.com/watch?v=vKPGZHoHX8k
  36. https://logmeonce.com/resources/password-appearing-in-a-data-leak/
  37. https://www.dashlane.com/blog/common-ways-hackers-steal-passwords
  38. https://reliaquest.com/blog/the-credential-abuse-cycle-theft-trade-and-exploitation

A.R. Perez, Netlok, June 17, 2025

The pace of technological change is accelerating crime. For example, cybercrime has undergone a fundamental transformation over the past two decades, evolving from isolated hackers operating in basements to sophisticated criminal enterprises that mirror legitimate business models 1, 2. What was once the domain of technically skilled individuals driven by prestige and ideology has become a $1.5 trillion criminal economy (measured by cybercriminal revenue/earnings) that operates with the professionalism and structure of Fortune 500 companies 3, 2. In this article, we will examine how cybercrime has evolved into a modern business model that is profitable and built to attack you, your family, and your business.

The Evolution from Individual Hackers to Criminal Enterprises

Early Days: Prestige Over Profit

The first phase of cybercrime, roughly spanning from 1990 to 2006, was characterized by hackers motivated primarily by personal prestige and technical challenge rather than financial gain 4. These early cybercriminals operated as lone wolves, requiring extensive technical knowledge and specialized skills to execute attacks 4. The underground economy was fragmented, with limited collaboration between different criminal actors 5.

The Dotcom Realization

The dotcom boom fundamentally shifted the cybercrime paradigm by demonstrating the immense financial potential of internet-based activities 4. Criminals began to recognize that the same digital infrastructure powering legitimate e-commerce could be exploited for illicit profit 4. This realization marked the beginning of cybercrime’s transformation into a business-driven enterprise 4.

The Birth of Crime-As-A-Service

Defining the CaaS Model

Crime-as-a-Service (CaaS) represents a business model where cybercriminals provide various hacking and cybercrime services to other individuals or groups, typically for financial gain 6. This model essentially commodifies and commercializes cybercriminal activities, allowing even those with little technical expertise to engage in sophisticated cyberattacks 6. The CaaS framework mirrors legitimate Software-as-a-Service (SaaS) business models, transforming hacking into a subscription service available to individuals, groups, and even nation-states 1.

The Democratization of Cybercrime

The emergence of CaaS has fundamentally democratized cybercrime by lowering the barriers to entry 7, 5. Previously, successful cyberattacks required exceptional technical abilities that were limited to a small group of highly skilled individuals 5. Today, budding cybercriminals need only a rudimentary understanding of cybersecurity, internet access, and a few dollars in cryptocurrency to initiate sophisticated attacks 6, 7.

This democratization is exemplified by cases like the infamous Lapsus$ hacking group, where several members were renegade teenagers who managed to breach tech giants like Microsoft and Nvidia, with the group’s former leader being a 16-year-old living at his mother’s home in the English countryside 1.

Business Models and Revenue Structures

Subscription-Based Pricing Models

The CaaS ecosystem employs various pricing models that mirror legitimate business practices 8, 9. The most common revenue structures include:

Monthly Subscriptions: Many cybercrime services operate on recurring monthly fees, similar to legitimate SaaS platforms 8. These subscriptions often range from tens to thousands of dollars, depending on the sophistication of the service 10.

Commission-Based Models: In ransomware-as-a-service operations, developers typically receive a 20-30% cut while affiliates retain 70-80% of ransom payments 9. This revenue-sharing model incentivizes both development and deployment of criminal tools 9.

One-Time Purchases: Some services offer single-payment options for specific tools or access credentials 8. For example, corporate login credentials can sell for several thousand dollars 11.

Hybrid Models: Many providers combine subscription fees with performance-based commissions, maximizing revenue from multiple streams 8, 9.

Market Maturation and Pricing Evolution

The cybercrime marketplace has demonstrated remarkable price evolution as competition has intensified 4. The Zeus malware, which originally cost $8,000, saw its price drop to around $500 due to competition from SpyEye 4. By 2011, when the Zeus source code was leaked, it effectively became free, demonstrating how market forces operate even in illegal sectors 4.

The Scale of the Criminal Economy

Revenue and Economic Impact

The cybercrime economy has reached staggering proportions, with research estimating total annual revenues at $1.5 trillion 3. This massive figure breaks down across various criminal activities:

Cybersecurity Ventures projects that the total economic damage to victims will reach $10.5 trillion annually by 2025, representing a 15% annual growth rate 12. If cybercrime were measured as a country, it would rank as the world’s third-largest economy, behind only the United States and China 13, 12.

Service Diversification

The CaaS ecosystem now encompasses nearly every aspect of cybercrime 14, 15. Beyond traditional malware and phishing kits, the marketplace now offers:

Advanced Specialized Services:

Professional Support Services:

Organizational Structure and Professionalization

Corporate-Style Operations

Modern cybercrime organizations have adopted sophisticated business structures that mirror legitimate enterprises 14, 15. These criminal enterprises now feature:

Hierarchical Management: Clear organizational charts with specialized roles including developers, distributors, and end-users 17. Developers create malicious software, distributors act as intermediaries assembling attack teams, and end-users execute attacks with minimal knowledge of the larger operation 17.

Human Resources Functions: Cybercrime marketplaces now feature dedicated help-wanted pages and recruiting staff 14, 15. Criminal job seekers post summaries of their skills and qualifications, while employers advertise positions with competitive salaries, performance bonuses, and even paid time off 10.

Research and Development: Criminal organizations invest heavily in innovation, constantly developing new attack methods and improving existing tools to evade detection 5, 11.

Professional Customer Experience

The professionalization of cybercrime extends to customer service and user experience 11. Criminal service providers now offer:

Ransomware-as-a-Service: The Premium Model

The RaaS Business Model

Ransomware-as-a-Service (RaaS) represents perhaps the most sophisticated evolution of the CaaS model 8. RaaS providers lease out compiled ransomware, source code, and complete infrastructure packages to affiliates 8. These services include:

Major RaaS Operations

Prominent RaaS groups like Conti, REvil (Sodinokibi), DarkSide, and LockBit have established themselves as major players in the criminal marketplace 8. LockBit 3.0, for instance, operates as a full-service RaaS platform where affiliates share a percentage of profits with operators as commission 18.

These organizations have demonstrated remarkable resilience and adaptability 18. When law enforcement disrupts one operation, others quickly emerge to fill the market gap, suggesting a mature and self-sustaining ecosystem 11.

Market Infrastructure and Payment Systems

Dark Web Marketplaces

The CaaS economy operates primarily through dark web marketplaces that provide anonymity and security for both buyers and sellers 19. These platforms have evolved sophisticated features including:

Payment Systems: Bitcoin and Monero are the primary cryptocurrencies used, with many marketplaces implementing mixing services for additional anonymity 19.

Escrow Services: Sophisticated escrow mechanisms protect both buyers and sellers, with funds held until services are delivered satisfactorily 19.

Multi-signature Security: Advanced marketplaces use multi-signature wallets requiring authorization from two of three parties (buyer, seller, marketplace) to complete transactions 19.

Auto-finalize Features: Automatic fund release mechanisms ensure vendors receive payment even if buyers don’t confirm receipt 19.

Trust and Reputation Systems

Criminal marketplaces have developed comprehensive trust and reputation systems that parallel legitimate e-commerce platforms 10. Vendors with proven track records of delivering working malware and maintaining operational security can command premium prices 10. Some ransomware groups have built such strong reputations for reliability that they leverage their “brand recognition” to charge higher fees 10.

The Future of Criminal Innovation

Continuous Evolution

The CaaS ecosystem continues to evolve rapidly, driven by the same market forces that shape legitimate business 11. As cybersecurity defenses improve, criminal services adapt by offering more sophisticated tools and techniques 14, 15. The commoditization of nearly every component of cybercrime has created opportunities for attackers of any skill level to participate in this underground economy 14, 15.

Economic Incentives

The massive financial incentives driving the CaaS ecosystem show no signs of diminishing 3. With annual revenues exceeding $1.5 trillion and growth rates of 15% per year, the criminal economy has established itself as a self-sustaining and continuously expanding sector 1, 23.

Conclusion

The transformation of cybercrime from individual hacking activities to a subscription-based service economy represents one of the most significant developments in modern criminal enterprise 17. By adopting legitimate business models, implementing professional operational structures, and creating user-friendly service offerings, cybercriminals have successfully democratized access to sophisticated attack capabilities 6, 14.

This evolution has fundamentally altered the threat landscape, making advanced cyberattacks accessible to anyone with modest financial resources and basic internet access 7, 16. The CaaS model’s success demonstrates how criminal organizations can adapt and thrive by mimicking the very business innovations they seek to exploit 4, 11.

As the cybercrime economy continues to mature and expand, reaching projected revenues of $10.5 trillion by 2025, it presents an unprecedented challenge to cybersecurity professionals and law enforcement agencies worldwide 12. The subscription-based nature of modern cybercrime has created a resilient, scalable, and increasingly sophisticated threat that mirrors the digital transformation occurring in legitimate business sectors 1, 15.

  1. https://register.bank/insights/cybercrime-as-a-service-overview/
  2. https://arcticwolf.com/resources/blog/decade-of-cybercrime/
  3. https://www.linkedin.com/pulse/dark-web-economics-understanding-business-models-cybercrime-baek-wtpoc
  4. https://www.securityweek.com/understanding-evolution-cybercrime-predict-its-future/
  5. https://www.europol.europa.eu/iocta/2014/chap-3-1-view1.html
  6. https://cpl.thalesgroup.com/blog/encryption/cybercrime-as-a-service-caas-explaned
  7. https://fieldeffect.com/blog/cybercrime-as-a-service
  8. https://encyclopedia.kaspersky.com/glossary/ransomware-as-a-service-raas/
  9. https://www.bleepingcomputer.com/news/security/dozens-of-ransomware-gangs-partner-with-hackers-to-extort-victims/
  10. https://www.linkedin.com/pulse/inside-ransomware-economy-dark-web-markets-pricing-tactics-baek-qxunc
  11. https://knowledge.insead.edu/operations/professionalisation-cyber-criminals
  12. https://cybersecurityventures.com/hackerpocalypse-cybercrime-report-2016/
  13. https://www.criticalstart.com/cybercrime-the-worlds-3rd-largest-economy/
  14. https://digitalisationworld.com/news/64595/cybercrime-reaches-new-levels-of-commercialisation
  15. https://www.msp-channel.com/news/64595/cybercrime-reaches-new-levels-of-commercialisation
  16. https://www.kiwitech.com/blog/malware-as-a-service-how-cybercrime-has-become-a-business-model/
  17. https://cointelegraph.com/explained/crimeware-as-a-service-a-new-threat-to-crypto-users
  18. https://www.cyber.gov.au/sites/default/files/2023-06/acsc-ransomware-profile-lockbit-3.0-june-2023.pdf
  19. https://docs.apwg.org/ecrimeresearch/2021/ecrime2021-paper55.pdf
  20. https://www.techtarget.com/whatis/feature/Cybercrime-as-a-service-explained-What-you-need-to-know
  21. https://sac.media/2024/10/03/opinion-the-subscription-business-model-needs-to-stop/
  22. https://www.paloaltonetworks.com/cyberpedia/cybercrime-the-underground-economy
  23. https://www.businessofgovernment.org/sites/default/files/Viewpoint%20Strickland%20et%20al.pdf

A.R. Perez, Netlok, June 12, 2025

Despite facing significant cybersecurity threats, many family offices continue to operate with inadequate defenses, creating a dangerous disconnect between risk exposure and preparedness. Understanding the underlying causes of this vulnerability reveals systemic challenges that go beyond simple oversight.

The Scale of the Problem

The cybersecurity preparedness gap among family offices is striking. While 43% of family offices globally have experienced a cyberattack over the last 12-24 months, nearly one-third (31%) lack a comprehensive cybersecurity strategy, leaving them woefully unprepared 16. In North America, the situation is even more concerning, with 57% of family offices reporting cyber incidents during recent periods 9. Despite these alarming statistics, only 31% of family offices say their cyber risk management processes are well-developed 1.

Root Causes of Unpreparedness

Underestimation and Misperception of Threats

Many family offices fundamentally underestimate their attractiveness as targets and the sophistication of modern cyber threats 19. A significant factor contributing to this vulnerability is the belief that “privacy equals security” – the misguided notion that operating “under the radar” provides adequate protection 19. This mindset leads to a dangerous miscalculation where family offices assume they’re too small or obscure to warrant sophisticated attacks 20.

Research reveals that 47% of family offices acknowledge that underestimating the threat level obstructs the implementation of risk management measures 3. Additionally, smaller and newer family offices are particularly vulnerable, with only 15% accurately assessing the likelihood of cyberattacks compared to 25% at larger family offices 3.

Complacency and Reactive Approaches

A pervasive culture of complacency significantly hampers cybersecurity preparedness among family offices 13. Studies show that 41% of family offices cite complacency as an obstacle to implementing risk management measures 3. This reactive mindset is further evidenced by the fact that 33% of family offices have adopted a “reactionary rather than preventative approach” to cybersecurity, an increase from around 25% in previous studies 21.

As one US-based single family office CEO noted, “Many people do not react to cyber threats until they have been attacked” 2. This wait-and-see approach leaves offices vulnerable to increasingly sophisticated attacks that target the “low-hanging fruit” 2.

Resource and Budget Constraints

Unlike large enterprises, family offices often lack the financial resources for comprehensive cybersecurity infrastructure 21. Only 33% of family offices report having a dedicated cybersecurity budget, forcing many to rely on inadequate solutions 5. The typical family office operates with a small staff ranging from 2 to 25+ members, making it challenging to allocate personnel specifically for cybersecurity functions 7.

The resource limitation extends beyond budgets to human capital. Just 8% of family offices have in-house cybersecurity personnel, and 67% have not hired third-party defense providers 1. This staffing gap means that cybersecurity often becomes an afterthought rather than a strategic priority.

Organizational Structure Challenges

Family offices face unique structural challenges that impede effective cybersecurity implementation. Many operate more like small businesses when it comes to cybersecurity infrastructure while managing wealth comparable to mid-sized enterprises 20, 23. This creates a dangerous mismatch between resources and risk exposure.

The fragmented nature of family office operations compounds these challenges. Many use disparate systems that don’t communicate effectively, creating security vulnerabilities and making comprehensive protection difficult to implement 29. Without proper integration, family offices struggle to maintain consistent security protocols across all their technological touchpoints.

Third-Party Vendor Risks

Family offices increasingly rely on external vendors and service providers, creating additional vulnerabilities they may not fully understand or manage effectively 28, 30. There has been “a huge uptick in third-party vendors having cybersecurity incidents and then reporting them back to the data owner,” creating cascading security risks 28.

Family offices without proper processes to vet third-party vendors significantly increase their risk exposure through insecure connections and compromised vendor relationships 30. This is particularly problematic given that many family offices outsource critical functions without implementing adequate vendor security oversight.

Lack of Awareness and Training

A critical gap exists in cybersecurity awareness and training across family office organizations. Fewer than 25% of family offices have implemented basic protections such as phishing simulation tests, security awareness training, external penetration testing, or defined incident response plans 5.

The challenge is compounded by the diverse technology adoption patterns within wealthy families, ranging from tech-savvy younger members to “tech-averse octogenarians” 13. This spectrum of cyber hygiene habits makes it difficult to implement consistent security protocols across all family members and staff.

The Human Factor

Cybersecurity experts emphasize that most cyberattacks don’t happen through technology failures but because of people and process weaknesses 16. Family offices are particularly vulnerable to social engineering attacks because cybercriminals can often gather extensive information about wealthy families through social media and public records 18.

The younger generation’s increased online visibility has inadvertently exposed families that previously maintained tight privacy controls 18. As one expert noted, “The younger members of the family are outing families that have kept a really tight lid on their wealth for a long period of time” 18.

The Cost of Inaction

The consequences of inadequate cybersecurity preparedness extend far beyond immediate financial losses. Among family offices that have experienced cyberattacks, a significant one-third have suffered some form of loss or damage, with operational damage and financial loss being the most common consequences 9.

The average cost of a data breach globally approaches $4 million, with individual family offices at risk of losing up to $500,000 in ransom payments alone 10. Beyond direct financial impacts, successful attacks can severely damage reputation, erode trust, and lead to regulatory inquiries and litigation 14.

Moving Forward

The persistent unpreparedness of family offices despite high cyberattack risks reflects a complex interplay of psychological, organizational, and resource-related factors. Addressing these challenges requires a fundamental shift from reactive to proactive cybersecurity approaches, supported by dedicated budgets, specialized expertise, and comprehensive risk management frameworks.

As cybersecurity threats continue to evolve and become more sophisticated, family offices can no longer afford to operate under the assumption that their size or privacy provides adequate protection 16. The time for reactive measures has passed; proactive cybersecurity investment has become an operational necessity rather than an optional consideration.

  1. https://www.institutionalinvestor.com/article/2eh3jnemw9qf5mzu5gs8w/corner-office/family-offices-are-unprepared-for-cyber-threats
  2. https://ioandc.com/family-offices-unprepared-for-rising-cyberattacks/
  3. https://sps.columbia.edu/sites/default/files/2020-10/Boston%20Private%20Surveying%20the%20Risks%20and%20Threats%20to%20Family%20Offices.pdf
  4. https://www.globalguardian.com/global-digest/family-office-safety-risks
  5. https://tekconcierge.com/deloitte-report-reveals-cybersecurity-gaps-in-family-offices-is-your-office-at-risk/
  6. https://www.kelvinfu.com/fortresses-of-wealth-protecting-family-offices-in-the-age-of-cyberattacks/
  7. https://andsimple.co/insights/family-office-cybersecurity/
  8. https://www.wealthbriefing.com/html/article.php/family-offices-under-siege:-effective-cybersecurity-strategies
  9. https://www.deloitte.com/nl/en/services/deloitte-private/about/family-office-cybersecurity-report.html
  10. https://andsimple.co/insights/cybersecurity-for-family-offices/
  11. https://www.pwc.com/gx/en/services/family-business/family-office/cyber-security.html
  12. https://www.cohnreznick.com/insights/family-office-cybersecurity-3-ways-protect-against-threats
  13. https://www.northerntrust.com/united-states/institute/articles/mitigating-cyber-risks-in-family-offices-for-long-term-security
  14. https://www.morganlewis.com/pubs/2024/08/the-framework-of-a-strong-family-office-cybersecurity-strategy
  15. https://www.familyoffice.com/insights/cybersecurity-poses-real-consequences-family-offices
  16. https://www.familyoffice.com/insights/family-offices-must-assess-weak-links-cyber-protection
  17. https://rsmus.com/insights/services/family-office/latest-rsm-research-shows-growing-cybersecurity-risk-for-family-offices.html
  18. https://thefopro.com/family-office-cybersecurity/
  19. https://www.svb.com/contentassets/cd008ac478bd479980c42888365020c4/demystifying_risk_management_for_family_offices.pdf
  20. https://www.familywealthreport.com/article.php/Many-Family-Offices-Think-They-Won’t-Suffer-Cyber-Attacks-%E2%80%93-Time-To-Wake-Up?id=204059
  21. https://thefopro.com/a-new-survey-of-family-offices-finds-significant-growth-over-the-past-five-years-and-expectations-that-that-growth-will-continue/
  22. https://www.cyberdefensemagazine.com/maximizing-cybersecurity-impact-within-budget-constraints/
  23. https://www.agillink.com/insights/Blog/top-5-cybersecurity-practices-for-family-offices0.html
  24. https://www.craincurrency.com/family-office-management/war-talent-why-its-so-hard-family-offices-hire-right-people
  25. https://www.pwc.com/hu/hu/assets/pdf/pwc_effective_cyber_protection_for_family_offices_update.pdf
  26. https://rsmus.com/insights/services/family-office/how-technology-supports-people-in-family-offices.html
  27. https://omegasystemscorp.com/industries/financial-services/family-offices/
  28. https://www.craincurrency.com/family-office-management/cybersecurity-poses-real-world-consequences-family-offices
  29. https://rsmus.com/insights/services/family-office/family-office-outsourcing.html
  30. https://www.privatebank.citibank.com/doc/family-office/Managing_cyber_security_and_fraud_risks.pdf
  31. https://www.familywealthreport.com/article.php/From-Risk-To-Resilience:-Strategies-For-Cybersecurity-In-Family-Offices
  32. https://www.linkedin.com/posts/warrenfinkel_many-family-offices-think-they-wont-suffer-activity-7313888390674878465-7ZTK
  33. https://www.bloomberg.com/news/videos/2025-03-28/cybersecurity-single-biggest-risk-to-family-offices-video
  34. https://clutch.co/it-services/cybersecurity/pricing
  35. https://www.risk-strategies.com/blog/family-office-cybersecurity-how-to-defend-against-cyberattacks