# FBI Reports Cybercrime Losses Neared $21 Billion in 2025, Marking Continued Escalation in Digital Threats


The Federal Bureau of Investigation released its annual Internet Crime Complaint Center (IC3) report, revealing that cybercrime losses in the United States reached approximately $21 billion in 2025, a staggering figure that underscores the growing financial toll of digital attacks on businesses, government agencies, and individuals. The report, compiled from hundreds of thousands of complaints submitted to the FBI's IC3 platform, provides a comprehensive snapshot of the cybercrime landscape and highlights the evolving tactics employed by threat actors worldwide.


## The Scale of the Problem


The $21 billion figure represents complaints filed with the IC3, making it one of the most reliable public metrics for understanding cybercrime's financial impact. However, cybersecurity experts caution that the actual cost likely exceeds this number significantly, as many organizations never report breaches to law enforcement, and countless incidents go undetected entirely.


To contextualize this figure:

  • The average reported loss per victim ranges from tens of thousands to millions of dollars, depending on the attack type
  • Large enterprises face significantly higher individual attack costs, with some incidents resulting in losses exceeding $100 million
  • Small and medium-sized businesses (SMBs) remain particularly vulnerable, often lacking dedicated security teams
  • Individuals constitute a substantial portion of complaints, with losses ranging from hundreds to hundreds of thousands of dollars per victim

    • ## Background and Context


    Cybercrime has evolved from a niche threat into a sophisticated, industrialized ecosystem. What began as amateur hackers operating from basements has transformed into organized, well-funded criminal enterprises—many backed by state-sponsored actors or operating with tacit government approval.


    Key drivers of rising cybercrime costs:


  • Increased digitization: More business processes moving online means larger attack surfaces
  • Remote work normalization: Distributed workforces created new vulnerabilities in network perimeters
  • Supply chain attacks: Threats increasingly targeting third-party vendors to reach larger organizations
  • Cryptocurrency adoption: Digital currencies enable faster, harder-to-trace ransom payments
  • Improved attack tooling: Malware-as-a-Service and ransomware-as-a-Service platforms lower barriers to entry for cybercriminals

    • The IC3 receives an average of 2,600+ complaints per day, with the agency noting that complaint volume has remained stable or increased year-over-year, even as awareness campaigns attempt to educate potential victims.


    ## Technical Details and Attack Categories


    The $21 billion in losses encompasses a diverse array of attack vectors:


    | Attack Type | Typical Impact | Primary Targets |

    |---|---|---|

    | Ransomware | $10M–$100M+ per incident | Healthcare, finance, manufacturing |

    | Business Email Compromise (BEC) | $100K–$10M per incident | Large enterprises, government |

    | Phishing/Credential Theft | $1K–$100K per victim | All sectors |

    | Extortion/Blackmail | Highly variable | Specific high-value targets |

    | Tech Support Scams | $500–$50K per victim | Individuals, small businesses |

    | Cryptocurrency Fraud | $1K–$1M+ per victim | Crypto investors, traders |

    | Denial of Service (DDoS) | $10K–$5M+ per incident | E-commerce, gaming, critical infrastructure |


    ### Ransomware Remains the Dominant Threat


    Ransomware-as-a-Service (RaaS) platforms continue to drive losses, with threat groups operating like legitimate software companies, complete with customer support and feature updates. Notable groups and their tactics:


  • LockBit: Maintains an affiliate network with a revenue-sharing model
  • Change Healthcare incident: A single 2024 ransomware attack resulted in approximately $300 million in extortion and remediation costs
  • ESXi zero-day exploitation: Threat actors increasingly target virtualization infrastructure for maximum impact

    • ### Business Email Compromise Surge


    BEC attacks, where attackers compromise corporate email accounts to manipulate financial transactions, continue to generate outsized losses. The average BEC incident exceeds $100,000, with some cases reaching tens of millions.


    ## Implications for Organizations


    The 2025 cybercrime report carries serious implications across sectors:


    Financial Impact Beyond Direct Losses:

  • Downtime costs: Many organizations lose $5,600–$300,000+ per minute of service disruption
  • Regulatory fines: GDPR violations can reach 4% of global revenue
  • Reputation damage: Customer trust erosion can depress revenue for years
  • Recovery expenses: Forensic investigations, remediation, and infrastructure upgrades

    • Sector-Specific Vulnerabilities:


  • Healthcare: Ransomware targeting hospitals disrupts patient care and creates immediate safety hazards
  • Manufacturing: Production shutdowns due to ransomware cause supply chain cascades affecting multiple industries
  • Government: Federal agencies face both criminal and state-sponsored attacks, with national security implications
  • Financial services: Direct financial theft and account takeover pose existential risks

    • The FBI emphasizes that no industry is immune, with attacks affecting Fortune 500 companies, mid-market firms, and government agencies with equal frequency.


    ## Recommendations for Risk Mitigation


    Organizations seeking to reduce their cybercrime exposure should implement a layered defense strategy:


    Immediate Actions:

  • Enable multi-factor authentication (MFA) on all critical accounts, especially email and VPN access
  • Maintain current backups stored offline to enable recovery from ransomware
  • Patch systems promptly, prioritizing internet-facing systems and known exploits
  • Segment networks to limit lateral movement after compromise

    • Operational Improvements:

  • Implement email security controls including DMARC, SPF, and DKIM authentication
  • Conduct regular security awareness training focusing on phishing and social engineering
  • Deploy endpoint detection and response (EDR) solutions for real-time threat visibility
  • Establish an incident response plan with clear escalation procedures

    • Strategic Measures:

  • Conduct threat modeling to understand your most valuable assets
  • Establish vendor security requirements to reduce supply chain risk
  • Maintain cyber liability insurance with coverage matching organizational risk profile
  • Report incidents to law enforcement (FBI IC3) to aid investigation and national threat tracking

    • The FBI's IC3 actively coordinates with international law enforcement and privately operates an online reporting system accessible at ic3.gov.


    ## Looking Forward


    The trajectory of cybercrime losses suggests that 2026 will likely see continued escalation, driven by:

  • Increasing adoption of AI-powered attacks
  • Expansion of supply chain targeting
  • Growing sophistication of social engineering
  • State-sponsored cyber operations blending with criminal activity

    • Organizations that treat cybersecurity as an ongoing operational necessity—rather than a checkbox compliance item—stand the best chance of avoiding costly incidents.


    The $21 billion figure serves as a sobering reminder: cybercrime is no longer a fringe problem or theoretical risk. It is a pervasive, evolving threat with direct bottom-line implications for businesses of all sizes. The question is no longer whether an organization will face a cyber attack, but when—and whether it will be prepared.