# FBI Reports $21 Billion in Cybercrime Losses for 2025—A Troubling Trend Continues


The Federal Bureau of Investigation has released its annual Internet Crime Complaint Center (IC3) report, revealing that cybercrime losses in the United States reached nearly $21 billion in 2025. This staggering figure underscores a persistent and escalating threat landscape where threat actors continue to exploit vulnerabilities in critical infrastructure, financial systems, and consumer endpoints with devastating consequences.


The IC3, which operates as the FBI's primary mechanism for collecting and analyzing cybercrime complaints from the American public, documented the mounting costs of digital attacks across industries, geographies, and victim demographics. The $21 billion figure represents not just financial losses, but disrupted operations, eroded trust, and compromised sensitive data affecting millions of individuals and thousands of organizations.


## The Scale of the Problem


To contextualize this number: $21 billion would fund over 100,000 full-time cybersecurity professionals for an entire year. It represents losses greater than the GDP of several nations. Yet despite years of awareness campaigns, security investments, and regulatory frameworks, the needle barely moves on the fundamental economics of cybercrime.


The FBI's data confirms what security researchers and corporate leaders already knew: cybercrime is profitable, relatively low-risk for perpetrators, and increasingly cost-effective to execute at scale. When criminal organizations can generate millions in revenue from ransomware alone, the financial incentive to continue operations remains undiminished.


## What's Driving These Losses?


While the FBI's report presents aggregated figures, historical patterns and contemporaneous threat intelligence suggest several crime categories dominate the losses:


### Ransomware Attacks

Ransomware remains the single largest contributor to cybercrime losses. Organizations across all sectors—from healthcare to manufacturing—have fallen victim to sophisticated variants deployed by groups operating from nations with minimal extradition treaties. The average ransomware payment has increased dramatically, with some negotiations reaching $10-15 million for large enterprises.


### Business Email Compromise (BEC)

Business Email Compromise schemes, where threat actors impersonate executives or trusted vendors to manipulate employees into fraudulent wire transfers, consistently rank among the highest-loss crime categories. These attacks exploit human psychology and organizational trust, making them remarkably effective despite being decades old in concept.


### Romance and Investment Fraud

Confidence schemes targeting individuals—particularly elderly Americans—remain prolific. Scammers build elaborate false personas online, establishing relationships and trust before requesting funds for fabricated emergencies or "investment opportunities."


### Credential Theft and Account Takeovers

Leaked passwords, compromised APIs, and credential stuffing attacks enable fraudsters to gain legitimate access to banking systems, email accounts, and cloud services. Once inside, they exfiltrate data or modify account settings before the legitimate owner notices.


### Tech Support Scams

Deceptive pop-ups and fake support services trick users into granting remote access to their devices, allowing scammers to install malware, steal credentials, or directly extract funds.


## Sector-Specific Impact


The losses are not evenly distributed. While every sector faces threats, certain industries bear disproportionate costs:


| Sector | Notable Vulnerabilities |

|--------|------------------------|

| Financial Services | Direct access to funds, regulatory penalties |

| Healthcare | Patient data value, operational disruption criticality |

| Manufacturing | Operational technology exposure, supply chain leverage |

| Government | Critical infrastructure targeting, national security impact |

| Retail | Payment card data, customer PII, operational downtime |


Healthcare organizations, in particular, face an acute threat from ransomware operators who understand that hospitals cannot tolerate prolonged downtime and often pay quickly to restore patient care systems.


## The Year-Over-Year Trend


The $21 billion figure represents a concerning trajectory. While the FBI has tracked cybercrime losses for nearly two decades, the growth rate shows no signs of slowing. Several factors explain this acceleration:


  • Increased digital adoption: More services, transactions, and interactions occur online, expanding the attack surface.
  • Sophistication of tools: Ransomware-as-a-Service (RaaS) platforms and other criminal infrastructure allow less technical actors to participate in profitable campaigns.
  • Geopolitical tensions: State-sponsored actors and nation-state-adjacent groups conduct espionage operations that extract intellectual property and sensitive data.
  • Cryptocurrency: Digital currencies provide criminals with some degree of anonymity and fungibility, reducing the friction of monetizing stolen assets.

    • ## Geographic Distribution


    Cybercriminals operate from across the globe, though certain regions—particularly Eastern Europe and parts of Asia—host the highest concentration of sophisticated criminal infrastructure. However, victims are predominantly in the United States, reflecting both the size of the U.S. economy and the concentration of high-value targets in American financial and technology sectors.


    The FBI's report likely documents complaints from all 50 states and U.S. territories, revealing that no geographic area is immune to cybercriminal activity.


    ## The Response Challenge


    Despite the FBI's continued collection of complaint data and law enforcement coordination through agencies like the Cybersecurity and Infrastructure Security Agency (CISA), prosecution rates remain low relative to the volume of incidents. Extradition barriers, technical complexity in attribution, and the sheer volume of incidents create enforcement challenges.


    International cooperation has improved, but it remains inconsistent. When perpetrators operate from jurisdictions with weak rule of law or implicit state tolerance, enforcement becomes nearly impossible.


    ## What Organizations Can Do


    While the $21 billion figure reflects a systemic problem, individual organizations can reduce their exposure through proven practices:


  • Multi-Factor Authentication (MFA): Implement MFA across all critical systems to mitigate credential-based attacks.
  • Employee Training: Conduct regular security awareness training focused on social engineering, phishing, and BEC tactics.
  • Incident Response Planning: Develop and regularly test incident response procedures to minimize dwell time and containment failure.
  • Backup Strategy: Maintain offline, immutable backups to mitigate ransomware impact without resorting to payment.
  • Vendor Management: Assess third-party security posture and contractually require baseline security controls.
  • Threat Intelligence Subscription: Subscribe to threat feeds and information-sharing organizations to stay informed about emerging tactics.
  • Zero Trust Architecture: Move away from perimeter-based security toward a zero-trust model that assumes compromise.

    • ## The Path Forward


    The FBI's $21 billion cybercrime loss report serves as both a sobering benchmark and a call to action. As digital infrastructure becomes increasingly critical to economic and national security, the cost-benefit analysis for would-be cybercriminals remains overwhelmingly favorable.


    Addressing this requires sustained investment in detection, response, and prosecution capabilities—as well as a cultural shift in how organizations approach security. Until the friction and risk of engaging in cybercrime significantly increase, expect these loss figures to continue their upward trajectory.


    Organizations that treat cybersecurity as a strategic imperative rather than a compliance checkbox will outperform their peers in resilience and breach prevention. For others, the $21 billion figure serves as a grim statistical reminder: cybercrime is not a hypothetical threat—it is an active, evolving, and highly profitable criminal enterprise.