TL;DR

• Ransomware payments stagnated despite record attacks claimed. Total on-chain ransomware payments fell by approximately 8% to $820 million in 2025, even as claimed attacks rose 50%.
• Median ransom payment size increased significantly. While aggregate revenue stagnated, the median ransom payment grew 368% year-over-year to nearly $60,000.
• Initial Access Broker (IAB) activity can serve as a leading indicator; on-chain analysis indicates that spikes in IAB inflows typically precede increases in ransomware payments and victim leaks by roughly 30 days.
• Criminal and state-linked actors share infrastructure. The infrastructure layer has converged, with financially-motivated cybercriminals and state-aligned actors using the same…