FBI: Cybercrime Losses Hit $20.9B in 2025, Up 26%

Americans lost $20.9 billion to cybercrime in 2025, according to the FBI's annual Internet Crime Complaint Center report released this week. That's a 26% increase from 2024 and marks the highest losses ever recorded since IC3 began tracking complaints in 2000.

The numbers paint a grim picture: over one million complaints filed, nearly 3,000 per day. Cumulative losses over the past five years now exceed $71 billion. Since 2020, annual losses have increased 400%—from $4.2 billion to nearly $21 billion.

Investment Fraud Dominates

Investment-related fraud accounted for $8.65 billion in losses, making it the costliest crime category by a wide margin. These scams typically involve fake cryptocurrency platforms, pig butchering schemes, and fraudulent trading apps that promise guaranteed returns.

The growth correlates directly with cryptocurrency adoption. Victims wire funds to what appear to be legitimate exchanges, only to discover the platforms are entirely fabricated. By the time they realize the scam, their money has been converted to cryptocurrency and laundered through mixers.

Business email compromise followed at $3.05 billion. BEC attacks remain devastatingly effective—attackers compromise or spoof executive email accounts, then instruct finance teams to wire funds to accounts they control. The UNC6783 campaign targeting BPOs represents an evolution of this technique, where attackers breach third-party service providers rather than the target organization directly.

Tech support scams rounded out the top three at $2.1 billion. These often target elderly victims through pop-up warnings claiming their computers are infected.

Cryptocurrency: $11.4 Billion

For the first time, cryptocurrency-related losses exceeded $11 billion annually. The FBI report notes that crypto has become the preferred payment method for investment fraud, tech support scams, and ransomware alike.

The irreversibility of cryptocurrency transactions makes recovery nearly impossible. Once funds transfer to an attacker-controlled wallet, they can be laundered through decentralized exchanges and cross-chain bridges within hours.

Law enforcement has achieved some successes. Operation Atlantic announced last week froze $12 million and identified 20,000 victims across a multi-jurisdictional crypto fraud investigation. But these recoveries represent a fraction of overall losses.

Ransomware Losses Surge 259%

Ransomware losses jumped to $32.3 million in 2025—a 259% increase from the prior year's $12.5 million. The IC3 received over 3,600 ransomware complaints, with attacks hitting all 16 critical infrastructure sectors.

Healthcare, manufacturing, and financial services bore the heaviest impact. The ChipSoft ransomware attack that disrupted 11 Dutch hospitals earlier this month demonstrates how these attacks create cascading operational failures.

Top ransomware variants included Akira, Qilin, INC, BianLian, and Play. Several of these groups have shifted to pure exfiltration models, skipping encryption entirely in favor of threatening data publication.

AI-Related Fraud Emerges

This year's report includes a new section on artificial intelligence—a first in IC3's 25-year history. AI-related complaints totaled 22,364, with losses approaching $893 million.

The category primarily captures deepfake-enabled fraud: synthetic voice calls impersonating executives, AI-generated video for romance scams, and fabricated identity documents for account takeover. As generative AI improves, these attacks will become harder to detect.

Security teams should prepare for increased social engineering sophistication. When attackers can clone voices from public recordings and generate convincing video in real time, traditional verification methods fail.

Elderly Victims: 37% of Losses

Victims aged 60 and older filed 201,000 complaints with losses totaling $7.75 billion—37% of all cybercrime losses. The disproportionate impact reflects targeted campaigns against this demographic through tech support scams, romance fraud, and investment schemes.

The FBI notes that elderly victims are less likely to report fraud due to embarrassment, meaning actual losses are likely significantly higher.

What the Numbers Miss

IC3 data captures only reported incidents. The FBI estimates actual cybercrime losses could be three to four times higher than reported figures suggest.

Many organizations don't report ransomware attacks to avoid regulatory scrutiny or reputational damage. Small businesses often lack the resources to file complaints. International victims typically aren't captured in U.S. statistics.

The $20.9 billion figure is sobering. The actual number may approach $80 billion.

Why This Matters

The 26% year-over-year increase signals that defenses aren't keeping pace with attacker innovation. Investment fraud's dominance reflects broader societal vulnerability to financial scams during economic uncertainty. And the ransomware surge suggests that disruption operations like the FBI's Hive takedown haven't deterred the broader ransomware ecosystem.

For security teams, the report reinforces familiar priorities: employee security awareness, MFA deployment, and incident response preparation. For individuals, skepticism toward unsolicited contact—especially involving cryptocurrency or urgent wire transfers—remains the best defense.

The full report is available on the IC3 website.