The global cyber threat landscape was defined by fragmentation in 2025, driven in no small part by widening geopolitical fractures that threatened the 80-year-old rules-based international order that has kept the peace – at least in the global north – since the end of the Second World War, according to a report.
In a cyber threat report published last week, Recorded Future’s Insikt Group explored how the conduct of powerful nations – aptly demonstrated by the possibility of a unilateral US takeover of Greenland, threatening the integrity of the Nato alliance – is causing knock-on effects in the cyber world as long-standing security frameworks appear increasingly precarious.
Indeed, in some circumstances, legal ambiguity around US actions, particularly those taking place in the Caribbean and Venezuela, has in fact caused some of America’s core allies, including the UK, to restrict intelligence sharing. Recorded Future said that strained transatlantic relations were limiting coordinated responses to wider crises such as Russia’s four-year war on Ukraine, and that these geopolitical dynamics are directly shaping state behaviour in cyberspace.
Meanwhile, sustained law enforcement pressure led to some big wins last year in the form of disruptions and takedowns of cyber criminal infrastructure, along with arrests, but this is now resulting in a more decentralised, modular criminal ecosystem that, unfortunately, is also more resilient.
And on the technological front, this fragmentation was demonstrated by the growing split between China and the US as the two great powers vie for AI dominance.
“In 2025, Insikt Group tracked how cyber activity shifted from a primary focus on espionage toward increased use of cyber capabilities for signalling, coercion and disruption in both kinetic conflicts and grey-zone scenarios,” said the report’s authors.
“Securing access to identity systems, cloud environments and edge infrastructure emerged as a central feature of interstate competition, reflecting the growing strategic value of persistent digital access and pre-positioning.
“Disruption was equally visible in the information environment. Insikt Group observed hacktivist groups, patriotic volunteers and influence networks playing a growing role in conflicts involving Israel-Iran, India-Pakistan, Thailand-Cambodia, and Russia-Ukraine.
“These actors operated with varying degrees of state alignment, but consistently contributed to a threat landscape in which genuine intrusions, exaggerated claims and disinformation reinforced one another,” they said.
Speaking at the report’s launch at the annual Munich Security Conference in Germany, Recorded Future chief security and intelligence officer Levi Gundert said: “Uncertainty is no longer episodic – it’s the operating environment.
“As geopolitical norms weaken, state objectives, criminal capability and private-sector technology are increasingly reinforcing one another, compressing warning timelines and expanding plausible deniability. AI is accelerating that dynamic, not through autonomous attacks, but by scaling deception and eroding trust inside decision-making processes.
“In 2026, cyber risk will be defined less by singular events and more by persistent, fragmented pressure that reshapes competition, escalation, and stability over time.”
Cyber ops a routine tool
Against these general dynamics, Recorded Future said cyber operations are now becoming established as a routine tool of geopolitical competition, alongside more traditional instruments such as sanctions, tariffs or asset seizures.
“The cumulative effect is an international system with higher tolerance for risk and fewer constraints on escalation. For governments and businesses alike, resilience rather than stability is now the baseline operating assumption,” the team said.
This year, the report said, state-sponsored cyber operations will coalesce around low-visibility access and reconnaissance operations as a precursor to outright conflict, said Recorded Future co-founder Christopher Ahlberg.
“Cyber operations are no longer preparation for conflict – they are part of conflict. What we’re seeing is that adversaries are logging in, not hacking in. This is a shift toward access, influence and leverage that can be activated at moments of political or military tension, often below the threshold of traditional response,” he said.
Russia, said Recorded Future, will move away from malware-driven campaigns towards credential-based intrusions and the abuse of legitimate services such as identity platforms. This approach allows hackers to escalate to outright disruption while maintaining plausible deniability for their paymasters, and making it harder for security teams to detect them.
Chinese actors, meanwhile, are likely to expand from data theft towards information operations bombarding their targets with large volumes of AI slop in a form of “flooding the zone”. According to Recorded Future’s analysts, Beijing already has established doctrines on AI-driven “psychographic targeting” with the intent of eroding its rivals’ resolve through bespoke, emotionally provocative operations that complement its underlying attacks.
The Iranians, the report predicted, will remain largely focused on regional influence operations, with continued use of hacktivist proxies. Despite recent internal upheaval, and the US’s response to this, more widespread disruptive operations are probably unlikely, although they should not necessarily be ruled out.
North Korea will remain an active and dangerous cyber actor, with its operations likely to continue targeting workforce infiltration to enable data theft and, critically, revenue generation going forward.
Finally, defenders should also be on the lookout for commercial spyware, which will remain a key enabler of state-backed cyber risk. Such tools – the most infamous example being Israel-based NSO’s Pegasus malware – also muddy the waters somewhat in that they are now widely used by many governments against their own people.
