We review vendors based on rigorous testing and research but also take into account your feedback and our affiliate commission with providers. Some providers are owned by our parent company.
Learn more
vpnMentor was established in 2014 to review VPN services and cover privacy-related stories. Today, our team of cybersecurity researchers, writers, and editors continues to help readers maintain their online freedom in partnership with Kape Technologies PLC, which also owns the following products: Holiday.com, ExpressVPN, CyberGhost, and Private Internet Access which may be ranked and reviewed on this website. The reviews published on vpnMentor are believed to be accurate as of the date of each article, and written according to our strict reviewing standards that prioritize professional and detailed examination by the reviewer, taking into account the technical capabilities and qualities of the product together with its commercial value for users. The rankings and reviews we publish may also take into consideration the common ownership mentioned above, and affiliate commissions we earn for purchases through links on our website. We do not review all VPN providers and information is believed to be accurate as of the date of each article.
Advertising Disclosure


The Cost of Cybercrime: Who’s Paying, How Much, and What’s Changing

vpnMentor Research Team | Published on October 07, 2025 | Cybersecurity and Research Lab

Key Takeaways

  • Only about 1 in 10 ransomware victims officially report their attacks or losses to authorities.
  • Phishing was the most-reported cybercrime in 2024, receiving 193,407 complaints, but it accounted for only $70 million in losses, representing just 0.4 percent of the total money lost to cybercrime that year.
  • In 2024, the total number of cybercrime complaints reported to the FBI’s IC3 reached 859,532, equating to approximately one complaint for every 395 U.S. residents.
  • In 2024, financial losses due to cybercrime reached a new record of an astounding $16.6 billion.
  • In 2024, investment scams led financial losses by type of cybercrime, with reported losses nearing $6.6 billion.
  • 100 of the most high-profile cybercrime cases from 1988 to 2025 collectively resulted in financial losses surpassing $128 billion.

Introduction

Cybercrime has become a global economic threat, with costs soaring across sectors and borders. But who’s paying the price — and how has that changed over time?

We at vpnMentor offer a two-layered analysis: 25 years of FBI IC3 data reveal long-term domestic trends, while a review of major global incidents highlights shifting tactics, targets, and financial impacts worldwide. Together, these perspectives shed light on the true cost of cybercrime — and how it's evolving.

U.S. Consumer-Side Data (FBI IC3 Reports)

To deliver a comprehensive analysis of cybercrime trends in the U.S., we examined data collected by the Internet Crime Complaint Center (IC3), a division of the FBI that gathers and analyzes cybercrime reports to aid law enforcement.

Based on the IC3’s 2024 report, phishing topped the list with the highest number of complaints in 2024, totaling 193,407. This was followed by extortion, which had 86,415 complaints, and personal data breaches, with 64,882 complaints.

Data from previous years shows a consistent trend, with phishing being the most reported cybercrime from 2019 onward, whereas non-payment scams recorded the highest number of complaints between 2015 and 2018.

In 2024, the total number of cybercrime complaints reached 859,532, equating to approximately one complaint for every 395 U.S. residents. The volume of cybercrime complaints reported to the IC3 has steadily increased over time, growing 51-fold from 16,838 complaints in 2000 to the 2024 total.

Financial losses due to these cybercrimes have also steadily increased over the years. In 2024, losses reported to the IC3 reached a new record of an astounding $16.6 billion. This represents a 32.8% rise compared to the previous year, when $12.5 billion was lost to cybercrime.

With losses at a relatively modest $6.7 million in 2000, this amounts to an almost 2,500-fold increase in financial losses due to cybercrime over the course of 24 years.

Analyzing financial losses by type of cybercrime, investment scams topped the list in 2024, with reported losses approaching $6.6 billion. Although phishing generated the highest number of complaints, it accounted for only $70 million in losses, representing just 0.4 percent of the total money lost that year.

Business Email Compromise (BEC) received just 21,442 complaints — less than one-tenth the number reported for phishing — yet it was the second most costly cybercrime in 2024, resulting in $2.8 billion in losses.

In the following table, you can see the breakdown of cybercrime complaints and associated financial losses in the U.S. from 2015 to 2024, categorized by crime type.

IC3 also found that, in 2024, financial losses due to cybercrime grew exponentially as age increased. For instance, seniors led in both the number of complaints filed and the total financial losses, with 147,127 complaints and $4.8 billion lost.

In contrast, individuals under 20 reported the fewest complaints and the lowest financial losses, totaling 17,993 complaints and $22.5 million lost. Young adults also experienced relatively low figures, with 71,399 complaints and $540.1 million in losses.

As illustrated in the following chart, this trend has remained steady over the years, with senior citizens aged over 60 consistently reporting the highest financial losses since 2015, when they faced $283 million in cybercrime losses. This escalated to $4.8 billion in 2024 — an extraordinary increase of approximately 1,595%.

Corporate & Global Incidents

For this research, we analyzed 100 of the most high-profile cybercrime cases from 1988 to 2025 and found that together they have caused financial losses exceeding $128 billion.

Out of the 100 cybercrimes analyzed, data breaches are the most prevalent, accounting for 35 reported incidents. Notable examples include the Yahoo mega-breach, the Equifax breach, the Target data breach, and the Capital One cloud breach.

Ransomware attacks, however, inflicted the greatest financial damage on corporations, with combined losses exceeding $6 billion.

This aligns with broader cybersecurity industry predictions for 2025, where global ransomware damages are expected to reach tens of billions of dollars annually — Cybersecurity Ventures predicts around $57 billion globally in 2025 alone.

The major financial impact arises not only from ransom payments but also from downtime, operational disruptions, recovery costs, legal consequences, reputational damage, and regulatory fines.

Out of the corporations analyzed, Change Healthcare took the biggest hit, suffering an estimated financial impact of $1.6 billion from the 2024 ransomware attack, with later estimates revising the total anticipated cost to nearly $2.87 billion for the year. This includes direct response costs, ransom payments, operational disruptions, and reimbursements to healthcare providers affected by the outage.

In terms of the single cyber incident with the highest financial loss, the MyDoom malware ranks highest, causing an estimated $38 billion in damages. It is followed by the Klez mass-mailer worm, which resulted in around $20 billion in losses.

Other significant incidents include the NotPetya malware attack, with approximately $10 billion in damages, and the MOVEit mass exploit supply-chain attack, which caused nearly $9.9 billion in financial harm.

These incidents highlight the devastating economic impact that widespread malware outbreaks and sophisticated cyber attacks can have on organizations and economies worldwide.

Below, we dive into some of the most significant cyber attacks in recent years in terms of impact and financial losses.

NotPetya (2017)

The NotPetya cyber attack, launched in June 2017, is considered one of the most devastating and costly cyber attacks in history, causing over $10 billion in damages. Initially targeting Ukraine, it spread rapidly to infect computers worldwide. The attack began by compromising the update servers of M.E.Doc, a widely used Ukrainian tax software.

NotPetya was disguised as ransomware, displaying a message demanding a $300 ransom in Bitcoin to unlock encrypted files. However, the malware was actually a destructive wiper that irreversibly locked computers and made data recovery impossible even if the ransom was paid.

NotPetya is widely attributed to Russian military hackers and is believed to have been a state-sponsored attack aimed at destabilizing Ukraine, making it more of a cyberweapon than typical financially motivated ransomware.

Equifax (2017)

In 2017, Equifax, an American credit reporting agency, experienced one of the largest data breaches in history when cyber criminals exploited a known vulnerability in the Apache Struts software used by the company.

The breach exposed the sensitive personal information of approximately 148 million Americans, as well as millions of individuals in the U.K. and Canada. The compromised data included names, social security numbers, birth dates, addresses, and, in some cases, credit card numbers.

The breach occurred between May and July 2017 but was not publicly announced until September 2017, giving attackers enough time to extract vast amounts of data and put millions at risk of identity theft and fraud.

The incident highlighted serious concerns about cybersecurity practices in large organizations, particularly since Equifax was informed of the software vulnerability in March 2017 but did not apply the necessary patch despite repeated warnings.

Colonial Pipeline (2021)

In May 2021, the Colonial Pipeline, the largest refined oil products pipeline in the United States, was targeted in a ransomware cyber attack by the hacking group DarkSide. The cybercriminals gained access through a compromised VPN password on an inactive account that lacked multi-factor authentication.

In response to the attack, Colonial Pipeline shut down the entire 5,500-mile pipeline system, which disrupted fuel supplies along the East Coast and caused fuel shortages, panic buying, and increased prices.

The attackers stole about 100 gigabytes of data and demanded a ransom of 75 bitcoins, roughly $4.4 million at the time. Colonial Pipeline paid the ransom quickly to restore operations, and the FBI later recovered a portion of the ransom payment.

The attack highlighted serious vulnerabilities in critical infrastructure security, particularly related to insufficient security controls like the absence of multi-factor authentication.

WannaCry Ransomware Attack (2017)

The WannaCry ransomware attack began on May 12, 2017, affecting over 200,000 computers in more than 150 countries. It targeted Windows systems by encrypting files and demanding an initial ransom of $300 in Bitcoin, which doubled to $600 if not paid within a few days.

The attack spread rapidly using the EternalBlue exploit, which was developed by the U.S. National Security Agency (NSA) for Windows systems and leaked by a hacking group called the Shadow Brokers. Notable victims included the U.K.'s National Health Service (NHS), FedEx, Honda, and Nissan, causing major disruptions.

The attack highlighted the risks of unpatched software and was attributed to North Korea. Despite the widespread damage, paying the ransom was often ineffective because faults in the attackers' code prevented victims from recovering their data even after payment.

MOVEit Exploit (2023)

In May 2023, a critical zero-day vulnerability (CVE-2023-34362) was discovered in MOVEit Transfer, a widely used file transfer software. The attack was orchestrated by ransomware group Cl0p, exposing the sensitive data of around 2,700 organizations, including government agencies, healthcare, finance, and other sectors, as well as 93 million individuals.

Despite Progress Software releasing a patch by May 31, mass exploitation continued, with notable breaches reported in the U.K. (BBC, British Airways), the Canadian government, U.S. government agencies, and many other institutions.

The incident caused massive financial damage estimated at around $9.9 billion and highlighted the vulnerabilities in software supply chains, showing how a single flaw in widely used software can lead to severe consequences.

Emerging Threats: AI & Supply Chains

In its 2025 Internet Organised Crime Threat Assessment report, Europol, the European Union's law enforcement agency, warned about the increasing use of AI in cybercrime.

According to Europol’s findings, AI can be used in the abuse of biometric data through harvested digital photos. Criminals use AI technologies, such as deepfake and synthetic media, to manipulate biometric information and carry out identity fraud and impersonation attacks.

A notable form of AI-driven cybercrime that has become increasingly prevalent in recent years is the deepfake CEO scam. In this type of scam, criminals use AI-generated audio or video to impersonate the CEO of a company and trick employees, often in finance or HR departments, into transferring money or revealing sensitive information.

For example, in March 2025, a finance director in Singapore was deceived by a deepfake video call impersonating the company’s CFO and other executives, leading to a fraudulent fund transfer of nearly $500,000.

Deepfake CEO scams are growing rapidly — according to Resemble AI's Deepfake Incident Report, more than 105,000 deepfake attacks were reported worldwide in 2024 and financial losses from deepfake scams exceeded $200 million in Q1 2025 alone.

Another critical emerging threat in cybercrime is supply chain attacks, a type of cyberattack in which criminals target less secure elements within an organization's supply chain to gain unauthorized access to the organization's systems or data.

Perhaps the most notable case of a supply chain attack is the CrowdStrike incident. In July 2024, American cybersecurity company CrowdStrike released a faulty update to its Falcon software, causing approximately 8.5 million Windows systems to crash with “blue screens of death.”

The outage disrupted many industries worldwide, including airlines, healthcare companies, and financial firms. Delta Air Lines alone faced losses of over $500 million with thousands of canceled flights. The incident caused significant reputational and financial damage to CrowdStrike, including a nearly 25% stock drop, and has been called one of the largest IT outages in history.

The Underreporting Problem

According to Chainalysis, a blockchain data platform, ransomware payments reached approximately $457 million in 2022. However, during the same period, the FBI’s Internet Crime Complaint Center (IC3) reported only about $34 million in ransomware-related losses.

Chainalysis captures all ransom payments made in cryptocurrency, providing a more complete picture of the actual financial impact. IC3, on the other hand, reports only the incidents and losses that victims choose to officially file.

This stark difference highlights a significant underreporting issue in cybercrime — suggesting that only about 1 in 10 ransomware victims officially report their attacks or losses to authorities.

Many victims fear reputational damage and negative publicity that could arise from disclosing an attack, especially businesses worried about losing customer trust or investor confidence. Others may simply be unaware of the importance of reporting or do not know where or how to report incidents to authorities.

Additionally, some believe that reporting will not lead to any meaningful assistance, viewing engagement with law enforcement as ineffective or a potential distraction from recovery efforts.

Conclusion

The financial impact of cybercrime is staggering, with global losses projected to be trillions of dollars annually. The burden falls unevenly across different groups, with investment scams and elder fraud causing particularly severe financial harm. Additionally, the evolving tactics of cybercriminals — accelerated by technological advancements like AI — mean that the landscape of threats is constantly shifting, demanding adaptive and proactive defense strategies.

Despite the daunting figures, understanding who is paying and how the costs are distributed provides critical insight for shaping effective cybersecurity policies and protections.


About the Author

vpnMentor Research Lab is a pro bono service that strives to help the online community defend itself against cyber threats while educating organizations on protecting their users’ data.
Our security research team has discovered and disclosed some of the most impactful data breaches in recent years.
