Stolen Credentials Drive the Rise of Financially Motivated Cyberattacks

Throughout the first half of 2025, the FortiGuard Incident Response team investigated dozens of security breaches across multiple industries driven by financially motivated threat actors.

What emerged from these investigations was a striking pattern: attackers are abandoning complex, malware-heavy approaches in favor of a deceptively simple method—simply logging in using stolen credentials and leveraging legitimate remote access tools to blend seamlessly into normal business operations.

This shift represents a fundamental change in how modern cybercriminals operate. Rather than deploying sophisticated implants or zero-day exploits, financially motivated adversaries are weaponizing the tools that defenders often overlook: valid user accounts and remote management software.

The findings align closely with FortiRecon Threat Intelligence Report data from H1 2025, showing that external credential exposure trends mirror those observed during active incident response engagements across diverse industry sectors.

The initial access vector in most investigated cases followed a consistent ...