Europol ¦ How Encryption, Proxies and AI are Expanding Cybercrime – Lessons from IOCTA 2026

The velocity gap – why modern cybercrime outruns police

The Internet Organised Crime Threat Assessment (IOCTA) 2026 portrays a cybercrime ecosystem that is both faster and more elusive than in previous years. Criminals are shortening the time between reconnaissance and exploitation while automating many stages of the criminal workflow. End-to-end encrypted (E2EE) apps, layered anonymisation (VPN‑chaining, Tor, residential proxies), self‑deployed hosting and fragmented dark web markets create pervasive investigation blind spots. At the same time, readily available AI tools lower the skills needed to craft convincing social engineering, to generate malicious code variants, or to produce synthetic child sexual abuse material (CSAM). The combined effect is a widening “velocity gap” where law enforcement struggles to obtain timely data, trace transactions and preserve evidence before criminals move on.

Dark web fragmentation, specialisation and resilience

Europol’s IOCTA finds the old single‑hub model of large generalist marketplaces giving way to multiple smaller, specialised platforms. These markets and forums remain remarkably resilient: takedowns produce rapid user migration to successor sites and to alternative channels. Forums continue to be the main onboarding and migration spaces for criminals – acting as incubators for new talent, operational tradecraft and recruitment. Administrators increasingly plan controlled shutdowns and exit scams to protect themselves and their funds from seizure, reducing the time window for investigators to act.

At the same time, the distinction between surface web and dark web is blurring. E2EE apps and anonymising services are woven across both environments. Criminals use this hybrid landscape to reach broader audiences while keeping communication protected from interception – a development that complicates traditional policing strategies.

Bastian Schwind-Wagner

"Cybercrime today moves faster and hides better – encryption, proxies and AI let offenders scale operations, automate deception and erase evidence trails before investigators can act. To close this “velocity gap”, authorities must couple stronger lawful access and data preservation mechanisms with rapid public–private cooperation that shortens response times and preserves actionable evidence.

Targeting the enablers – infostealer services, SIM farms, mixing platforms and illicit hosting – will yield the highest leverage: disrupting upstream infrastructure breaks many downstream schemes. Simultaneously, law enforcement needs AI‑assisted tools for triage, link analysis and multimedia forensics so investigations can operate at the speed and scale of the adversary."

Cryptocurrency and the laundering pain‑point

Cryptocurrencies remain the main payment rail for ransomware, marketplace transactions and many online fraud schemes. IOCTA 2026 highlights a shift toward higher‑opacity coins, chain‑hopping via blockchain bridges, and increased use of on‑chain mixers and decentralised exchanges (DEXs) that avoid traditional KYC controls. These trends make forensic tracing harder and speed up the movement of illicit funds across chains and jurisdictions. Mixing‑as‑a‑service and smart‑contract mixers that settle instantly on‑chain are replacing slower coinjoin rounds, reducing investigators’ reaction time and complicating asset recovery efforts.
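The chain‑hopping and mixing pattern described above, as an added Python illustration that is not part of the Europol report or of this article: a constructed ledger on two hypothetical chains, a bridge that releases on the second chain what was deposited on the first, and a mixer pool that also takes deposits from uninvolved users. A proportional ("haircut") taint model follows the ransom payment and shows where deterministic provenance is lost. Chain names, addresses and amounts are made up, and the bridge deposit/release pairing is assumed to be known to the tracer.

```python
"""Flow tracing through a bridge and a mixer on a constructed ledger.

Constructed example, not data from the IOCTA report. A proportional
("haircut") taint model follows a ransom payment across a bridge hop and
into a mixer pool, and shows where single-path attribution breaks down.
"""
from collections import defaultdict, namedtuple

Transfer = namedtuple("Transfer", "chain sender receiver amount tainted")

# Chronological ledger: (chain, sender, receiver, amount). Constructed sample.
LEDGER = [
    ("chainA", "victim",         "ransom_wallet",  10.0),
    ("chainA", "ransom_wallet",  "bridge_deposit", 10.0),  # chain-hop via bridge
    ("chainB", "bridge_release", "hop1",           10.0),
    ("chainB", "hop1",           "mixer_pool",     10.0),  # into the mixer
    ("chainB", "clean_user_1",   "mixer_pool",     20.0),  # unrelated deposits
    ("chainB", "clean_user_2",   "mixer_pool",     10.0),
    ("chainB", "mixer_pool",     "fresh_1",        10.0),  # payouts to fresh addresses
    ("chainB", "mixer_pool",     "fresh_2",        10.0),
    ("chainB", "mixer_pool",     "fresh_3",        10.0),
    ("chainB", "mixer_pool",     "fresh_4",        10.0),
    ("chainB", "fresh_3",        "dex_cashout",    10.0),  # swapped on a DEX
]

# Bridge deposit/release pairing the tracer has established (assumption: the
# bridge's own records or amount/timing matching made this link available).
BRIDGE_LINKS = {"bridge_deposit": "bridge_release"}


def trace_taint(ledger, seed, bridge_links):
    """Return each transfer annotated with how much of it derives from `seed`.

    Haircut rule: an address passes on taint in proportion to the tainted share
    of what it holds. Funds spent by an address with no recorded inflow are
    treated as clean money from outside the observed ledger.
    """
    tainted = defaultdict(float)   # tainted units held per address
    held = defaultdict(float)      # total units held per address
    result = []
    for chain, sender, receiver, amount in ledger:
        moved = 0.0
        if held[sender] > 0:
            share = tainted[sender] / held[sender]
            spent = min(amount, held[sender])
            moved = spent * share
            tainted[sender] -= moved
            held[sender] -= spent
        if receiver == seed:
            moved = amount                  # everything paid to the seed is illicit
        dest = bridge_links.get(receiver, receiver)   # follow the bridge hop
        tainted[dest] += moved
        held[dest] += amount
        result.append(Transfer(chain, sender, receiver, amount, moved))
    return result


def received_taint(transfers):
    """Per receiving address: (tainted units received, total units received)."""
    totals = defaultdict(lambda: [0.0, 0.0])
    for t in transfers:
        totals[t.receiver][0] += t.tainted
        totals[t.receiver][1] += t.amount
    return {addr: (tnt, tot) for addr, (tnt, tot) in totals.items()}


if __name__ == "__main__":
    for t in trace_taint(LEDGER, "ransom_wallet", BRIDGE_LINKS):
        print(f"{t.chain} {t.sender:>14} -> {t.receiver:<14} "
              f"{t.amount:5.1f}  tainted {t.tainted:4.1f}")
```

Provenance survives the bridge hop (the tracer still reaches hop1 with a 100 % share) but collapses at the pool: every payout, and the later DEX cash‑out, inherits the same 25 % share, which is exactly the ambiguity the report describes. Real tracing tools add heuristics (FIFO ordering, timing and amount correlation), but all of them face the same pooled deposits.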

Criminal infrastructure: from commercial BPH to proprietary stacks

A significant operational change is that some criminal groups are moving away from public bullet‑proof hosting (BPH) providers toward self‑deployed infrastructure and nested leasing arrangements spanning multiple jurisdictions. By owning or tightly controlling the hardware, or by hosting on sub‑sub‑leased servers, they reduce external evidentiary footprints and make takedown or data seizure more difficult. Combined with residential proxies and routing through compromised home devices, these setups are deliberately engineered to frustrate attribution and to create long, cross‑border chains of technical intermediaries.

SIM farms, IMSI catchers and the telecoms vector

Online fraud schemes increasingly rely on telecoms exploitation. Large SIM farms, often created through bulk purchases and international supply chains, provide the scale to run mass phishing, SMS‑based credential harvesting and social engineering campaigns. The IOCTA also notes increased criminal use of interception technologies such as IMSI catchers and SMS‑capable devices – tools that can downgrade connections, intercept messages and send spoofed communications. These capabilities allow criminals to bypass two‑factor protections and to sustain high‑volume attacks while masking origin points.
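To show why an interceptable SMS code fails as a second factor while an origin‑bound device key does not, here is an added Python model, constructed for this article rather than taken from the IOCTA report or from any vendor's protocol. An HMAC with a device‑held key stands in for the public‑key signature a FIDO2/WebAuthn authenticator would produce; user names, phone numbers and origins are placeholders.

```python
"""SMS OTP versus origin-bound challenge-response under interception.

Constructed demonstration (not from the IOCTA report). An attacker who can
read SMS traffic, e.g. via an IMSI catcher or a SIM-swapped number, replays
the one-time code. A key that never leaves the device and signs a server
challenge together with the site origin gives that interceptor nothing.
"""
import hashlib
import hmac
import secrets


class SmsChannel:
    """Models the telecom leg; every registered interceptor sees each message."""
    def __init__(self):
        self.inbox = {}
        self.interceptors = []

    def send(self, phone, text):
        self.inbox[phone] = text
        for seen in self.interceptors:
            seen.append((phone, text))


class SmsOtpServer:
    """Second factor whose secret itself travels over the interceptable channel."""
    def __init__(self, channel):
        self.channel = channel
        self.pending = {}

    def start_login(self, user, phone):
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[user] = code
        self.channel.send(phone, code)

    def finish_login(self, user, code):
        expected = self.pending.pop(user, None)
        return expected is not None and hmac.compare_digest(expected, code)


class Authenticator:
    """Device-held key; the response commits to the origin the device sees."""
    def __init__(self):
        self.key = secrets.token_bytes(32)     # never leaves the device

    def respond(self, origin, challenge):
        # HMAC stands in for the asymmetric signature a FIDO authenticator makes.
        return hmac.new(self.key, origin.encode() + challenge, hashlib.sha256).digest()


class DeviceKeyServer:
    def __init__(self, origin):
        self.origin = origin
        self.enrolled = {}
        self.pending = {}

    def enrol(self, user, authenticator):
        self.enrolled[user] = authenticator.key   # symmetric stand-in for a public key

    def start_login(self, user):
        challenge = secrets.token_bytes(32)        # may be observed by anyone
        self.pending[user] = challenge
        return challenge

    def finish_login(self, user, response):
        challenge = self.pending.pop(user, None)
        key = self.enrolled.get(user)
        if challenge is None or key is None:
            return False
        expected = hmac.new(key, self.origin.encode() + challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def sms_otp_interception():
    """Attacker reading the SMS channel logs in with the victim's code: True."""
    channel, seen = SmsChannel(), []
    channel.interceptors.append(seen)
    server = SmsOtpServer(channel)
    server.start_login("alice", "+10000000000")
    _phone, code = seen[-1]
    return server.finish_login("alice", code)


def _enrolled_server():
    server, device = DeviceKeyServer("https://bank.example"), Authenticator()
    server.enrol("alice", device)
    return server, device


def device_key_interception():
    """Same attacker sees the challenge but holds no key: False."""
    server, _device = _enrolled_server()
    challenge = server.start_login("alice")
    forged = hashlib.sha256(challenge).digest()   # best an interceptor can do
    return server.finish_login("alice", forged)


def device_key_relayed_through_phishing_site():
    """Device signs for the origin it actually sees; relay to the real site: False."""
    server, device = _enrolled_server()
    challenge = server.start_login("alice")       # attacker forwards it to the victim
    response = device.respond("https://bank-login.example", challenge)
    return server.finish_login("alice", response)


def device_key_legitimate():
    """Honest login from the real origin: True."""
    server, device = _enrolled_server()
    challenge = server.start_login("alice")
    return server.finish_login("alice", device.respond("https://bank.example", challenge))
```

The comparison isolates two properties: with SMS the secret is the message, so whoever reads the channel owns the factor; with a device key the channel carries only a fresh challenge, and because the origin is part of what is signed, a code relayed through a look‑alike site does not verify either. Rate limits or longer codes do not change the first case, which is why the report's telecom vector matters for any service still relying on SMS.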

Automation and AI – productivity tools turned weaponry

Automation and AI are a major accelerant across the entire cybercrime supply chain. Criminals use generative AI to compose highly personalised phishing messages, craft call centre scripts, automate voice interactions and generate malware variants. Large language models (LLMs) and offline or jailbroken AI systems are being adapted to criminal use cases: building phishing kits, writing exploit code or creating synthetic CSAM. IOCTA warns of the rise of agentic AI that could eventually coordinate multi‑step criminal workflows autonomously – increasing speed, diminishing the need for skilled operators and deepening the challenge for investigators to attribute actions to human actors.

Ransomware – splintered brands, shared ecosystems

Ransomware remains a dominant and evolving threat. Rather than a few persistent brands, the landscape in 2025–2026 was marked by many short‑lived and rapidly rebranding operations. The IOCTA underlines the existence of public RaaS (ransomware‑as‑a‑service) platforms that let virtually anyone launch attacks, semi‑closed programs that vet affiliates, and closed groups that retain bespoke capabilities and self‑sufficiency. Extortion has matured beyond encryption; modern campaigns rely heavily on multi‑vector pressure that includes data exfiltration, public leak sites, DDoS and psychological tactics such as cold calling – all designed to compel payment even where data recovery is possible. The report also highlights overlaps in affiliations, tooling and infrastructure between ransomware families, illustrating an interconnected marketplace of talent and services.

Hybrid threats and geopolitically motivated attacks

DDoS campaigns and targeted disruptions are increasingly used as instruments of geopolitical influence or proxy destabilisation. Europol’s analysis shows hybrid threat actors contracting cybercriminal services (or operating alongside them) to mount DDoS, intrusion and extortion campaigns. In a crime‑as‑a‑service (CaaS) economy, state‑linked or ideologically motivated actors are simply another customer, which complicates attribution and legal responses.

Online fraud schemes – industrialised, automated and scalable

Online fraud schemes – investment scams, business email compromise, romance fraud, tech support and payment system abuse – are the fastest growing organised crime area. These networks have industrialised processes that combine phishing, malvertising on very large online platforms (VLOPs), SIM‑based spoofing and virtual desktop infrastructure to mask origins and scale operations. Fraudsters leverage AI to personalise messaging and use voice bots to pre‑screen victims at industrial volumes. The growing supply of CaaS components – from infostealer botnets to credential markets and virtual desktops – enables rapid campaign assembly and near‑real‑time fraudulent cash‑outs.

Infostealers, IABs and the initial‑access economy

Infostealers and initial access brokers (IABs) are core enablers. Europol’s takedown operations in 2025 demonstrate that disrupting malware distribution networks and infostealer services can break the ransomware kill chain at source. Still, the persistent dynamism of the ecosystem means new services rapidly resurface or are replaced by variants. The defensive emphasis on these upstream enablers remains a high‑leverage law enforcement priority.

Child sexual exploitation: tech‑driven diversification of harm

Perhaps the most alarming theme in IOCTA 2026 is how technology multiplies both the scale of harm and the difficulty of investigation in child sexual exploitation (CSE). Offenders quickly adopt E2EE apps and decentralised platforms for grooming, sharing CSAM and operating closed communities. Financial extortion tied to CSAM has surged: victims are coerced to produce more images, to pay, or to perform violent acts. Meanwhile, AI‑generated CSAM is on the rise – both fully synthetic and AI‑altered real images. This complicates forensic verification, victim identification and legal thresholds. Trade in CSAM is also commercialising: platforms promising CSAM access sometimes operate as fraud fronts, and subscription models for AI‑generated material have been identified and disrupted by international operations.

Operational implications for investigations and prosecutors

IOCTA 2026 underscores several persistent, cross‑cutting investigative challenges. E2EE and jurisdictional fragmentation impede timely lawful access to content and metadata. Data retention policies vary widely and often produce gaps by the time a judicial request is served. Bullet‑proof and multi‑jurisdictional hosting arrangements, rapid platform migration and the use of residential proxies meaningfully increase both investigative workload and the number of cross‑border legal requests required to build a case. Because criminals rely on legitimate commercial services (cloud, social media advertising, neo‑banks) their activity often sits within the control of private providers – making public‑private collaboration essential, yet complicated by legal and policy constraints.

What to prioritise now

  • Strengthen public–private cooperation, especially with VLOPs, cloud providers, payment processors and telecom operators, so abuse reporting, automated takedowns and data preservation are faster and more consistent. Faster takedown of malicious domains and ad campaigns reduces victimisation at scale.
  • Close the gaps in forensic and jurisdictional practices by harmonising data retention and improving the rapid sharing of evidence across borders for cyber investigations requiring preserved traffic, logs and subscriber data.
  • Invest in law enforcement AI capabilities and automation to close the velocity gap – for triage, anomaly detection, link analysis, blockchain tracing and the processing of large multimedia evidence sets. Law enforcement must be able to work at the same speed as adversaries while safeguarding civil liberties.
  • Target the upstream enablers: infostealer botnets, IAB markets, SIM farms, and mixing services. Disrupting the supply chain creates disproportionate friction for large‑scale criminal operations.
  • Update anti‑money laundering and crypto oversight to address bridges, DEXs and privacy‑enhancing coins, and enhance international cooperation to trace and freeze cross‑chain flows.
  • Expand specialised units for CSE that combine technical expertise (image/AI provenance, platform forensics) with victim protection, trauma‑informed interviewing and cross‑border investigative reach.
  • Regulate and harden telecom processes: enforce SIM registration requirements and anti‑spoofing measures, and provide lawful access pathways with appropriate safeguards to counter IMSI‑style interception misuse by criminals.

Conclusions

IOCTA 2026 paints a coherent picture: cybercrime has become faster, more automated and more opaque. The marriage of E2EE, anonymisation infrastructure, crypto laundering techniques and AI tools creates an environment where criminal operations can scale quickly, evade detection and monetise harm in multiple ways. Disruption requires a comparable acceleration in lawful access to data, smarter automated analysis, deeper public–private cooperation and targeted actions against the enablers that make industrialised online crime possible. Without those shifts, the velocity gap will only widen – allowing criminals to cause more damage with less exposure.

The information in this article is of a general nature and is provided for informational purposes only. If you need legal advice for your individual situation, you should seek the advice of a qualified lawyer.
Dive deeper
  • Europol, The evolving threat landscape. How encryption, proxies and AI are expanding cybercrime – Internet Organised Crime Threat Assessment (IOCTA) 2026, Publications Office of the European Union, Luxembourg, 2026.
Bastian Schwind-Wagner is a recognized expert in anti-money laundering (AML), countering the financing of terrorism (CFT), compliance, data protection, risk management, and whistleblowing. He has worked for fund management companies for more than 24 years, where he has held senior positions in these areas.