Estimating Global Yearly Cybercrime Damage Costs

Direct losses: money stolen or extorted

Response costs: incident remediation and investigation

Defense spending: prevention measures We exclude harder-to-measure indirect costs such as intellectual property losses and reputational damage, and additional social harms such as national security considerations. We construct a composite estimate from three independent sources of evidence: (1) a nationally representative business victimisation survey from the UK government, scaled globally; (2) individual victimisation data from a US academic survey, scaled globally; and

global cybersecurity spending figures as a proxy for defense costs. Large-sample victimisation surveys capture losses directly from victims, which avoids both the reporting bias common in estimates and the heavy modeling assumptions required by approaches relying on macroeconomic estimates. | 1 We find:

Individual direct losses: ~$200 billion annually

Business direct and response costs: ~$200 billion annually

Additional defense spending: ~$100 billion annually

Total: ~$500 billion annually ○ 90% confidence interval: $100 billion to $1 trillion Implications for AI Risk Management If this report’s estimates are correct, a 20% increase would cross commonly cited damage thresholds. If current cybercrime damages approach $500 billion annually, an AI-driven increase of ~20% could add $100 billion or more, which would reach thresholds some companies identify as warranting additional risk mitigations. This is a relatively modest increase that could occur through efficiency gains in existing attack methods without requiring qualitatively new AI capabilities. However, data on cybercrime damage is too incomplete and ambiguous for incremental AI-driven increases to be directly detectable. There is no single data source that accurately captures total damages due to pervasive under-reporting, evolving crime definitions, and measurement inconsistencies. This means that even after-the-fact estimates of models’ contributions to cybercrime damage will necessarily be uncertain and require the use of multiple forms of evidence. Defensive adaptation also complicates net impact assessments. AI can substantially enhance defensive capabilities, not just offensive ones. The net effect of AI could be positive on the cybercrime landscape, but future modeling and data collection is needed to confirm this. Companies may also have regulatory obligations to consider potential cybercrime damage enabled by their AI systems. Companies’ safety frameworks typically focus on discrete events (e.g. individual cyberattacks) that cause large-scale harm. Cybercrime causes cumulative harm through many distributed incidents rather than a single catastrophic event. Yet regulatory obligations may not require this instantaneous framing. The EU AI Act’s Code of Practice identifies “enabling large-scale sophisticated cyber-attacks” as a systemic risk requiring assessment and mitigation, which could encompass AI-enabled scaling of many smaller attacks, not just single catastrophic events. | 2 Areas for Future Research

Developing indicators beyond aggregate cost estimates, such as monitoring for AI-generated code in malware samples, tracking criminal forum discussions of AI tool adoption, and observing labor market changes in fraud operations

Understanding the net impact of AI defenses across potential victims, including under-resourced government agencies, critical infrastructure providers, and organizations in developing countries

Developing harmonized data across multiple countries to reduce reliance on GDP scaling from Western nations Ultimately, although limitations remain, this report narrows plausible estimates of cybercrime damage from spans of multiple orders of magnitude to a more confident baseline. Our systematic methodology provides a foundation for more informed decision-making about AI-related cybercrime risks. This work represents the views of its authors, rather than the views of the organization, and does not constitute legal advice. GovAI technical reports have received extensive feedback, but have not gone through formal peer review. | 3 Global Cybercrime Damages A Baseline for Frontline AI Risk Assessment Kamile Lukosiute, John Halstead, Luca Righetti

In Section 2, we define cybercrime and cybercrime damages, establishing a taxonomy that distinguishes cyber-dependent crimes (attacks on systems) from cyber-assisted crimes (technology-enabled fraud), and categorising costs into direct losses, response costs, defense spending, and indirect impacts.

Section 3 reviews existing methods for estimating global cybercrime damages, examining 27 sources that employ approaches ranging from victimisation surveys to cryptocurrency flow analysis, and critically evaluates two commonly cited estimates in more depth: FBI complaint data and economic models by RAND.

Section 4 presents our own composite estimate of global cybercrime damages, grounded in business victimisation survey data from the UK, individual victimisation data from the US, and cybersecurity spending estimates to arrive at a total range of $200 billion to $550 billion annually.

Section 5 discusses the implications of our findings for AI safety policies, emphasizing that measuring AI’s impact on cybercrime will require building alternative measures of uplift because the error bounds in aggregate cost estimates are too large to see an effect.

The appendices provide detailed calculations, ransomware cost analysis, and additional estimates of scam center criminal revenues. | 6 Defining Cybercrime and Cybercrime Damages To measure cybercrime damages, we first need:

A definition of cybercrime: What exactly does a crime need to involve to be classed as ‘cybercrime’?

A definition of cybercrime damages: How socially damaging is a given amount of cybercrime to society? Defining Cybercrime There is no commonly agreed upon definition of cybercrime,9 a problem that partly motivated Congress to pass the “Better Cybercrime Metrics Act.”10 As part of the congressional effort to improve cybercrime measurement, the National Academies of Science developed a taxonomy of cybercrime distinguishing cyber-dependent crimes (those targeted specifically against machines and data) from cyber-assisted crimes (other types of crime, such as fraud, enabled by technology). This taxonomy is shown in Figure 2. We adopt this framework for systematically categorising cybercrime throughout this work. This framework is focused on the method and target of the attacks to define what constitutes a cybercrime. Therefore, attacks that are ideological in motivation but ultimately lead to illegal and unauthorized access to networks would be included. In this way, damages from state-sponsored espionage as well as damages from hacktivism are included in our estimates. 10 Better Cybercrime Metrics Act, Public L. No. 117–116, 136 Stat. 1180 (2022). 9 United States Government Accountability Office, “Cybercrime: Reporting Mechanisms Vary, and Agencies Face Challenges in Developing Metrics,” June 2023. | 7 Figure 2 | Cybercrime Classification and Measurement. Reproduced from: “Cybercrime Classification and Measurement”, NAS, 2025, pg. 9 This work focuses exclusively on categories (1) and (2), where established methods exist for estimating economic damages with reasonable precision. Categories (3) through (6) have real costs to society but their economic damages are more difficult to quantify reliably. Other work on cybercrime uses different and varying definitions, and it is important to bear in mind that different estimates of cybercrime damages may often in part reflect differences in the underlying definition of ‘cybercrime’ being used. Box 1. Notes on Scope Choices In discussions of AI within the AI community, “cybercrime” is often equated with, or primarily concerned with, cyber-attacks, particularly the danger of AI enabling technical exploits. For example, the International AI Safety Report discusses AI’s increasing ability to “discover and patch exploitable software flaws,”11 while the Appendix 1.4 of the EU AI Code of Practice identifies “risks from enabling large-scale sophisticated cyberattacks” as a key systemic risk. This raises the question: why include category (2), which consists primarily of fraud, in this analysis? 12 European Union, “EU AI Act: General-Purpose AI Code of Practice.” 11 International AI Safety Report 2025, “First Key Update: Capabilities and Risk Implications,” October 2025, 18. | 8 There are two reasons. First, law enforcement organizations express great concern about AI-enabled fraud operations, and have already observed such cases. Second, we include category (2) because fraud is typically how the harms from data breach attacks are ultimately realized by consumers. A substantial portion of fraud relies on information acquired through data breaches, and the majority of data breaches are conducted specifically to steal personally identifiable information for resale and ultimate use in fraud operations. While not all cyber fraud requires breach-acquired data (such as “pig butchering” scams), category (2) losses in the NAS taxonomy should be at least partly attributed to cybercrime costs borne not by breached institutions, but by downstream individuals. Defining Cybercrime Damages In this subsection, we explain how we will define cybercrime damages, i.e. how much financial and social damage a given amount of cybercrime causes. This is a conceptually challenging issue. For example, a ransomware attack on a company may cause the company to send an amount of money to criminals, but the damages of the attack are often larger. For example, the attack might also cause reduced production and thereby decrease revenues; it might cause the company and other companies to invest more in cybersecurity; it might reduce the stock price of the affected company or affect their reputation, and so on. In Table 1, we set out our definitions of different types of cybercrime damages. These definitions draw on, but are in some respects different to, definitions given in several different sources.15 15 The FBI’s IC3 report focuses primarily on direct financial losses – currency leaving a victim’s account and going to a criminal. See FBI, “Internet Complaint Crime Center.” The UK government’s cyber security breaches survey expands this to include “short-term direct costs,” “long-term direct costs,” and “indirect costs,” encompassing clean-up expenses and lost asset value. See DSIT, “Cyber Security Breaches Survey 2025,” updated June 19, 2025. Anderson et al. include the costs of defense and “prevention efforts,” including “security products such as spam filters and antivirus; security services provided to individuals, such as awareness raising; security services provided to industry,” etc. 14 Kosinski, Matthew, “What is a data breach?” IBM, n.d. 13 Europol, “IOCTA” | 9 Cost Type Definition Direct

currency leaving the victim’s bank account or crypto wallet and going to the account/wallet of a criminal (with an error of exchange and laundering costs). Includes money that people were scammed out of, was stolen, or paid willingly as ransom. Response

payments to external IT consultants or contractors to investigate or fix the problem

the cost of new or upgraded software or systems

recruitment costs if you had to hire someone new

the cost of any devices or equipment that needed replacing

any legal fees, insurance excess, fines, compensation, or PR costs related to the incident

Includes money that people were scammed out of, was stolen, or paid willingly as ransom. Defense

incident prevention costs (personnel and equipment) Indirect

business interruptions (time when staff could not do their jobs, lost business revenue directly attributable to attack)

inability of citizens to access public services (government sector equivalent of “lost revenue”)

death, or loss of life quality (healthcare sector equivalent of “lost revenue”)

lost revenue due to reputational costs

lost revenue (incl. by other organizations) due to loss of trust in safety of online services

value of lost IP

Erosion of trust in digital systems Table 1 | Definitions of Cost Categories. This table defines four categories of economic damages resulting from cybercrime: direct costs (money transferred to criminals), response costs (post-incident remediation expenditures), defense costs (preventive security investments), and indirect costs (downstream economic impacts). We estimate direct, response, and defense costs; indirect costs are excluded. | 10 For the purposes of this work, we only attempt to estimate global direct, response, and defense costs. We exclude what we call ‘indirect costs’ because estimating these costs, including intellectual property losses and expected future revenue losses from reputational damage, is more challenging than estimating direct, response, and defense costs. Methods for estimating indirect costs are more likely to rely on subjective judgment. In economic cyber espionage, for example, even when theft is discovered, victims face protracted uncertainty in determining what was stolen, how it might be used, and the resulting financial impact to their competitive position. Even those estimates that attempt to use more objective measures, such as abnormal returns18 or studying litigated cases of corporate espionage,19 remain fraught due to the statistical difficulties of attributing firm-level outcomes to specific events. These losses, as well as other indirect costs such as reduced willingness to engage in online banking due to fraud concerns, represent real and important impacts. However, given the measurement challenges, we leave rigorous estimation of these costs for future work. We also exclude other non-financial costs, such as national security costs. In the next section, we discuss the viable methods we’ve identified for measuring these categories of costs against individuals and businesses/institutions due to cybercrime. 20 S. P Khotari and Jerold B. Warner, “Econometrics of Event Studies,” Working Paper (Center for Corporate Governance, Tuck School of Business at Dartmouth, May 19, 2006). 19 Dan Ciuriak and Maria Ptashkina, “Quantifying Trade Secret Theft: Policy Implications” (CIGI Papers No. 253, May 2021). 18 For example, see The Council of Economic Advisers, “The Cost of Malicious Cyber Activity to the U.S. Economy. 17 Tom Johansmeyer, “Insuring the Unseen: Closing the Protection Gap in Economic Cyber-Espionage” (American University CSINT Policy Paper Series, Fall 2025). 16 William Akoto and Trey Herr, “Primer on the Costs of Cyber Espionage,” American University Center for International Service, October 3, 2024; The Council of Economic Advisers, “The Cost of Malicious Cyber Activity to the U.S. Economy,” Figure 1. | 11 Reviewing Methods for Estimating Global Cybercrime Damages To identify and produce estimates of global cybercrime damages, we carried out a rapid review of the following sources:

Academic literature

Reports and data sources from national governments and intergovernmental organizations

Think tank reports

Reports and data sources from cybersecurity companies and insurers. We also consulted external experts to ensure completeness. Our summary sheet collects 27 different estimates of different subsets of cybercrime damages. 7 of these estimates are produced directly by the relevant source, while 20 are our own Fermi estimates inferred from different data sources and based on various uncertain assumptions. Table 2 shows all the sources we considered, grouped by method type. There are 6 shared common methodology types: Aggregate consumer reports. These estimates are based on cumulative losses reported to national centralized government agencies that collect crime reports for cybercrime and fraud, which we scale to world GDP with uncertainty bounds created using estimates of under-reporting rates. Victimisation surveys. To better calibrate under-reporting, researchers and national bodies ask random, large samples of businesses or individuals if they have been victims of a cybercrime; we can then scale to the full population using average loss and incident rate estimates. Illicit cryptocurrency flows. By tracking inflows into known crypto wallets of cybercriminals and assuming all inflows are due to cybercrime activity, it is possible to estimate direct losses in crypto payments. Scammer revenue reports. By tracking the daily revenues of scammers via self-reported earnings, it is possible to estimate the global earnings of scammers, which provides an estimate of direct losses due to scamming. | 12 Economic modeling. These estimates are based on extrapolations of individual hacking event data to the global economy. No published methods. We identify several sources providing estimates of cybersecurity spending or other cybercrime costs that do not publish a methodology. Method Type Methodology Issues Primary Source Individual or business cost estimate Loss Types Assessed Is the final estimate our own or reported directly in the original source? Infer from victimisation Incomplete taxonomy coverage, absence of verification. Norton (2023) Individual Individual Our own Breen et al. (2022) Individual Individual Our own AIC (2024) Individual Individual Our own Riek and Böhme (2018) Individual Individual Our own FTC Fraud Survey (2019) Individual Individual Our own NCVS Financial Fraud Survey (2021) Individual Individual Our own NCVS Identity Theft (2023) Individual Individual Our own European Commission (2022) Business Business Our own Accenture (2019) Business Business Our own DSIT (2025) Business Business Our own | 13 CBS (2023) Business Business Our own Infer from Aggregated Consumer Reports Incomplete taxonomy coverage, absence of verification, under-reporting bias UNODC (2024) Individual Direct Our own FTC Consumer Sentinel Report (2025) Individual Direct Our own Report Fraud (2025) Individual, business Direct Our own IC3 (2025) Individual, business Direct Our own Meurs (2024) and Meurs et al. (2025) Business Direct, response Our own Infer from illicit cryptocurrency flows Incomplete taxonomy coverage Chainalysis (2025) Individual, business Direct Our own Griffin and Mei (2024) Individual, business Direct Our own Infer from economic modeling Incomplete taxonomy coverage, severity selection bias RAND (2018) (Model 1) Business Direct, response, indirect Reported RAND (2018) (Model 2) Business Direct, response, indirect Reported RAND (2018) (Model 3) Business Direct, response, indirect Reported CEA (2018) Business Direct, response, indirect Our own Infer from scammer Incomplete taxonomy Various reports from Individual Direct Our own | 14 revenues in human trafficking reports coverage trafficking victims No published methods Incomplete taxonomy coverage eSentire (2024) Business Direct, response, indirect Reported Forrester (2025) Business Response, defense Reported Gartner (2025) Business Response, defense Reported IDC (2025) Business Response, defense Reported Table 2 | Estimates of global cybercrime costs. Summary table of sources and estimates of global cybercrime costs considered in this work Elaborating on Methodology Issues The methods we review and develop ourselves all face an overlapping set of issues. To conceptualise where these issues arise, consider a framework for how one would ideally measure total cybercrime damages. We can express total economic damages as the sum, across all crime types, of three terms: the average cost per incident, the relevant victim population, and the victimisation rate (Figure 3). Figure 3 | Cybercrime Cost Framework. A conceptual framework for estimating the total cost of all cybercrimes. We use this framework to discuss the limitations of methods commonly used to derive global estimates. Inaccurate estimation of any term in this equation leads to unreliable estimates. First, many methods cover only some crimes within the summation and are unclear about which are included; we call this problem incomplete coverage. For example cryptocurrency | 15 analysis provides payment data,21 but without knowing what fraction of total cybercrime payments flow through cryptocurrency, we cannot assess total cybercrime damages. Second, estimates of the average cost may be biased in two ways. Lack of verification can inflate reported costs: victims typically report losses at the time of the incident, yet may subsequently recover a portion through chargebacks, insurance, or law enforcement intervention. Alternatively, when surveys do not clearly define “cost,” victims may interpret it inconsistently. Without independent verification of victim reports, it is challenging to assess the accuracy of resulting estimates. In addition, average cost estimates derived from event databases suffer from severity selection bias: these databases capture only highly publicized or mandatorily disclosed incidents, which are not representative of the typical cybercrime experienced by smaller businesses and government institutions. Third, estimates of victimisation rate from central reporting agencies (such as UK Report Fraud or US FBI IC3) face under-reporting bias: only a fraction of crimes are reported, making true victimisation rates impossible to determine directly. The relevant victim population (e.g. adults over 18 in the US, or all registered businesses) can typically be obtained from census data or business registries with reasonable accuracy. However, scaling from a surveyed population to a broader one (e.g. UK to global, or businesses to all economic entities) introduces uncertainty, which we address in Section 4. Reviewing Commonly Cited Estimates The estimates outlined in Table 2 have different strengths and weaknesses. In this section, we review the strengths and limitations of two estimates which are commonly cited for global cybercrime damages: inference from FBI Crime Complaint Center data and RAND’s 2018 economic modeling-based estimates. We use this section to highlight the methodological problems we discussed in the previous section using real data. Inference from FBI Crime Complaint Center Data An Overview of the Original Data Source Many countries have centralized reporting systems which allow individuals and businesses to report cybercrime. The most prominent of these is the FBI’s Crime Complaint Center (IC3), which is the USA’s “primary destination for the public to report cyber-enabled crime and fraud as well as a key source for information on scams and cyber threats.”22 IC3 collects complaints from both individuals and from businesses. Cybercrime victims are “encouraged and often directed by law enforcement” to file cybercrime complaints to IC3.23 23 FBI Internet Crime Complaint Center, “Internet Crime Report 2024,” 3. 22 FBI Internet Crime Complaint Center, “Internet Crime Report 2024,” 6. 21 Chainalysis, “The 2025 Crypto Crime Report,” February 2025. | 16 The IC3 collects reports of a wide variety of cybercrimes, ranging from fraud and scams against individuals to corporate data breach reports and hacking. In terms of the NAS taxonomy, this encompasses direct losses for both individuals and businesses under categories (1) and (2). In 2024, the IC3 received nearly 860,000 complaints, around 256,000 of which were associated with an actual loss of money. The average loss per complaint was around $19,000, and thus total reported losses were $16.6 billion. A Description of Our Method Using the FBI IC3 Data The FBI IC3 data is not intended to be a direct, complete estimate of global cybercrime, despite often being used as such. Its limitations for that purpose include:

Covers predominantly US victims. The FBI IC3 collects reports of crimes predominantly from US nationals and uses the database to work with US local law enforcement agencies. While the system accepts international submissions, the vast majority of complaints are US-based. Approximately 15% of 2024 complaints listed a non-US complainant address,25 though this reflects reported location rather than nationality. This means we need to find some way to extrapolate predominantly US damages to global damages.

Suffers from under-reporting. The head of the IC3 stated that the number of complaints only represented 10% to 12% of cybercrime victims in the US in 2016.26 While the basis for this estimate is unclear, it aligns broadly with other estimates of cybercrime reporting rates. The UK National Crime Agency estimates a reporting rate of around 14%, while the reporting rate for businesses appears to be around 10% to 18%.27

Only includes direct cost. The IC3 data does not capture response and defense costs. When filing a report, transaction information is requested to back up claims about losses, suggesting that only direct financial losses are included.

The scope of covered costs is ambiguous. While IC3 documentation indicates that remediation costs are excluded for ransomware incidents, substantial loss amounts are reported for business data breaches ($364M29). This is notable given the lack of an obvious wire transaction or direct financial transfer in such incidents. It is also 30 It might be that these “direct losses” are extortion payments, though this is not mentioned in the FBI IC3 report. See e.g. recent data extortion campaign in Peter Ukhanov et al., “Oracle E-Business Suite Zero-Day Exploited in Widespread Extortion Campaign,” Mandiant, October 9, 2025. 29 FBI Internet Crime Complaint Center, “Internet Crime Report 2024,” 10. 28 FBI Internet Crime Complaint Center, “Internet Crime Report 2024,” 10. 27 National Crime Agency, “Fraud,” n.d.; European Commission, “SMEs and Cybercrime,” May 2022; See DSIT, “Cyber Security Breaches Survey 2024,” April 9, 2024. 26 Al Baker, “An ‘Iceberg’ of Unseen Crimes: Many Cyber Offenses Go Unreported,” The New York Times, February 5, 2018. 25 FBI Internet Crime Complaint Center, “Internet Crime Report 2024,” 16. 24 FBI Internet Crime Complaint Center, “Internet Crime Report 2024,” 4. | 17 unclear whether all of the losses recorded in IC3 data ultimately represent permanent financial losses. For example, FBI sources indicate that the Recovery Asset Team is able to freeze or recover roughly 70% of funds in certain domestic business email compromise cases,31 though this applies to only a subset of incidents (far smaller than the $2.7 billion in losses reported overall in 2022).32 In our simple model, we correct for the first two factors by making adjustments to the headline FBI IC3 loss estimates. For a ‘simple’ estimate, we can scale the loss estimates to the world by assuming that cybercrime losses scale with GDP. Since world GDP is 3.8x US GDP,33 we scale the losses by 3.8x. Secondly, to account for under-reporting, we assume a reporting rate of 10%, and assume that the average loss for unreported cybercrime is the same as for reported cybercrime. Table 3 below summarizes this calculation. Variable Value Description Source Aggregate losses (2024) $16.6B Hard-coded input FBI IC3 Under-reporting scale-up 10X Subjective assumption Claim by former IC3 Director (Baker, 2018) US to global scale-up 3.8X Subjective assumption World GDP/US GDP Inferred damages (Simple) $630.8B Calculation Table 3 | Inferring Cybercrime Damages. A simple model inferring global cybercrime damages from FBI data. Limitations Even making these adjustments, this estimate has several limitations that could bias it in either direction. For example, the under-reporting scale-up may be too large and therefore creating an overestimate. The under-reporting rate assumed (10%) is at the lower end of other estimates. Moreover, the assumption that the average loss for unreported cybercrime is the same as for reported cybercrime, may not be correct. It is plausible that victims suffering larger losses are 34 The full calculations are in .[Cybercrime] Incidence Rates and Lossess 33 World Bank, “GDP (Current US$),” World Bank Group, 2024. 32 FBI Internet Crime Complaint Center, “Internet Crime Report 2022.” 31 FBI Internet Crime Complaint Center, “IC3 Asset Recovery Team,” n.d. | 18 more likely to report the loss to IC3. Thus, the 10X “under-reporting scale-up factor” may be too high. If we assume a 90% reporting rate (i.e. minimal under-reporting, which seems extreme), the implied damages are around $70 billion. Second, scaling damages by GDP may not be appropriate. This assumes that wealthier countries present more lucrative targets; however, some countries may be targeted more than others for non-economic reasons. As we noted above, this estimate only includes direct costs, and so only captures a subset of cybercrime damages, excluding damages from response and defense. Overall, we have low to moderate confidence in this estimate as an estimate of direct losses. A plausible range of losses that assumes that the percentage of cybercrimes that are ultimately reported to the FBI is between 10% and 90% is $70 billion to $630 billion. RAND Economic Modeling-Based Estimates An Overview of the Original Data Source The RAND Corporation published a 2018 report attempting to estimate global cybercrime costs through economic modeling. The report employs two distinct modeling approaches across three models, producing estimates that range from hundreds of billions to tens of trillions of dollars. All methods aim to capture direct, response, and indirect costs to businesses across all industry sectors globally. All three models seem to cover all cyber-attacks on the networks of economically productive sectors; this implies that this covers costs of category (1) of the NAS taxonomy (“Acts Targeted Against Machines, Data, or Systems”) discussed in Section 2. A Description of the Methods Used Models 1 and 2 share a common framework: they calculate the value that could be “successfully destroyed, stolen, or otherwise lost” across different cyber-attack types (“perils”), financial exposures (IP, capital assets, income), and industry sectors. Both models go sector-by-sector, estimating how much economic value could be destroyed by cyber-attacks, then add the downstream effects when one sector's disruption ripples through to others. Model 1 derives both its exposure fractions (what fraction of each asset type is vulnerable) and peril impact rates (what fraction of vulnerable assets would actually be lost in an attack) from a 2016 analysis by Deloitte of approximately 50 Dutch companies, adapted and mapped to the RAND taxonomy. Model 2 uses the same peril impact rates but estimates exposure fractions 36 B. Jacobs, J. Bulters, and M. van Wieren,“Modeling the Impact of Cyber Risk for Major Dutch Organizations,” in Proceedings of The 15th European Conference on Cyber Warfare and Security, ed. by Robert Koch and Gabi Rodosek (Academic Conferences and publishing limited, 2016); Deloitte, “Cyber Value at Risk in the Netherlands,” 2016. 35 Paul Dreyer et al., “Estimating the Global Cost of Cyber Risk: Methodology and Examples,” (Santa Monica, CA: RAND Corporation, 2018). | 19 differently, using regression analysis of financial data from 4,447 publicly traded companies in SEC filings, relating R&D spending (as a proxy for IP), total assets, and net income to revenue across sectors. Model 3 takes a different approach to estimate the total “value at risk” in cyber-attacks using the Advisen database of approximately 900 cyber events with cost estimates from 2005-2015.37 The approach then computes the fraction of revenue lost for a given company in a given incident; this fraction of revenue is then applied to the total output of a given sector, and scaled to a number of industry sectors. This process is done a number of times (what they call “bootstrap resampling”) to create distribution of values at risk. The resulting estimates are:

Model 1: Direct costs of $275 billion; total costs of $799 billion

Model 2: Direct costs of $3.2 trillion; total costs of $10.1 trillion

Model 3: Direct costs of $6.6 trillion; total costs of $22.5 trillion Limitations and Biases All three models face significant methodological challenges that severely limit their reliability. Models 1 and 2 share a fundamental limitation: neither incorporates any probability of attacks occurring. In risk terminology (risk = likelihood × impact), these models estimate only the “impact” component while ignoring likelihood. They calculate what could be lost if all identified exposures were successfully attacked, not what is lost in practice. Model 1 relies on survey responses about cyber-vulnerable assets (exposure fractions) from just 50 Dutch companies. Model 2, while based on larger-scale data, attempts to adjust for the subjectivity by assuming that all assets are vulnerable: the report acknowledges it “includes all exposures, regardless of whether they could be affected by cyberattacks (e.g. a cornfield would be included).”38 This explains why Model 2's estimates are over 10 times larger than Model 1’s despite using the same framework. Model 3 suffers from severe unjustifiable probability and cost extrapolations. The method makes the implicit assumption that all businesses in a sector experience the same fraction of lost revenue as the business with a recorded incident in the Advisen database. However, the sample of 900 events is drawn from incidents severe enough to be recorded in the Advisen database – these represent atypically costly events rather than typical cyber damages. Overall, we have very low confidence in these estimates as measures of actual realized cybercrime costs. This is only natural, since it wasn’t the objective of the authors of the RAND 38 Paul Dreyer et al., 17, 37 See section “Alternative Method for Directly Estimating Potential Economic Damage” for full details on this method. | 20 report. All three models are better understood as theoretical maximum exposure analyses rather than empirical cost estimates. Interpreting $22.5 trillion as realized cybercrime damages would imply that costs are about 22% of World GDP, which is not reasonable. The range in estimates (2 orders of magnitude between the lowest and highest) illustrates the fundamental uncertainty in model-based approaches. These estimates may have value for scenario planning or understanding theoretical worst-case exposures, but should not be interpreted as estimates of current annual cybercrime damages. | 21 Our Composite Estimate of Global Cybercrime Damages Our best estimate of global cybercrime costs combines three distinct estimation approaches, each targeting different categories of costs within our taxonomy. This composite method is necessary because different sources measure losses separately for different victim types and cost categories, and no single source provides comprehensive coverage of all cybercrime costs. Specifically, we estimate: (1) business and institutional direct and response costs, (2) business defense spending, and (3) individual direct losses. While this approach involves some overlap between categories – particularly where defense spending may encompass some response costs – it represents the most methodologically sound approach given available data sources. In the following subsections, we detail each component of our estimate. Businesses: Direct and Response Costs An Overview of the Original Data Source The UK Department for Science, Innovation and Technology (DSIT), in partnership with the Home Office, conducts an annual survey of businesses and charities to assess cybersecurity spending and breach experiences. The 2025 survey included 2,180 UK businesses (that have employees) via random probability telephone and online survey. It provides the most comprehensive publicly available data on business cybersecurity costs. The survey found that 43% of businesses reported experiencing some form of cyber security breach or attack in the last 12 months. However, not all breaches result in material harm. Among businesses that experienced breaches, approximately 16% reported a “negative outcome” such as stolen money, corrupted software, temporary loss of access to files or networks, or other material impacts. The survey collects financial cost data for the most disruptive incident experienced by each organization. The DSIT categorizes these costs into four groups, though their taxonomy does not perfectly align with our own framework but it helpfully breaks down costs into sub-categories that we can then use to reconstruct: short-term direct costs, long-term direct costs, staff-time costs, and indirect costs. According to the survey, the average total cost of the most disruptive breach or attack from the last 12 months, among those identifying a breach or attack with an outcome was £8,260.42 The DSIT values represent the financial cost of the most disruptive incident – not the total annual cost across all incidents. Such a total number is not provided. However, the survey 42 DSIT, “Cyber Security Breaches Survey 2025,” Tab 4.5b. 41 DSIT, “Cyber Security Breaches Survey 2025,” Section 4.8. 40 DSIT, “Cyber Security Breaches Survey 2025,” Section 4.2. 39 DSIT, “Cyber Security Breaches Survey 2025,” Section 1.3. | 22 does separately ask about the frequency of any cyber-attacks. Among those identifying a breach in the last 12 months, 19% reported experiencing only one, 28% less than once a month, 23% once a month, and 29% weekly or more (Fig 4.5, DSIT, 2025). This implies an ‘average’ of ~20 attacks a year, again not all of which may have resulted in a “negative outcome” let alone “most disruptive”.43 Advantages of this Data Source Victimisation surveys represent one of the more methodologically sound approaches to estimating cybercrime costs, as they address the severe under-reporting problem that plagues aggregated complaint databases. By randomly sampling organizations and directly asking about their experiences, these surveys can establish more accurate prevalence rates and average losses. While several other business cybercrime victimisation surveys exist, including surveys from the Netherlands,45 the European Commission,46 and Accenture,47 the DSIT survey offers several unique advantages. First, it provides transparency around survey design and question phrasing, publishing technical annexes and thorough explanations of their cost categories. Second, it reports losses as mean monetary amounts rather than just percentages or medians, enabling us to make more transparent inferences. Third, it surveys broadly across businesses of all sizes and sectors, making it more representative of the full business population. These methodological strengths make it our preferred source for estimating business cybercrime costs. In terms of the conceptual framework from Section 3.1, the DSIT survey provides estimates of all three key inputs: victimisation rate, average cost per incident, and victim population. Our Estimation Method Using the DSIT data The DSIT survey data does not directly provide a global estimate of cybercrime damages and explicitly cautions about extrapolating financial cost data, since margins of error are likely to be very wide. However, since we are primarily interested in an approximate order-of-magnitude estimate of cybercrime damages, we still believe there is still value for us doing so. Nonetheless, we follow DSIT’s suggested best practices of clearly labelling the extrapolation and calibrating the resulting estimate against other evidence as well. To construct a global estimate, we first calculate the estimated ‘most disruptive breach’ costs experienced by the average surveyed UK businesses. This is done by multiplying the 48 DSIT, “Cyber Security Breaches Survey 2025,” Annex 1.7. 47 Accenture Security, “The Cost of Cybercrime,” Accenture, 2019. 46 European Commission, “SMEs and Cybercrime.” 45 Central Bureau voor de Statistiek, “Cybersecuritymonitor 2023,” June 28, 2024. 44 Anderson et al. 43 The ~20 attacks per year is derived from an approximation by the authors of this work as follows: 19% * 1 [only once] + 28% * 5 [less than once a month] + 23% * 12 [once a month] + 29% * 52 [weekly or more]. | 23 percentage of businesses experiencing breaches (43%), the percentage of those breaches resulting in negative outcomes (16%), and the average total cost of the ‘most disruptive’ breach of those affected (£8,260 total cost). Table 4 below shows it implies a point estimate of ~$726 per surveyed business. Second, we now try to extrapolate this average per business to the entire UK economy and then the world. As mentioned, this relies on making several critical assumptions:

Estimating Annual Cost: As noted, the DSIT survey only estimated the cost of the “most disruptive” incident, not the total of all incidents. To bound this we can consider two approaches. A conservative approach would be that the worst incident is the only cost. An aggressive approach would be to assume each of the ~20 cyber-attacks experienced by the average business in 12 months is as bad as the “most disruptive” one. We think the truth is likely closer to the former than the latter since incidents are plausibly fairly right-tail distributed and so the ‘worst incident’ carries a lot of the total damages. Thus, we make a subjective judgement of assuming the total cost is ~3X the “most disruptive incident,” though we remain highly uncertain about the true value.

Extrapolating to all UK businesses: As per the DSIT survey, there are ~1.43M UK businesses with employees that such average costs can then be extrapolated too. The margins of error here are notably smaller than the other parameters.

Extrapolating to the UK economy: The financial cost numbers taken from the DSIT survey only cover private-sector businesses. It does not include cybercrime damages accrued by government organizations, which in the UK includes hospitals and other services. Given ~44% of UK GDP is government expenditure,49 we might employ GDP scaling and assume cybercrime costs scale proportionally with economic activity. This gives a scale-up factor of 1.8X.

Extrapolating to the world: Similarly, to scale from UK to global costs, we might employ GDP scaling under the assumption that cybercrime costs scale proportionally with economic activity. Since world GDP is approximately 30X times larger than UK GDP,50 our subjective judgement is centered on that, but we include uncertainty. Table 4 summarizes the key assumptions and calculations underlying this estimate. We see that the total is ~$200B, of which ~$125B is what per our taxonomy may be considered ‘remediation costs’. 50 World Bank, “GDP (Current US$).” 49 International Monetary Fund, “Government expenditure, percent of GD,” 2025. | 24 Variable Value Description Source Percentage of businesses having a breach in last 12 months 43% Hard-coded input DSIT Survey, 2025; Sec 4.2 Percentage of businesses having negative outcome, of those affected 16% Hard-coded input DSIT Survey, 2025; Fig 4.6 Mean reported total cost of worst incident of those affected £8,260 Hard-coded input DSIT Survey, 2025; Tab. 4.5b Mean reported total direct cost of worst incident of those affected £3,110 Hard-coded input DSIT Survey, 2025; Tab. 4.1b Of which remediation £5,150 Calculation Average GBP to USD Exchange Rate in 2024 1.3x Hard-coded input IRS (2025) Mean reported total direct cost of worst incident (USD 2024) $726 Calculation [=43%*16%* £8,260*1.28] Worst incident to Total incident 3.0x Subjective assumption DSIT Survey, 2025; Fig 4.6 Total business population of the UK 1.4M Hard-coded input DBT, 2024 Private Sector to Economy scale-up 1.8x Subjective assumption UK GDP / (1- UK Gov. Exp.) UK to Global scale-up 32x Subjective assumption World GDP/UK GDP Inferred business damages $200B Calculation [=$700*3x* 1.4M*1.8x*31x] Of which remediation $125B Table 4 | Business Cybercrime Damage. A simple model inferring global business cybercrime damages from DSIT data | 25 Limitations This estimate faces several limitations that could bias the results in either direction. First, as noted, many of the subjective assumptions are uncertain. Including these is inherently required for arriving at an aggregate global estimate of cybercrime – and we have attempted to be very transparent about our assumptions. Nonetheless, future work may benefit from surveying a larger group of subject matter experts to better estimate these parameters. Second, GDP scaling assumes that cybercrime victimisation rates and costs scale proportionally with economic activity across all countries. This assumption may not hold for several reasons. Different sectors of the economy may experience different victimisation rates and losses than businesses, yet we apply business victimisation rates and average losses uniformly. For example, hospitals may be a more or less frequent target than average. Moreover, countries vary substantially in many factors, such as different levels of contributions of various sectors to the total economy, cyber defense capabilities, regulatory environments, and exposure to cyber threats. For instance, nations more involved in geopolitical conflicts (such as the United States, China, or European nations in the context of the Russia-Ukraine war) may face higher rates of state-sponsored attacks that could disproportionately increase costs. Future work may want to do such robustness checks. Third, we note it is possible that the DSIT survey’s sampling strategy might result in underestimating the average financial cost of incidents. We note that the DSIT survey defines a “Large business” as having 250 or more employees and surveyed <80 of these for its financial cost data. However, this definition of “large business” hides a very long tail: some large businesses have over 100,000 employees. Thus, if, as appears reasonable to us, the costs of cybercrime scales with size, the average recorded in the survey might be heavily determined if one of these mega-employers is included in the sample or not. Fourth, the DSIT cost categories do not align perfectly with our taxonomy. The survey’s “indirect costs” category includes items such as staff time when they could not do their jobs,52 which we classify as response costs rather than indirect costs. Conversely, some of their “long-term direct costs” overlap with our response cost category. Additionally, the DSIT survey distinguishes between “cyber security breaches and attacks” and “cyber crimes”53 when, for our purposes, this distinction has limited practical impact because we focus exclusively on breaches that resulted in material negative outcomes. Despite these limitations, we believe this presents the best attempt at quantifying business cybercrime costs globally in spite of some inherent limitations. The DSIT survey’s rigorous methodology, large sample size, and transparent reporting make it substantially more reliable 53 DSIT, “Cyber Security Breaches Survey 2025,” Section 6.2. 52 DSIT, “Cyber Security Breaches Survey 2025,” Section 4.6. 51 See e.g. Tesco, “Sustainability Factsheet 2023/24.” | 26 to build an estimate from – especially when comparing to alternative approaches such as analyzing stock price movements following breach disclosure or modeling based on small samples of high-profile incidents. Defense Costs Several market research firms have published estimates of global spending on cybersecurity or information security, which we consider to be an estimate of global defense costs. These figures are drawn from proprietary reports that are prohibitively expensive to purchase, so we rely on publicly available summaries and cannot verify the underlying methodologies:

“Worldwide end-user spending on information security … $193 billion in 2024”54

“global cybersecurity IT investment reached $244.4 billion in 2024”55

$154.6 billion in 202456 An approximate midpoint gives us an estimate that global spending on cybersecurity is about $200 billion a year. However, this figure represents the total revenues of cybersecurity firms globally, encompassing both defensive spending and incident response (remediation) spending. Our previous estimate in Section 4.1 computed global business direct and remediation spending, meaning that there’s a partial overlap between these two estimates. Because we do not know how much of the $200 billion of global cybersecurity spending is spent on defense versus incident response by end users, we assume that it’s simply half each. Therefore, our best estimate of global defense spending is $100 billion per year. Individual Cybercrime Costs An Overview of the Original Data Source Breen et al. conducted a large-scale victimisation survey of approximately 10,000 American adults (18 years and older) in the summer of 2020.57 The survey assessed experiences with six specific types of cybercrime: non-delivery scams, non-payment fraud, extortion (including ransomware), overpayment scams, advanced fee fraud, and credit card or banking fraud. Unlike many cybercrime surveys that rely on vague or technical terminology, this study used plain language descriptions to ensure respondents understood what types of incidents to report. 57 Breen et al., “A Large-Scale Measurement of Cybercrime Against Individuals,”CHI '22: Proceedings of the 2022 CHI Conference on Human Factors in Computing Systems, no. 122, (2022): 1–41. 56 Merrit Maxim, “Global Cybersecurity Spending To Exceed $300B By 2029,” Forrester, October 3, 2025. 55 IDC, “China Cybersecurity Market to Jump from US$11.2B (2024) to US$17.8B (2029) at 9.7% CAGR,” Cyber Security Mew, August 25, 2025. 54 Gartner, “Gartner Forecasts Worldwide End-User Spending on Information Security to Total $213 Billion in 2025,” July 29, 2025. | 27 For each crime type, respondents who reported being victimised were asked to provide the amount of money they lost. The study reports victimisation rates for each crime category as well as the distribution of losses, including median values and at the 10th and 90th percentiles. In the code release for their paper, the authors also report mean losses for each crime type. These distributions are notably right-skewed,58 indicating that while most victims experience modest losses, a small subset experiences substantially larger losses. It also noted that “Based on the most recent FBI crime report statistics, the six cybercrimes we study represent 30% of cybercrimes against individuals.” The study’s primary objective was to estimate prevalence rates and typical losses for American victims, making it well-suited for generating national and, with appropriate scaling, global cost estimates. The large sample size is particularly important given that cybercrime victimisation is a relatively rare event, requiring substantial sampling to achieve statistically meaningful results. Why We Prioritize It As mentioned before, a major advantage of victimisation surveys over other methods like aggregate complaint databases – such as the FBI’s IC3 – is that they help to address the severe under-reporting problem. Several other individual cybercrime victimisation surveys targeting individuals exist, including surveys from Australia,59 the Netherlands,60 the US Federal Trade Commission,61 and various industry-sponsored surveys. However, the Breen et al. survey offers several methodological advantages that make it our preferred source. First, the sample size of 10,000 respondents provides sufficient statistical power to detect relatively rare victimisation events. This is substantially larger than many other academic surveys and reduces sampling uncertainty. Second, the survey design uses clear, accessible language to describe crime types rather than technical terminology, reducing the risk of misclassification by respondents. Third, the authors provide clear definitions and quantities for losses, allowing us to understand what drives the data. Fourth, this survey covers several cybercrimes against individuals directly, as opposed to some other surveys that cover, for example, only identity theft. In fact, Breen et al.’s terminology map onto the FBI’s IC3 definitions, allowing us to do an additional sense check of our results. In terms of the conceptual framework from Section 3.1, this survey provides estimates of all three key inputs: victimisation rates and average costs per incident for each crime type, with victim population drawn from US census data. 61 Keith B. Anderson, “Mass-Market Consumer Fraud in the United States: A 2017 Update,” Federal Trade Commission, October 2019. 60 Central Bureau voor de Statistiek, “Online Veiligheid en Criminaliteit 2024,” April 15, 2025. 59 Isabella Voce and Anthony Morgan, “Cybercrime in Australia 2024,” Australian Institute of Criminology, 2025. 58 See Figure 2 in Breen et al. | 28 The Australian survey,62 while comprehensive, suffers from a potentially self-selected sample and reports mean losses “after recoveries” based on only 40 respondents – far too small a sample for reliable extrapolation. Additionally, the survey questions appear to conflate personal and work-related cybercrime experiences, making it unclear whether reported costs represent individual or business losses. The Netherlands survey64 does not collect data on monetary losses, making it unsuitable for cost estimation despite its value for measuring prevalence. A Description of Our Method Using the Breen et al. 2022 Data To estimate global individual cybercrime costs from the Breen et al. survey data, we combine its data with several additional assumptions. First, we combine the prevalence rate and mean reported loss for each crime type to estimate the expected loss per person per year. This value is $49.23. See Appendix A for details. Second, we must account for the fact that these six crime types represent only a subset of all cybercrime against individuals. In the original work, Breen et al. calculate this by looking at what fraction of total individual cybercrime incidents these six types represented in the FBI IC3 complaint data, suggesting it is ~30%. Using the IC3 data for 2024 gives us a similar estimate when using prevalence as the weighting. We follow the authors’ original methodology of using prevalence weighting but caveat that the correct weighting may be by dollar amount, as other areas of individual cybercrime not represented in the survey have grown a lot since 2020, especially via cryptocurrency and investment fraud. Third, having now estimated the average total individual cybercrime loss, we can now scale this up first to the US and then the global cost. We do this by noting that there are 260M adult individuals in the US (as per the original Breen paper). Then, we scale from US to global costs using GDP ratios. Table 5 below summarizes the key assumptions and calculations underlying this estimate. 64 Central Bureau voor de Statistiek, “Online Veiligheid en Criminaliteit 2024.” 63 Voce and Morgan, 3. 62 Voce and Morgan. | 29 Variable Value Description Source Average estimated individual loss due to 6 tested cyber crimes $49 Calculation Breen et al., 2022; Tab 5.; See

Psychological trauma and stress experienced by fraud and investment scam victims

Human suffering of people trafficked to perform fraud and investment scams (see

Erosion of public trust in digital systems and online commerce, potentially constraining economic growth

National security implications of persistent compromise of critical infrastructure and government institutions While these costs are difficult to quantify in monetary terms, they represent genuine social harm that our estimates do not capture. They may well exceed the direct costs estimated in this report. 68 For example, Kaspersky, an incident response firm based in Russia, finds that the Russia-complex of countries experience ransomware less frequently than the global average, likely due to many ransomware operators being based in Russia. See Assolini et al, “State of Ransomware in 2025,” Kaspersky, May 7, 2025. 67 Cybersecurity and Infrastructure Security Agency, “PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure,” February 7, 2024. | 32 Measurement uncertainty. As discussed throughout Section 3, all available measurement methods face substantial limitations – from under-reporting in complaint databases to sampling uncertainty in victimisation surveys. The wide confidence intervals in our final estimates reflect this fundamental measurement challenge. Future work improving cybercrime cost estimation should prioritize: developing more frequent and harmonized victimisation surveys across multiple countries, creating alternative indicators for detecting shifts in cybercrime patterns that don’t rely solely on aggregate cost estimates, and establishing methodologies for quantifying the broader social costs of cybercrime beyond direct financial losses. While limitations constrain the precision of our estimates, we nonetheless believe our work is helpful to decision makers. Prior to this work, estimates of global cybercrime damages ranged from tens of billions to tens of trillions of dollars, with little systematic evaluation of underlying methodologies and explanations of rationale. By critically examining 27 different sources, establishing a clear taxonomy of costs, and prioritizing the most methodologically sound approaches, we narrow this range considerably. Our estimate of ~$500 billion in annual cost (though still uncertain) provides a more solid foundation for evaluating cybercrime risk, including transparent assumptions for future work to expand upon. Relevance to AI Policy Aggregate cybercrime estimates are insufficient for detecting AI-enabled uplift or setting risk thresholds. The uncertainties in global cybercrime damage estimates are simply too large to detect incremental changes caused by AI. There is no single data source that accurately captures total damages due to pervasive under-reporting, evolving crime definitions, and measurement inconsistencies across jurisdictions. Consider again the framework presented in Figure 3, which conceptualizes total damages as the sum of products of average cost, victimisation rate, and victim population across crime types. Frontier AI developments could independently affect any of these factors. AI might increase victimisation rates through more automated targeting of existing attack chains. It might increase average damages per incident – for example, by enabling adversaries to more efficiently identify high-value assets during data exfiltration, as suggested by recent report of a threat actor using Claude to “independently query databases and systems, extract data, parse results to identify proprietary information, and categorize findings by intelligence value.”69 Or AI might expand the summation entirely by enabling novel attack surfaces that create additional damage categories (e.g. prompt injection attacks on AI-enabled services.70 70 Brave, “Agentic Browser Security: Indirect Prompt Injection in Perplexity Comet,” August 20, 2025. 69 Anthropic, “Disrupting the first reported AI-orchestrated cyber espionage campaign,” November 13, 2025. | 33 Given these measurement challenges, future work should focus on developing alternative indicators that could collectively signal meaningful shifts. Promising approaches include: monitoring for AI-generated code signatures in malware samples, tracking criminal forum discussions of AI tool adoption, observing labor market changes in fraud operations (see

Identify a set of attack chains spanning the major categories of cyber-dependent and cyber-enabled crime, weighted by their contribution to overall damages.

For each category, establish measurable signals that could indicate AI adoption or capability uplift, such as indicators of AI-generated code in malware samples, changes in labor dynamics within fraud operations (see Appendix B), or shifts in attack sophistication observable through security telemetry.

Establish a standing panel of cybersecurity practitioners, researchers, and economists who periodically synthesise evidence across these indicators to estimate whether cumulative uplift has crossed policy-relevant thresholds (e.g. a 20% increase in damages for a given crime category). Cybercrime represents substantial economic harm and triggers regulatory obligations, even if it does not constitute a “catastrophic risk.” Frontier safety frameworks and similar policies typically focus on catastrophic or existential risks characterized by instantaneous, irreversible harm. Cybercrime does not fit this pattern. It causes cumulative harm through many distributed incidents rather than a single catastrophic event. However, this framing may create a blind spot. Our estimates suggest that even under our conservative assumptions, annual cybercrime damages are on the order of $500 billion a year, meaning that even a modest increase in damages due to AI usage may exceed the $100 billion damages threshold. Whether cumulative annual harm of this magnitude warrants similar attention to instantaneous catastrophic risks is a question that current frameworks do not clearly address. | 34 Regardless of how one resolves this conceptual question, AI developers may face concrete obligations. The EU AI Act’s Code of Practice explicitly identifies “enabling large-scale sophisticated cyber-attacks” as a systemic risk requiring assessment and mitigation. Notably, this language does not require a single catastrophic event. It could reasonably encompass scenarios where AI enables a large-scale increase in smaller-impact attacks that collectively pose systemic risk. Compliance with these requirements does not depend on whether cybercrime qualifies as “catastrophic” under other individual company frontier safety frameworks. Future work should clarify how cybercrime risk fits within the broader landscape of AI safety concerns and establish appropriate management approaches even where it falls outside traditional catastrophic risk definitions. Defensive adaptation is real but unevenly distributed, complicating net impact assessments. Cybersecurity differs from many other risk domains because AI can substantially enhance defensive capabilities, not just offensive ones. Just as criminal actors face economic incentives to adopt AI tools, cybersecurity firms face strong market incentives to develop AI-powered defensive solutions. Any assessment of AI’s net impact on the cybercrime landscape must account for these defensive improvements. Defensive adaptation is unlikely to be uniform. Cybersecurity spending is concentrated among large enterprises and wealthy nations. Small and medium businesses, under-resourced government agencies, healthcare systems, and organizations in developing countries may not benefit equally from AI-enhanced defenses. Future modeling should account not only for aggregate defensive improvements but also for the distribution of those improvements across potential victims. If AI primarily benefits well-resourced defenders while enabling attacks on under-protected targets, the net effect could be harmful even if aggregate defensive capabilities improve. Under our estimates, a 20% increase in cybercrime damages would reach commonly cited catastrophic thresholds. Our central estimate of approximately $500 billion in annual damages implies that only 20% uplift would be needed to cross the $100 billion incremental damage threshold that some frameworks identify as catastrophic. This is a relatively modest increase that could plausibly occur through efficiency gains in existing attack methods without requiring qualitatively new AI capabilities. Moreover, this calculation likely understates the concern. As discussed above, our estimates exclude several categories of harm, such as psychological trauma, erosion of trust in digital systems, and national security implications. If these unquantified harms were included, the 71 European Union, Appendix 1.4. | 35 baseline would be higher and the uplift required to reach any given threshold would be correspondingly smaller. This finding underscores the need for developing better measurement approaches. If AI-enabled uplift of even modest magnitude could cross policy-relevant thresholds, the current inability to detect such changes represents a significant gap in our capacity to govern AI-related cyber risks. In conclusion, this report narrows plausible estimates from spans of multiple orders of magnitude to a more transparent baseline. While limitations remain, our systematic methodology provides a foundation for more informed decision-making about AI-related cybercrime risks. Additionally, we have pointed to several further useful directions of research. | 36 About the Authors Kamile Lukosiute Research Scholar, GovAI Kamile's research focuses on threat modeling of cyber adversary misuse of advanced AI systems. Previously, she worked at Cisco Security as an AI Security Researcher and at Anthropic as a Resident in AI alignment research. She holds an MS in Physics from the University of Amsterdam. John Halstead Research Fellow, GovAI John works on threat modeling, with a particular focus on CBRN and cyber misuse risk. Before joining GovAI he worked at the Forethought Foundation and Founders Pledge. He holds a DPhil in Political Philosophy from the University of Oxford. Luca Righetti Senior Research Fellow, GovAI Luca is a Senior Research Fellow at the GovAI, where he leads a team to investigate national security risks from advanced AI systems. He previously worked at Open Philanthropy, the UK Office for AI, and the University of Oxford’s Future of Humanity Institute.