Cyber Attacks in 2026: Login as a Weapon
For cybercriminals, the cost-benefit ratio must also be right, as Cloudflare notes in its Threat Report 2026. Stolen credentials are in high demand.
Cybercriminals and nation-state actors are increasingly shifting their focus away from complex system intrusions, according to Cloudflare's 2026 Threat Report. Instead, they are more likely to rely on the more efficient method of logging in with stolen credentials. Cloudflare states that it analyzed trillions of network signals from its global infrastructure for its report, blocking an average of around 230 billion threats daily.
The report introduces a new concept: the Measure of Effectiveness (MOE) framework. It describes how attackers choose their tactics based on the ratio of effort to operational outcome. Stolen session tokens, for instance, have a higher MOE than expensive zero-day exploits. The most dangerous actors employ automated, industrialized systems to achieve their goals quickly.
Particularly alarming are the findings on AI-powered attacks. Attackers are using Large Language Models for real-time network mapping, exploit development, and deepfakes. This allows even less sophisticated actors to carry out complex operations. One example is North Korean actors who use AI-generated personas and forged identity documents to infiltrate the hiring processes of Western companies.
Cloud Services as Attack Tools
Another trend is the use of legitimate cloud services for criminal purposes. Attackers abuse tools like Google Calendar, Dropbox, GitHub, or Microsoft Teams to mask command-and-control traffic. The Chinese group FrumpyToad, for example, uses Google Calendar for C2 loops, while Russia's NastyShrew uses paste sites as dead drops.
Chinese state actors like Salt Typhoon and Linen Typhoon are focusing on North American telecommunications providers, government agencies, and IT services. They pursue a so-called pre-positioning strategy: permanently placing code in critical infrastructure for future attacks. Over-privileged APIs in SaaS integrations significantly expand the blast radius – as seen in the GRUB1 breach at Salesloft, which affected hundreds of companies.
Token Theft Bypasses Multi-Factor Authentication
Info-stealers like LummaC2 harvest session tokens to bypass multi-factor authentication. In the past three months, 94 percent of login attempts came from bots. Separately, 63 percent of all logins used compromised credentials. In phishing attacks, 46 percent of analyzed emails fail DMARC checks, yet relay blind spots still allow brand spoofing to succeed.
Hyper-volumetric DDoS attacks are reaching new scales. Botnets like Aisuru achieve throughput rates of 31.4 terabits per second and require autonomous defense systems. During dogfooding (self-testing) with an AI coding agent (OpenCode), Cloudflare discovered the vulnerability CVE-2026-22813 with a CVSS score of 9.4 – an unauthenticated remote code execution in markdown rendering pipelines.
The full report is available on the Cloudflare website.
(fo)