In 2024, cybercrime became America's fastest-growing industry. The FBI's own data reveals a system so overwhelmed by the scale of digital fraud that what gets reported is still just a fraction of what's being lost.
Every day in 2024, the FBI's Internet Crime Complaint Center received more than 2,300 reports of cyber-enabled crime. By year's end, the total losses reported had reached $16.6 billion — a 33% increase from 2023, and a new record by a considerable margin. The report, released in April 2025, marks the 25th anniversary of IC3. In that time, the centre has received over nine million complaints. Four million of them came in the last five years alone.
The scale is staggering. But the official figures almost certainly represent only a fragment of reality. The FBI acknowledges this explicitly in its own report — ransomware losses, for example, are logged only when victims voluntarily report to IC3, excluding direct reports to FBI field offices and the vast majority of cases where companies quietly pay up or absorb losses internally to protect reputation. Chainalysis, which tracks ransom payments through blockchain analysis, estimates total ransomware payment flows at more than 60 times the FBI's reported figure. The $16.6 billion, in other words, is the floor, not the ceiling.
"The IC3 received more than 2,000 complaints every day in 2024. During IC3's infancy, it received roughly 2,000 complaints every month." — FBI, IC3 Annual Report 2024
The anatomy of cybercrime has shifted. Phishing remains the highest-volume attack vector — 193,407 reports in 2024, more than double the next most common crime type. But it is investment fraud, not ransomware, that is now doing the most financial damage. Crypto-investment scams alone cost $5.8 billion, up 47% from 2023, driven by what the FBI calls "pig butchering" schemes — long-form social engineering operations in which victims are cultivated over weeks or months on messaging apps before being lured into fake investment platforms that drain their savings.
The victims skew older. Americans over 60 filed 147,127 complaints in 2024 — a 46% increase from 2023 — and suffered $4.9 billion in losses. The average loss per complaint for this group exceeded $83,000. FBI Director Kash Patel, in introducing the report, described the trend as "scammers stealing Americans' hard-earned savings." But the structural question is harder: in a world where cybercriminals are innovating faster than regulators can act, who is responsible for closing the gap?
Signal Finding — The Reporting Gap
The FBI IC3 report captures only reported losses. Chainalysis estimates total ransom payments in 2024 at approximately $813 million — against the FBI's direct ransomware loss figure of $12.5 million. The multiplier between reported and actual cybercrime losses is likely in the range of 10–60× depending on crime type. If the same ratio applied across all IC3 categories, true annual US cybercrime losses likely exceed $150 billion.
Total losses reported to FBI IC3 by year, 2015–2024. The 2024 figure of $16.6 billion represents a 33% year-on-year increase and a 660% increase from 2015. Source: FBI IC3 Annual Reports 2015–2024.
Source: FBI Internet Crime Complaint Center (IC3) Annual Reports, 2015–2024. Figures represent losses voluntarily reported by US victims. The FBI explicitly notes these figures undercount true losses — ransomware losses alone are estimated to be 60× higher than reported. All figures in USD billions.
02 · Anatomy
Where the Money Goes
Losses by crime category in 2024. Investment fraud ($6.57bn) overtook BEC as the largest single category for the second consecutive year, driven overwhelmingly by cryptocurrency investment scams. BEC ($2.77bn) and tech support fraud ($1.46bn) follow. All figures from FBI IC3 2024.
Losses by Crime Type 2024 (USD bn) · Source: FBI IC3
Source: FBI IC3 Annual Report 2024. Personal data breach figure ($1.45bn) covers 64,882 reports.
Complaints Volume by Type 2024 · Source: FBI IC3
Source: FBI IC3 Annual Report 2024. Phishing (193,407) dwarfs all other crime types by volume. BEC complaints (21,442) are modest in number but catastrophic in loss value.
03 · Threat Landscape
The Six Attack Vectors
The 2024 IC3 report identifies six dominant attack vectors — each with distinct financial profiles, victim demographics, and enforcement challenges. Data from FBI IC3 2024, Chainalysis 2025, and Coveware Q4 2024.
Volume Leader
Phishing & Spoofing
193,407
Reports in 2024. Most common crime type by volume — more than double extortion and three times personal data breaches. Results in $70M in direct losses, but its primary role is credential harvesting for downstream fraud.
Loss Leader
Investment Fraud (Crypto)
$6.57B
Largest single loss category. "Pig butchering" scams dominate — victims cultivated on WhatsApp/Telegram for weeks, then funnelled into fake trading platforms. 41,557 reports. Up 47% in losses from 2023.
Enterprise Threat
Business Email Compromise
$2.77B
21,442 reports — relatively modest in volume, catastrophic in individual loss. Average loss per BEC incident: $129,000. Nearly $8.5bn in BEC losses reported to IC3 over 2022–2024 alone. 63% of organisations experienced BEC in 2024.
Infrastructure
Ransomware & Critical Systems
4,800+
Critical infrastructure complaints in 2024 — up 9% from 2023. Healthcare, manufacturing, and government services most targeted. Top variants: Akira, LockBit, RansomHub, FOG, PLAY. 67 new ransomware variants identified in 2024 alone.
Fastest Growing
Elder Fraud
$4.9B
Over-60s suffered the highest losses of any age group — up 43% year-on-year. 147,127 complaints, +46% from 2023. 7,500 individuals aged 60+ each lost more than $100,000. Average loss: $83,000. Tech support scams and romance scams dominate.
Emerging
Crypto ATM & Kiosk Fraud
+99%
10,956 complaints in 2024 — a 99% increase in one year. $246.7M in losses. Criminals instruct fraud victims to deposit cash at Bitcoin ATMs, bypassing traditional fraud detection. Disproportionately targets elderly victims in rural areas.
Ransomware presents a particular accounting problem. The FBI's reported ransomware loss figure — $12.5 million — is almost comically small given what the private sector data suggests. Chainalysis, which tracks on-chain payment flows, recorded approximately $813 million in ransomware payments in 2024 — a 35% decline from the record $1.1 billion paid in 2023, which Chainalysis attributes to a combination of law enforcement action (the disruption of LockBit in February 2024 was significant), increased victim resistance, and the growing influence of a no-pay norm in corporate incident response playbooks.
The decline in payments does not mean ransomware is in retreat. The number of IC3 ransomware complaints rose 9% in 2024. Researchers at Coveware note that with fewer victims paying, criminal groups have responded by increasing attack volume and targeting larger organisations more aggressively. The average initial ransom demand rose 78% between 2023 and 2024. The criminal calculus is straightforward: if the conversion rate is falling, you need more shots on goal.
"Ransomware groups responded to falling payments by increasing attack frequency and lifting ransom demands. The average demand rose 78% in 2024." — Coveware Q4 2024
Cryptocurrency's role in cybercrime has become structurally inseparable. Of the $16.6 billion in total reported losses, $9.3 billion — 56% — involved cryptocurrency. This represents a 66% increase from 2023, driven primarily by investment scams and money laundering infrastructure. The FBI's Recovery Asset Team froze $561 million in fraudulently obtained funds in 2024 using the Financial Fraud Kill Chain — a significant figure, but less than 4% of total reported losses.
The geographic concentration of complaints follows population: California, Texas, and Florida report the highest totals. But the most financially vulnerable victims are often the least likely to be in major urban centres. Elder fraud losses, which disproportionately affect retirees in areas with lower digital literacy and weaker formal support networks, now exceed total US motor vehicle theft losses by a factor of more than twelve.
Ransomware payments (Chainalysis blockchain data) versus IC3 reported ransomware losses (FBI). The gap between the two figures illustrates the scale of under-reporting. Note that Chainalysis 2024 figure reflects a 35% year-on-year decline — enforcement actions against LockBit and growing victim resistance have begun to suppress payments, even as attack volume continues to rise.
Chainalysis data: On-chain ransom payment flows (Chainalysis Crypto Crime Report, Feb 2025). FBI IC3 data: Voluntarily reported ransomware losses (FBI IC3 Annual Report 2024). Gap illustrates structural under-reporting. IC3 acknowledges figures exclude lost business, wages, equipment, remediation costs, and direct field office reports.
05 · Context
Putting $16.6 Billion in Perspective
US cybercrime losses benchmarked against other well-known financial figures. The $16.6 billion in reported losses is already larger than the GDP of several nations — and represents only what was reported to a single federal intake system.
US Cybercrime Losses 2024FBI IC3 reported only
$16.6B
Crypto Losses Alone66% increase YoY
$9.3B
Investment FraudLargest single category
$6.57B
Elder Fraud LossesOver-60s · +43% YoY
$4.9B
FBI Funds FrozenRecovery Asset Team · 66% success rate
r/cybersecurity and r/netsec sentiment: elevated and rising
Signal's Reddit sentiment tool (in development) tracks anxiety levels across cybersecurity subreddits. Preliminary analysis of r/cybersecurity, r/netsec and r/hacking suggests a sustained elevated anxiety baseline throughout 2024 — driven primarily by ransomware frequency, AI-enabled phishing volumes, and a perception that enterprise defences are not keeping pace with attack sophistication. Full real-time tracker launching Q3 2025.
71
/ 100 · Anxiety Index Preliminary · 90-day avg
The regulatory response to cybercrime remains fragmented. The US has no single federal cybercrime statute equivalent to GDPR — organisations are governed by a patchwork of sector-specific rules, state breach notification laws, and an FTC enforcement regime that moves considerably more slowly than criminal innovation. The SEC's 2023 cybersecurity disclosure rules — which require public companies to report material cyber incidents within four business days — represented a significant step, but apply only to listed companies and have already faced legal challenge from affected registrants.
In the EU, NIS2 (Network and Information Security Directive 2) entered force in October 2024, extending mandatory cybersecurity obligations to a broader range of sectors including healthcare, digital infrastructure, and food supply chains. The directive requires incident reporting within 24 hours of detection — a standard that most US companies would struggle to meet, given that the average detection-to-disclosure time for a data breach in 2024 was still measured in days, not hours.
The enforcement gap is stark. The FBI's Recovery Asset Team froze $561 million in 2024 — impressive operationally, but less than 4 cents in every dollar of reported losses. For the criminals operating from jurisdictions beyond US extradition reach — Russia, North Korea, China, and Iran account for the majority of attributable state-sponsored attacks — the risk calculus remains favourable.
Sources: FBI IC3 2024; SEC Cybersecurity Disclosure Rules (2023); EU NIS2 Directive; CISA 2024 Year in Review.
Methodology
Primary Data
All financial figures in this investigation are drawn directly from the FBI IC3 Annual Report 2024 (ic3.gov/AnnualReport/Reports/2024_IC3Report.pdf). This is the primary US government dataset for internet-enabled crime losses, compiled from voluntary victim reports submitted to IC3.
Ransomware Data
Chainalysis Crypto Crime Report 2025 (February 2025) is used for on-chain ransomware payment estimates. Coveware Q4 2024 Ransomware Report provides ransom demand and payment trend data. These sources measure actual blockchain payment flows — a different methodology to FBI victim reporting.
Limitations
FBI IC3 data is based on voluntary US victim reports only. It excludes: unreported incidents, direct field office reports, non-US victims, and incidents where victims pay without disclosure. The FBI explicitly states these figures undercount true losses. All figures should be read as floors, not totals.