Europol Just Admitted Cybercrime Is an Industry
Europol’s Internet Organised Crime Threat Assessment 2026 dropped on the 28th of April. It is the closest thing we have to an honest map of organised cybercrime, written by an agency with no product to sell and no certificate to renew. Three weeks later, the UK cyber security industry has, in the main, treated it as background noise.
That is not an accident. That is a problem.
The report is titled “How encryption, proxies, and AI are expanding cybercrime”. Its executive director, Catherine De Bolle, opens the foreword by writing that cybercrime now presents “progressively sophisticated threats to society, with harmful implications both online and offline”. That is not vendor marketing language. That is the head of European law enforcement telling business owners what they see on the ground.
What they see is an industry. Not a collection of threats. An industry, with supply chains, service providers, customer acquisition channels, and labour-saving automation. And the cyber security industry that is supposed to defend you against it is also an industry. Notice anything?
What the report actually says
The IOCTA covers four areas: cybercrime enablers, online fraud schemes, cyber-attacks, and online child sexual exploitation. The thing that makes the 2026 edition different from previous years is the framing.
For years, threat reports have treated these areas as separate categories. Ransomware in one bucket. Fraud in another. Dark web markets in a third. Crypto laundering in a fourth. AI threats in their own special section, usually written by someone who saw ChatGPT for the first time last week.
Europol have stopped doing that. The IOCTA 2026 describes a single integrated criminal economy where the same infrastructure underpins multiple crimes and the same business logic appears across multiple chapters. AI helps write the scams, and the same AI helps generate ransomware demand letters, and the same AI generates synthetic abuse material on the same platforms. SIM farms enable bulk fraud and bulk account creation for crypto laundering. Residential proxies hide both state-aligned hackers and Eastern European fraud rings. Bullet-proof hosting providers do not ask whether their customer is a ransomware operator or a payment scammer, because they do not care, because their customer base is both.
Europol’s term for this is the velocity gap. They mean the criminals can move faster than law enforcement can respond, because AI compresses skill requirements, service markets compress operational requirements, crypto compresses money movement, and encrypted platforms compress coordination costs. Every one of those is a labour cost being driven down. That is what an industrialising market looks like.
The number that should stop you scrolling: Europol observed more than 120 active ransomware brands in 2025. Not 120 attacks. 120 distinct brands operating concurrently, with affiliate programmes, negotiation services, leak-site hosting, and DDoS-as-an-extra. The dominant family last year, Qilin, was offering affiliates eighty to eighty-five percent of every ransom paid. Try finding an MSP that gives you that kind of margin on a renewal.
The cyber industry’s response, three weeks on
The report came out on the 28th of April. It is now the 19th of May. That is three weeks for the British cyber security industry to read it, digest it, and change its pitch. Three weeks for your MSP to update its sales deck. Three weeks for the Cyber Essentials industrial complex to issue a statement acknowledging that the framework was designed against a threat model that bears progressively less resemblance to what Europol have just described.
How many of you have had that conversation with your supplier? Anyone? Anyone at all?
I will save you the suspense. The answer is no, you have not, because nobody in the UK cyber security industry wants to tell you that the thing they are selling you is not designed for the threat that exists. The Cyber Essentials renewal is going out the door this quarter at the same price. The SIEM platform is still being sold on a per-user licence. The compliance audit is ticking the same boxes it was ticking five years ago, none of which would detect a SIM-farm-driven business email compromise even if it walked into reception with a name badge and a coffee for the receptionist.
This is what compliance theatre looks like. It is the thing standing between you and your bank account, pretending to be a security control. The framework was built for an old threat model. The new threat model has overtaken it. And the entire industry that depends on you renewing certificates and licences against the old model has a financial interest in not telling you that.
Europol use a phrase in the foreword of the IOCTA 2026 that should be on the inside of every UK SMB director’s eyelids. They describe the report as a “call to action”. They mean a call to action to law enforcement, to regulators, to platform operators. But it applies equally to anyone running a small business in the UK who is paying real money for cyber security and not getting industrial-grade defence in return.
A framework audited annually by someone reading off a checklist is not industrial-grade defence. It is a velocity gap on your side.
Exhibit A: seven Latvians, forty-nine million accounts
The receipt for all of this is one case from the IOCTA 2026 fraud chapter. It is not the biggest case in the report. It is not the worst. It is just clean.
Seven Latvian nationals. Twelve hundred SIM-box devices. Forty thousand SIM cards. The SIMs registered to numbers from more than eighty different countries. And the service these seven people were running was used to create more than forty-nine million online accounts.
Stop and think about what that means. Every UK bank, every UK insurance broker, every UK estate agent, every UK accountant who uses SMS verification as part of their onboarding process, has been quietly defeated by seven people in a warehouse. Your one-time passcode that you are so proud of, the one that lets you tick the MFA box on your Cyber Essentials assessment, has been bypassed at industrial scale by an operation that fits in a couple of server racks.
This is what Europol mean when they describe fraud as defined by velocity, concealment, and industrial-scale victimisation. It is not a guy in a hoodie. It is logistics. It is procurement. It is supply chain. The criminals run it like a business because it is a business.
When did your supplier last sit you down and say, “the SMS-based verification we set up in 2019 is no longer fit for purpose, and here is what we are going to do about it”? When did they last review your customer onboarding flow and say, “this is being defeated at scale, we need to add a second factor that is not SMS”? When did they even read the bloody Europol report?
I do not know your supplier. But I do know the industry. The answer, for most of you reading this, is never.
The data publication shift
The IOCTA 2026 makes one more point that UK SMB leadership teams need to internalise. Ransomware extortion has shifted. It is no longer primarily about denying you access to your own data. It is about threatening to publish it.
Europol’s analysis is blunt. Modern enterprises are generally better prepared to recover from data being lost or encrypted than from data being published. The criminals have worked that out. So the business model has shifted to data theft first, encryption second or sometimes not at all. The leverage is reputational, legal, and contractual exposure, not operational downtime.
If your ransomware response plan assumes the attackers want you to pay for a decryption key, your plan is out of date by at least two years. Your backup strategy does not protect you against a data leak. Your communications plan, your legal exposure plan, and your customer notification plan do. Find out which of those you actually have.
How to Turn This Into a Competitive Advantage
UK SMB procurement processes increasingly include security questionnaires. Most respondents tick “yes” to “are you Cyber Essentials certified”. A small number can credibly add “and our security posture has been reviewed against the Europol IOCTA 2026 threat assessment”.
That second sentence is currently a differentiator. Most of your competitors will not be saying it for at least another year, because most of them have not read the report and their suppliers are not telling them about it. The procurement question this opens up, “what does your supplier think about the data-publication extortion model?”, is a question your competitors cannot answer credibly.
Three concrete ways to convert this into commercial advantage:
Lead with current threat awareness in client conversations. When a customer asks about your security, mention that you reviewed your authentication controls in light of the Europol assessment. That is a verifiable, defensible position that signals you are paying attention. The vendor talking points your competitors will fall back on do not.
Build the IOCTA review into your annual customer security update. Most SMBs send an annual letter to clients confirming their security posture. Most of those letters are templates from 2021. A genuinely current letter, dated this quarter, referring to specific 2025 trends in ransomware operations and identity attacks, is the kind of thing that gets forwarded around procurement teams.
Use it in supplier negotiations. Your IT supplier or MSP has a contractual obligation to provide security services. The Europol report is now a published benchmark for what those services should be calibrated against. Ask, in writing, what the supplier’s IOCTA 2026 response is. The answer tells you what kind of relationship you have.
How to Sell This to Your Board
Boards respond to three things: financial risk, regulatory exposure, and competitive positioning. The IOCTA 2026 gives you a fact base for all three.
Financial risk argument. Ransomware extortion has moved from operational disruption to data exposure. Your existing cyber insurance policy may not cover data publication scenarios in the same way it covers operational interruption. The board needs to know whether the current policy is calibrated against the current threat. The Europol report is sufficient grounds to commission a review.
Regulatory exposure argument. The ICO does not care what your Cyber Essentials certificate says when 49 million accounts have been created using a SIM-farm operation to defeat your customer onboarding. They care about whether your controls were reasonable, given known threats. The IOCTA 2026 is now part of the public record of known threats. After the 28th of April, your supplier and your board have notice. That changes the standard you will be judged against if something goes wrong.
Competitive positioning argument. You can be the SMB whose security posture is calibrated to 2026 threat intelligence, or you can be the SMB whose supplier last updated its threat model in 2022. One of those wins procurement competitions. The other loses them. The cost difference is a couple of hours of supplier engagement and a sensible review of your authentication and incident response plans. The revenue difference is a contract.
Make the board approve the supplier review, not a new product purchase. The anti-hero rule applies even at the board level: the answer is rarely “buy another tool”. The answer is “make sure the tools you already have are aimed at the right threat”.
What to do this week
Three actions, all achievable inside a twenty-person company by Friday.
- Email your IT supplier. Two questions. Have you read the Europol IOCTA 2026 report? And if so, what in our current security posture has changed as a result? Put it in writing. If the answer is “we will get back to you”, that is your answer. They have not, and nothing has.
- Audit your SMS-based authentication. Wherever you are still using SMS one-time passcodes as a second factor, particularly for customer onboarding, password reset flows, or money movement, that is now a known weak control. The Latvian SIM-farm case is the receipt. Move to app-based authentication, hardware keys, or passkeys. Not next quarter. This quarter.
- Re-read your ransomware response plan. Specifically, the section about what happens if attackers exfiltrate data and threaten to publish it rather than encrypt it. If that section does not exist, your plan is calibrated against the wrong threat. Bring in your legal counsel, your communications lead, and your senior manager and write the missing section this week.
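One way to run the SMS audit from the second action, as an added example that is not from the article or the Europol report. The flow inventory, flow names and factor labels below are constructed assumptions; replace them with an export from your own identity provider or application configuration.

```python
# Constructed inventory of authentication flows. Every name and value here is
# illustrative and hypothetical, not taken from any real system.
FLOWS = [
    {"flow": "customer_onboarding", "factors": ["sms_otp"]},
    {"flow": "password_reset", "factors": ["sms_otp", "totp_app"]},
    {"flow": "payment_approval", "factors": ["passkey", "hardware_key"]},
    {"flow": "staff_vpn_login", "factors": ["totp_app", "sms_otp"]},
    {"flow": "newsletter_signup", "factors": []},
]

# Flow types the article names as priorities: onboarding, password reset,
# money movement. The keywords are assumptions about how flows are named.
PRIORITY_KEYWORDS = ("onboarding", "reset", "payment", "transfer")

# Replacements the article names: app-based authentication, hardware keys, passkeys.
STRONG_FACTORS = {"totp_app", "hardware_key", "passkey"}


def audit_sms(flows):
    """Return one finding per flow that still accepts an SMS one-time passcode."""
    findings = []
    for entry in flows:
        factors = set(entry["factors"])
        if "sms_otp" not in factors:
            continue
        # SMS offered beside a stronger factor is still a finding: the flow
        # is only as strong as the weakest factor it accepts.
        status = "sms_fallback" if factors & STRONG_FACTORS else "sms_only"
        priority = any(k in entry["flow"] for k in PRIORITY_KEYWORDS)
        findings.append(
            {"flow": entry["flow"], "status": status, "priority": priority}
        )
    # Priority flows first, then SMS-only ahead of SMS-as-fallback.
    findings.sort(
        key=lambda f: (not f["priority"], f["status"] != "sms_only", f["flow"])
    )
    return findings


if __name__ == "__main__":
    for finding in audit_sms(FLOWS):
        tag = "PRIORITY" if finding["priority"] else "review"
        print(f"{tag:8} {finding['flow']:22} {finding['status']}")
```

The `sms_fallback` rows are the ones a checklist tends to miss: a stronger factor is enrolled, but the flow still accepts SMS.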
Three actions. No new vendor purchases. No fresh framework. Just current threat intelligence applied to existing controls. The anti-hero rule.
Europol have done the hard work. The report is forty pages of operationally-informed analysis written by people who arrest cybercriminals for a living. It is the most useful free document available to UK SMB leadership in 2026.
Your supplier is unlikely to mention it. That tells you something about your supplier.
| Source | Article |
|---|---|
| Europol | Internet Organised Crime Threat Assessment (IOCTA) 2026: How encryption, proxies, and AI are expanding cybercrime |
| Europol | IOCTA 2026 report landing page |
| Europol | New 2026 IOCTA highlights sophisticated tactics and emerging challenges in the digital landscape |
| European Commission, DG Migration and Home Affairs | Europol published report on the latest trends in the cybercrime landscape |
| NCSC | Ransomware: NCSC guidance and resources |
| Industrial Cyber | Europol IOCTA 2026 report flags shift to industrialised cybercrime powered by AI, ransomware and data theft |
| European Association for Secure Transactions (EAST) | Europol publishes 2026 Internet Organised Crime Threat Assessment (IOCTA) |