Annual Cyber Threat Report 2024–25 – by the numbers

“Using malware designed to covertly harvest information from Australian victims, cyber criminals used stolen data, usernames and passwords to launch subsequent attacks, compromise corporate networks and accounts,” Marles said.

The Deputy Prime Minister also noted that state-sponsored actors were targeting Australian organisations in order to steal sensitive data.

“Australia joined multi-country advisories warning of the threat of state-sponsored actors targeting critical infrastructure for the purposes of positioning for potential disruptive attacks,” Marles said.

“One such advisory details how People’s Republic of China-affiliated threat actors targeted the networks of major global telecommunications providers to conduct a broad and significant cyber espionage campaign.

“Another details a Russian state-sponsored cyber campaign targeting Western logistics and technology businesses.”

With high-profile breaches exposing everything from Frequent Flyer data to sensitive medical information, it has certainly been a busy year in the sector, but let’s look at the raw numbers to see just how busy it’s been.

VIEW ALL

By the numbers

The Australian Cyber Security Hotline fielded 42,500 calls over the reporting period, representing a 16 per cent year-on-year increase and an average of 116 calls per day.

ReportCyber received 84,700 cyber crime reports – one every six minutes – which is a slight decrease of 3 per cent.

But while reporting didn’t shift that much, the cost of responding to an incident rose sharply for businesses. The average self-reported cost of cyber crime for an individual rose by 8 per cent to $33,000, but the costs for businesses skyrocketed by 50 per cent to an average of $80,500.

Breaking those figures down further showed that larger businesses are bearing the brunt of cyber crime costs. The self-reported costs for small businesses rose by 14 per cent to an average of $56,600, while for medium-sized businesses, the cost rose by 55 per cent to $97,200. Larger organisations reported an average cost of $202,700, however, up a staggering 219 per cent.

Fully 11 per cent of all reported cyber crime is related to ransomware, which remains consistent year on year, while denial-of-service (DoS) attacks rose sharply. The ACSC responded to more than 200 DoS and distributed denial-of-service (DDoS) attacks over the last 12 months, a year-on-year increase of 280 per cent.

As last year, the most reported form of cyber crime remains identity fraud, however, at 8 per cent of all reported incidents.

ACSC in action

The ASD’s ACSC responded to more than 1,200 cyber security incidents in the 2024–25 period, an 11 per cent rise over the last period, and it notified entities of potential cyber activity more than 1,700 times, a worrying 83 per cent increase.

The Australian Protective Domain Name System blocked 334 million malicious domains, which is a 307 per cent increase, but on the positive side, the ASD’s newly enhanced Cyber Threat Intelligence Sharing (CTIS) platform grew its partner numbers by 13 per cent. The CTIS has so far shared more than 2,984,000 indicators of compromise with its partners.

The ACSC is now delivering more reports to more organisations, as well, with 14,400 reports shared with about 3,900 organisations, marking respective increases of 125 per cent and 95 per cent. Government uplift programs have continued, alongside similar critical infrastructure initiatives.

The report also highlights the important role of sanctions in disrupting malicious cyber activity targeting Australian victims.

“In February 2025, the Australian government imposed cyber sanctions on a Russian business and its employees for storing and facilitating the theft of millions of incredibly personal digital records posted by cyber criminals on the darkest corners of the internet,” Marles said.

“The sanctions were preceded and enabled by ASD’s targeted offensive cyber activity, which disrupted criminal infrastructure used to host stolen personally identifiable information (PII) of millions of victims around the world.

“This was the first time Australia imposed cyber sanctions on an entity responsible for providing the infrastructure facilitating cyber crime. It was made possible by ASD’s hard work and delivered collaboration with domestic and international industry, intelligence and law-enforcement partners.”

You can read the full report here.