What I’m seeing right now on the dark web tells me the next major attack wave is not a question of if. It is a question of how ready you are when it arrives.
I monitor dark web and underground ecosystems for a living, and I have been doing it for nearly two decades. What I describe in this article is not a forecast based on trend extrapolation or vendor data. It is based on what I am watching happen right now, this week and this month, inside the underground communities where tomorrow’s attacks are being planned, staffed, and tooled.
The short version: the conditions for a significant surge in cyberattacks targeting both corporate revenue and critical infrastructure are converging toward Q1 2027. The workforce is being recruited now. The tools are being built now. The economic pressures driving the recruitment are intensifying, not easing. And AI is making the entire pipeline faster, cheaper, and accessible to people who would not have qualified as threat actors twelve months ago.
Here is what that looks like from the inside.
New groups are forming every week
Over the past two weeks alone, on just two forums that I monitor directly, I have observed multiple new criminal groups either forming from scratch or actively recruiting to expand. These are not established operations adding a few members. These are new entities, with new names, new channels and new recruitment threads, appearing at a rate that is meaningfully higher than anything I have observed at any point in the past several years.
The groups are forming predominantly from individuals based in Eastern Europe, but they are not operating regionally. They are building distributed teams across multiple continents, and the operational structure is global from day one: a recruiter in one country, a developer in another, an access broker in a third, a money-laundering channel in a fourth. The groups are born international because the tools and platforms they use (encrypted messaging, cryptocurrency, dark web forums) make geography irrelevant to operational structure.
This is not a blip. Every week I check, there are new groups. Every week, the recruitment threads have more responses. The underground labour market is growing because demand for what it produces (access, tools, and operational capability) is growing.
The economic pressure is the driver
People do not wake up one morning and decide to become cybercriminals. They arrive there through a sequence of economic calculations, each one small and each one rational within its own frame. The sequence starts with financial pressure: wages that do not cover expenses, opportunities that do not materialise, a gap between what a person can earn legitimately and what they need to survive or to achieve the standard of living they believe they deserve.
That financial pressure is intensifying across multiple regions right now. Economic disruption driven by geopolitical instability (collapsing commodity revenues in states that depend on energy exports, sanctions-driven contraction in economies adjacent to conflict zones, inflationary pressure in developing economies) is producing a generation of technically literate young people with skills, internet access, and no legitimate path to the income they want.
The underground is where those skills find a market. The groups forming right now are not staffed by career criminals with decades of dark web history. They are staffed by people who crossed the line recently, pushed by economic circumstances that make the risk calculus of cybercrime look rational. They are willing to take risks that established actors would not, because established actors have something to protect and these new entrants do not. They are more reckless, more aggressive, and more willing to target high-value infrastructure, because in their calculation the potential payout justifies the risk.
When economic pressure increases, the underground labour supply increases. When the labour supply increases, the operational output increases. When the operational output increases, your company is more likely to be targeted. The chain is direct and observable.
AI is the accelerant
Every observation I have made about the underground over the past year comes back to the same structural shift: AI has lowered the barrier to entry for offensive cyber operations in a way that is difficult to overstate.
Twelve months ago, launching a credible attack against a well-defended corporate target required genuine technical expertise, the kind that takes years to develop and that naturally limited the pool of capable threat actors. Today, AI tools can generate phishing content that is contextually convincing in any language, produce malware variants that evade signature-based detection, automate vulnerability scanning at a speed that manual operators cannot match, and assist in lateral-movement decisions that previously required experienced human judgement.
The new recruits I observe entering the underground are not experts. Many of them would have failed the vetting tests that established groups administer, except that they are using AI to pass those tests. They arrive in the ecosystem with AI-augmented capability that exceeds their actual skill level. Their OPSEC is weak because they do not understand the tools they are using at a fundamental level. But their operational capability is sufficient to cause serious damage, because the tools do not require deep understanding to produce results.
This is the AI-assisted mediocrity problem, and it is the single most important shift in the threat landscape right now. The previous generation of threat actors was small and skilled. The next generation will be large and adequate. Adequate is enough to breach a network, encrypt critical systems, exfiltrate data, and demand ransom. The damage is the same whether the attacker is an expert or an AI-assisted beginner. The difference is that there will be far more of them.
Why Q1 2027 specifically
The timeline is not arbitrary. It follows from the recruitment-to-deployment cycle that I have observed consistently across the ecosystems I monitor.
The groups recruiting now in June and July 2026 will spend the next three to six months building capability: assembling teams, acquiring tools, purchasing access from initial-access brokers, testing their operational workflows, and selecting targets. The operational output of this recruitment wave will begin appearing in Q4 2026 and will reach full volume in Q1 2027.
Simultaneously, the geopolitical pressures driving the recruitment are not easing. Energy-dependent economies facing revenue collapse are producing more economic pressure, which produces more underground labour supply, which produces more operational capability. The cycle is self-reinforcing. Each quarter’s economic pressure funds the next quarter’s recruitment, and each quarter’s recruitment funds the following quarter’s attack volume.
Industry attack data supports this trajectory. Credible industry reporting indicates a 40–50% increase in attacks in 2025 over the prior year. Based on what I observe in the underground right now, 2026 is on track for a 60–80% increase. And the recruitment wave currently underway suggests that Q1 2027 through mid-2028 will see a further acceleration, driven by the largest cohort of new threat actors to enter the ecosystem in a single cycle.
What companies and critical infrastructure operators should be doing right now
The window for preparation is the next six months. After that, the wave arrives and the question shifts from prevention to response.
Invest in primary-source intelligence. Threat feeds and SIEM alerts tell you what happened yesterday. Understanding what is being built in the underground right now (which groups are forming, what tools they are acquiring, what targets they are discussing) tells you what will happen next quarter. The gap between reactive and proactive intelligence is the gap between paying ransom and preventing the breach.
Hire people who think like attackers. The security industry is full of talented technical professionals who excel at defence. What most teams lack is someone who can stand in the attacker’s shoes, look at your infrastructure the way a threat actor would, and identify the path of least resistance before the attacker finds it. This requires adversarial imagination, not just technical skill.
Accept that AI has changed the threat model. Your defences were designed for a world where capable attackers were rare and unskilled attackers were not dangerous. That world no longer exists. AI has created a middle category, adequately skilled attackers in large numbers, and your detection, response, and recovery capabilities need to be calibrated for volume, not just sophistication.
Stress-test your critical infrastructure dependencies. The groups I observe forming right now are not all targeting corporate data for ransom. Some are explicitly discussing critical infrastructure: energy, logistics, communications, financial systems. Whether their motivation is profit, disruption, or alignment with state interests they may not even fully understand, the targeting is real and the capability is being assembled now.
The uncomfortable truth
The cybersecurity industry has spent two decades building defences optimised for a threat landscape that is about to change structurally. The change is not theoretical. It is observable. I can see the groups forming. I can see the recruits arriving. I can see the tools being built. I can see the access being purchased. The pipeline is full, and it is flowing toward Q1 2027.
React later, pay more. See it now, prevent it.
The next six months are the preparation window. What companies and infrastructure operators do in this window will determine whether Q1 2027 is a crisis they managed or a crisis that managed them.
Adrian Alexandru is the founder and Lead Analyst at Aether Intel, an independent cyber threat intelligence operation based in Brașov, Romania, specialising in dark web HUMINT, behavioural threat actor profiling, and adversarial infrastructure analysis. He publishes open intelligence research at https://aether-intel.com
This article is based on direct observation of underground ecosystems. No specific forums or channels are identified by name. No classified intelligence is cited or implied.