Netcraft forecasts legacy system risks & advanced AI threats by 2026

Netcraft has outlined five predictions for the evolving cyber threat landscape in 2026, highlighting persistent vulnerabilities stemming from legacy systems, seasonal event-driven crime, and increased complexity in fraud detection influenced by Phishing-as-a-Service and AI advancements.

Legacy system risks

Netcraft anticipates that the end of support for Windows 10 in October 2025 will leave substantial numbers of unpatched systems vulnerable to exploitation throughout 2026. Many organisations and individuals are expected to delay upgrading operating systems, creating opportunities particularly for attackers targeting sectors dependent on older or specialised infrastructure.

"With Windows 10 reaching end of life in October 2025, many organizations and individuals are expected to resist upgrading, leaving vast numbers of unpatched systems exposed throughout 2026. This will likely lead to a surge in exploitation of legacy Windows vulnerabilities. Sectors reliant on outdated or specialized infrastructure, particularly in industrial goods and services, will be especially at risk as they often lack the resources or inclination to prioritize regular security updates," said Andrew Brandt, Principal Threat Researcher, Netcraft.

Event-driven threats

Netcraft's security researchers expect that seasonal triggers and large-scale events will create surges in cybercrime, with attackers exploiting occasions such as tax deadlines, the 2026 Winter Olympics, and the U.S. midterm elections for social engineering campaigns. The report also predicts that threat actors will increasingly target holiday travel and hospitality brands in large-scale scams, while scam call operations and fake investment platforms continue to expand.

The convergence of financially motivated and ideologically driven cybercriminal groups, typified by partnerships like that of DragonForce and Scattered Spider, is expected to intensify. Collaboration across ransomware and hacktivist groups is seen as a continuing trend.

"Seasonal and event-driven attack patterns, including phishing waves aligned with tax deadlines, the 2026 Winter Olympics, and the U.S. midterm elections, are all likely to be exploited for social engineering lures. Additionally, holiday travel and hospitality brands are expected to be impersonated in large-scale scams."

"The continued rise of scam call operations, fake investment platforms, and cross-group collaboration among threat actors is another area of the threat landscape to see expansion. Growing partnerships between ransomware and hacktivist groups, such as DragonForce and Scattered Spider, highlight the ongoing convergence of ideological and profit-driven cybercrime, a trend that will likely intensify through 2026," said Brandt.

Industry targets

Industries with extensive downstream reach, such as managed service providers, insurance, and consulting, are expected to remain attractive targets for cyber attackers looking to exploit supply chain relationships. Fintech companies, particularly those involved with under-regulated assets and crypto markets, face anticipated challenges in advancing their security maturity. Logistics, shipping, and retail may see attackers leveraging tariff and shipping-themed phishing lures.

"In 2026, industries with broad downstream impact, such as managed service providers (MSPs), insurance, and consulting, will remain prime targets for threat actors seeking access to other victims. Fintech, especially segments tied to under-regulated assets and crypto markets, will continue to struggle with maturing their security infrastructure. Meanwhile, logistics, shipping, and retail sectors may see phishing lures tied to tariffs or shipping-related themes," said Ginny Spicer, Threat Analyst, Netcraft.

AI system vulnerabilities

Netcraft points to the evolution of AI from simple chatbots to more autonomous agents as a source of new security and data integrity challenges. The increased complexity in these systems heightens the risk of data leakage, manipulation of workflows, and unauthorised access to sensitive data. Attackers may use AI agents to facilitate reconnaissance, automate elements of ransomware operations, or potentially exploit vulnerabilities within the AI systems themselves.

"As AI systems evolve from chatbots to autonomous agents and agentic browsers, new security and data integrity risks are continuing to emerge. The growing complexity of these systems will likely result in data leakage, workflow manipulation, and unintended access to sensitive information.

"Threat actors may leverage AI agents for reconnaissance, data exfiltration, and even automation of some ransomware operations. At the same time, the possibility of manipulating AI agents themselves presents a lucrative opportunity for fraudsters if developers fail to bake in robust protections," said Spicer.

Phishing landscape

According to Netcraft, Phishing-as-a-Service is expected to proliferate further after showing marked growth in 2025. The trend reduces barriers for cybercriminals, allowing for more organised and widespread phishing campaigns. Netcraft also notes the expansion of OAuth phishing, where attackers manipulate users into granting malicious app access, bypassing the need to steal credentials directly. This method is likely to spread to additional online platforms next year.

"Phishing-as-a-Service emerged as a defining shift in 2025, dramatically lowering the technical barrier for cybercriminals and enabling widespread, coordinated phishing campaigns across industries. The trend of 'OAuth phishing' also gained traction, where attackers manipulate users into granting malicious third-party app access instead of stealing credentials outright. This represents a new layer of deception and signals a likely expansion to more online platforms in 2026," said Gina Chow, Emerging Threat Specialist, Netcraft.