LONDON — A growing proportion of cyber-crime operations are now coupling digital extortion with explicit threats of physical harm against victims and their families, a shift that security researchers and law enforcement agencies say marks a dangerous new phase in the evolution of financially motivated online crime.
The tactic, sometimes called hybrid extortion or physical threat escalation, has been documented in incidents across at least 14 countries over the past 18 months. Threat actors who gain access to sensitive personal data through ransomware infections, credential theft, or data broker breaches are increasingly appending demands with specific warnings that non-payment will result in violence, visits to home addresses, or harassment of family members, according to a report published Tuesday by cybersecurity firm CertiGuard.
CertiGuard’s analysis, which drew on incident data from more than 340 corporate and individual clients, found that cases involving physical threat language rose 83 percent between the first half of 2024 and the first half of 2025. The firm said the pattern was most prevalent in attacks targeting high-net-worth individuals, healthcare executives, and small business owners, though it had also appeared in a smaller number of attacks against mid-size enterprises.
“This is not random. The perpetrators are selecting targets based on an assessment of who has something to lose and who they believe will pay to make a problem go away quietly,” said Detective Superintendent Helena Farrow of the National Cyber Crime Unit, who spoke at a briefing accompanying the report’s release. “When you add a home address and a photograph of someone’s children to a ransom note, you have crossed a line from a financial crime into something that looks very much like a threat to kill.”
Law enforcement officials said they had made a number of arrests related to hybrid extortion cases over the past year but declined to provide specific figures, citing ongoing investigations. Prosecutors in Germany, the Netherlands, and Canada confirmed independently that they were pursuing cases in which digital extortion charges had been combined with criminal threats statutes, a legal combination that carries significantly longer potential sentences in several jurisdictions.
The operational shift appears to be partly a response to the declining effectiveness of conventional ransomware as organizations have improved backup practices and incident response capabilities. When encrypted data can be restored from an unaffected backup, the traditional ransom leverage is sharply reduced. Physical threat escalation represents an attempt to create leverage that technical defenses cannot neutralize.
“You cannot patch your way out of a threat against your family,” said Dr. Amir Soleimani, a criminal psychology researcher at University College London who has consulted with several national cybercrime units. “The attackers understand that the human threat surface is different from the technical threat surface, and they are deliberately exploiting the gap.” Soleimani said his research suggested that a significant fraction of victims who received physical threats paid ransoms they would otherwise have contested, without reporting the incident to police.
Victim advocates and cybersecurity professionals are urging individuals targeted in such attacks not to pay demands without first consulting law enforcement, arguing that payments rarely end contact and may signal to operators that a target is susceptible to further demands. Several agencies have set up dedicated intake lines for hybrid extortion reports that allow victims to report confidentially without immediately triggering a full investigation if they are concerned about retaliation.
Security researchers said the trend was likely to intensify before it diminished, noting that the personal data necessary to mount credible physical threats is widely available through data broker aggregations, social media platforms, and the cumulative leakage from years of large-scale data breaches. “The raw material for this type of attack is essentially free at this point,” said CertiGuard lead researcher Ngozi Adeyemi. “The barrier to entry is low, and the payout, when it works, is high. That is not a combination that self-corrects without sustained law enforcement pressure.”
Insurance underwriters covering cyber liability policies are responding to the hybrid extortion trend by revising policy language and premium structures. Several major carriers have added specific riders covering costs associated with physical security measures — temporary relocation, private security consultation, home address removal services — that victims may need in the aftermath of a hybrid extortion attack. The development signals that the insurance industry now regards physical threat escalation as a systemic rather than peripheral risk within the broader cyber threat landscape.
International cooperation between cybercrime units has increased in response to the trend, with Europol, Interpol, and the U.S. Federal Bureau of Investigation all reporting expansions to bilateral information-sharing agreements covering extortion-related intelligence. Analysts said that despite improved cooperation, attribution in hybrid extortion cases remained difficult because threat actors frequently operated across multiple jurisdictions and employed money mules and cryptocurrency layering to obscure financial trails.