ANALYSIS

Why Cybercrime Isn't About You: Motivation, Opportunity, and How Victims Are Surfaced

Nobody chose you

Most people describe a compromise in the language of being chosen. I was hacked. They got into my account. Someone came after me. The grammar puts a person at the far end of the event, deciding to single you out. In the large majority of incidents that person does not exist.

In the first half of 2025 more than 97 percent of identity attacks observed across Microsoft’s cloud were password spray or brute force: automated attempts that throw known usernames at many accounts at once. When Microsoft compared the usernames being sprayed against the Have I Been Pwned database, 85 percent of them already sat in a known credential leak, and each one appeared in roughly three separate logs on average. No analyst studied those accounts and picked them. They were eligible because they were exposed; the automation did the rest.

The assumption of personal targeting leads to the wrong defensive instinct. If you believe you were singled out, you go looking for a motive and a culprit. If you understand that you were surfaced — pulled into a testable population by data that was already public or already leaked — you look at your own exposure instead. The criminology behind this is older than the internet, and it predicts the pattern closely. Routine activity theory, set out by Cohen and Felson in 1979, holds that a crime needs only three things to occur together: a motivated offender, a suitable target, and the absence of a capable guardian. None of those three requires that the offender know, or care, who the target is.

Two regimes of compromise

It would be wrong to claim nobody is ever targeted. People are, and some of the work we do exists precisely because they are. The distinction that matters is that compromise runs on two tracks at the same time, and the two work differently.

The first is the volume track. It is automated, indifferent, and enormous. Credentials harvested from breaches and infostealer logs are replayed against services at scale, and the selection of who gets tested is performed by systems rather than by people. The 97 percent spray figure lives here. Routine activity theory describes this track almost exactly, with one adjustment that Majid Yar made when he applied the theory to cybercrime in 2005: online, the “suitable target” is rarely chosen for who they are. It is whatever the automation can reach cheaply enough to be worth a try.

The second is the targeted track. Here a human does decide. This is the world of executives, finance staff, people with privileged access, and principals of wealth. Exposure still matters on this track, but it plays a different role. It does not replace the decision to go after someone. It makes that decision cheap and reliable. We have written about this shift before: a findable footprint turns an attack from a gamble an attacker takes into a calculation they can run, and the timing of that attack is frequently read straight from signals the target published themselves.

The two tracks are not sealed off from each other. A credential swept up by the volume track can become a targeted operation the moment someone notices what it unlocks. The monitoring that catches the crowd reusing a commodity password will usually miss the operator who quietly buys a specific access while the log is still private. Movement runs in one direction in particular: mass exposure feeds targeted selection, because the cheapest way to build a target list is to read it off data that already leaked.

This is the honest version of the claim. Most people are surfaced. A smaller number, usually the most valuable, are selected, and exposure is what makes selecting them worth the effort.

Exposure is what makes you eligible

When Leukfeldt and Yar tested routine activity theory against a sample of more than nine thousand people in 2016, the factors that raised the risk of victimisation were the ones the theory predicts: visibility and accessibility. The more reachable and findable you are, the more often you land in the population that gets tested. Exposure works less like a verdict on you and more like eligibility for a process that never had you specifically in mind.

We have covered at length how the data gets into these pipelines, and there is no need to repeat it here: what stealer logs are and how fast they sell, how infostealers actually execute on a host, and what a digital footprint gets used for once it is assembled. The narrower point for this argument is that exposure is not a static fact. It is structured input for automation.

Once an email address, a reused password, or a session token lands in a dump, it does not expire on any human schedule. Verizon’s 2025 Data Breach Investigations Report found that 54 percent of organisations later named on ransomware leak sites had their domains turn up in infostealer logs or marketplace listings, and 40 percent of those records carried corporate email addresses. Each leaked username, in Microsoft’s count, sits in around three separate logs. Europol describes the downstream effect plainly in its 2026 assessment: stolen data is sold onward and exploited again in what it calls a vicious loop, where the same people are relentlessly re-victimised. Exposure has a long half-life, and that half-life is measured in years.

Motivation is layered, and it is not the bottleneck

If opportunity drives the volume track, motivation still explains who does this and why the ecosystem holds together. The common mistake is to assume the motive is always money. Money is one of several, and which one is in play depends on where in the ecosystem you look.

The financial layer is the most visible. Ransomware, fraud, and the resale of access all sit here. Initial access brokers price and trade entry to compromised networks, and ransomware-as-a-service vendors rent out the tooling to people who could not build it themselves. Europol’s term for the wider pattern is crime-as-a-service: a participant no longer needs skill, only a budget.

Beneath that sits an opportunistic and experimental layer. A great deal of low-level intrusion is curiosity with a low cost of trying. Where the guardian is weak and the target is easy, the rational-choice calculation that Cornish and Clarke described in 1986 favours an attempt even without a clear payday in mind. Someone tries a credential because trying is almost free and sees what happens.

There is a social and reputational layer as well. Underground forums run on proof, and access itself is a currency that buys standing in a community. Akers’ social learning theory, which Holt and colleagues have applied directly to cyber-deviance, describes how this kind of offending is learned and reinforced inside peer groups. The reward is not always cash. Sometimes it is reputation, which converts to cash later.

Finally there is an ideological layer, though “ideological” overstates how lofty the motive usually is. At one end it is genuine hacktivism, where the cause is political in the conventional sense and the intrusion is meant to make a point. Far more common is a smaller and more personal kind of politics: rivalries between groups, status contests inside a forum, and harassment driven by personal grievance, mutual hatred or envy of someone’s visibility. The “politics” here is often nothing more than who in a community dislikes whom. Doxing scenes run on that fuel as much as on any principle. Gabriella Coleman’s ethnographic work and the earlier analysis of Jordan and Taylor document how these groups form and how their members drift over time. The drift tends to run toward monetisation and the roles blur as it does. We have traced one version of this collapse between subculture and organised fraud elsewhere.

Separating these layers matters for one reason: the incentives are interchangeable. A skill learned for status gets rented for money. An access taken out of curiosity gets sold to someone with a plan for it. Because the motives are fluid, building a defence on the assumption that your adversary wants only one thing, whether money or a political point, misreads the system. The one constant underneath every motive is that you have to be reachable before any of them can apply to you.

The model: eligibility plus cheap testing

The model that fits the volume track is not persuasion. Nobody is being convinced of anything, and there is no funnel of attention to win. The model is eligibility plus low-cost testing.

Exposure puts you in the population. Automation tests the population. Where the cost of an attempt sits near zero and an occasional success is valuable, the rational move is to test everything reachable and keep whatever works. Cohen and Felson’s three conditions reduce, online, to a single practical question for the attacker: can the automation reach this account cheaply enough to be worth one try? For most accounts the answer is yes, because the username is already in a leak and the password was reused somewhere it should not have been.

This is also why one widely shared statistic is so easily misread. In Microsoft’s spray data, only 1.5 percent of attempts used a correct username and password and were then stopped by multifactor authentication. That number is not evidence that the attacks rarely work. Microsoft is explicit that it reflects how few of those accounts had MFA in the way, rather than how often the technique succeeds. When testing is this cheap, a low success rate per attempt still yields a large number of compromises in absolute terms. Scale does the work that skill does not have to.
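The “many usernames, one or two tries each” shape that the model predicts is also the shape a defender can look for in sign-in logs. The following is an added example, not code from the original briefing: it parses a constructed set of authentication events, breaks attempts down into the outcome buckets the article discusses (unknown username, valid username with the wrong password, valid credentials stopped by MFA, plain success), flags source addresses whose pattern matches a spray, and lists the accounts whose usernames the spray has effectively confirmed as leaked. The log format, field names, outcome labels and thresholds are all assumptions chosen for the sample.

```python
"""Password-spray triage over authentication log lines.

Added example, not part of the original briefing. The log format below is
constructed for this example (timestamp, source IP, username, outcome); real
identity providers emit richer events, so the field names are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log lines. The first block is one source trying eight
# different accounts once each (a spray); the second is one user retrying
# their own password until it works (ordinary behaviour).
SAMPLE_LOG = """\
2025-03-01T02:00:01Z 203.0.113.7 alice@example.test BAD_PASSWORD
2025-03-01T02:00:02Z 203.0.113.7 bob@example.test BAD_PASSWORD
2025-03-01T02:00:03Z 203.0.113.7 carol@example.test UNKNOWN_USER
2025-03-01T02:00:04Z 203.0.113.7 dave@example.test BAD_PASSWORD
2025-03-01T02:00:05Z 203.0.113.7 erin@example.test MFA_BLOCKED
2025-03-01T02:00:06Z 203.0.113.7 frank@example.test BAD_PASSWORD
2025-03-01T02:00:07Z 203.0.113.7 grace@example.test UNKNOWN_USER
2025-03-01T02:00:08Z 203.0.113.7 heidi@example.test BAD_PASSWORD
2025-03-01T09:15:00Z 198.51.100.20 alice@example.test BAD_PASSWORD
2025-03-01T09:15:20Z 198.51.100.20 alice@example.test BAD_PASSWORD
2025-03-01T09:15:41Z 198.51.100.20 alice@example.test SUCCESS
"""

# Outcomes that prove the username exists: the server got past user lookup.
VALID_USER_OUTCOMES = {"BAD_PASSWORD", "MFA_BLOCKED", "SUCCESS"}


@dataclass
class AuthEvent:
    ts: str
    src_ip: str
    user: str
    outcome: str


def parse_log(text):
    """Turn the constructed whitespace-separated format into AuthEvent objects."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, outcome = line.split()
        events.append(AuthEvent(ts, ip, user, outcome))
    return events


def outcome_breakdown(events):
    """Percentage of attempts per outcome, rounded to one decimal.

    This is the view behind figures such as 'valid username, wrong password'
    or 'correct credentials, stopped by MFA'."""
    counts = defaultdict(int)
    for e in events:
        counts[e.outcome] += 1
    total = len(events)
    return {k: round(v / total * 100, 1) for k, v in counts.items()}


def spray_sources(events, min_users=5, max_attempts_per_user=2.0):
    """Flag source IPs whose pattern is 'many users, few tries each'.

    Thresholds are assumptions chosen for the sample; tune them to your
    tenant's normal traffic before relying on them."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e.src_ip].append(e.user)
    flagged = {}
    for ip, users in by_ip.items():
        distinct = len(set(users))
        per_user = len(users) / distinct
        if distinct >= min_users and per_user <= max_attempts_per_user:
            flagged[ip] = {"attempts": len(users), "distinct_users": distinct}
    return flagged


def exposed_users(events, flagged):
    """Accounts a flagged source tried whose username the server confirmed.

    These are the usernames the attacker already held (typically from a
    leak), so they are the first candidates for a reset and an MFA check."""
    users = set()
    for e in events:
        if e.src_ip in flagged and e.outcome in VALID_USER_OUTCOMES:
            users.add(e.user)
    return sorted(users)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    hits = spray_sources(evs)
    print("outcomes:", outcome_breakdown(evs))
    print("spray sources:", hits)
    print("confirmed usernames:", exposed_users(evs, hits))
```

The per-user attempt ratio is what separates a spray from a user who mistyped their own password three times: the second source in the sample makes three attempts against one account and is not flagged, while the first makes eight attempts against eight accounts and is. On a real tenant the same logic runs over a sign-in export, and the outcome breakdown for a flagged source tells you how much of your population the attacker's username list already covers.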

If you want to know which of your credentials and accounts already sit in the leaked data being tested right now, that is what a Lockdown investigation establishes before it decides what to contain.


Defence is exposure containment, not prevention

Once you accept that you cannot stop being surfaced, the defensive posture changes shape. You stop trying to prevent the breach that has, statistically, already happened to your data somewhere, and you start containing what that exposure can be turned into. The working assumption becomes that exposure already exists and that your credentials will be tested. Everything useful follows from that assumption.

The single highest-value control is phishing-resistant multifactor authentication. Microsoft puts its effectiveness above 99 percent against identity-based attacks, and the entire volume track runs into a wall against it. The qualifier matters: it has to be phishing-resistant and aware of session-token theft, because a stolen session can sidestep a login prompt entirely, which is the failure mode behind a large share of account takeovers.

The next is to stop reusing passwords. Microsoft found that 45 percent of spray attempts paired a valid username with the wrong password, which is what password reuse looks like once it reaches scale. Reuse is the mechanism that turns a leak somewhere you had forgotten about into a live compromise of something that matters.

Monitoring leaked data helps, as long as it is read for what it is. It lags exploitation rather than preventing it, and an alert that your credential has surfaced is the start of triage, not a save. Reducing the footprint sits alongside it: fewer findable signals means a smaller and less reliable calculation for anyone working the targeted track. For the smaller group who genuinely are selected, footprint reduction and active monitoring stop being hygiene and become the protection itself.
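Two of the controls above, stopping password reuse and checking whether a credential already sits in leaked data, can be done without ever sending a password anywhere. The following is an added example, not code from the original briefing: it implements the k-anonymity range scheme that Have I Been Pwned's Pwned Passwords API uses (the client sends only the first five hex characters of the SHA-1 hash and the server returns every suffix it holds under that prefix with a breach count), and a reuse check that compares password hashes across services. The server response here is constructed locally so the block runs offline; the URL in the docstring describes the real service but is not contacted, and the breach counts are made up.

```python
"""Leaked-password lookup with k-anonymity, plus a reuse check.

Added example, not part of the original briefing. The range protocol mirrors
Have I Been Pwned's Pwned Passwords API (GET
https://api.pwnedpasswords.com/range/<first 5 hex chars of SHA-1>); this block
never makes that request. The response body is constructed below and its
counts are invented.
"""
import hashlib
from collections import defaultdict


def sha1_hex(password):
    """Upper-case hex SHA-1, the digest form the range protocol uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_range_query(password):
    """Return (prefix, suffix): only the 5-char prefix leaves the client.

    A 5-hex-character prefix names 1/16**5 of the hash space, so the server
    learns only that the password is one of a few hundred candidates."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


def parse_range_response(body):
    """Parse 'SUFFIX:COUNT' lines (the API's response format) into a dict."""
    table = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, count = line.split(":")
        table[suffix.upper()] = int(count)
    return table


def breach_count(password, range_body):
    """Number of times the password appears in the (constructed) leak set.

    The comparison happens client-side: the server never sees the suffix."""
    _, suffix = split_for_range_query(password)
    return parse_range_response(range_body).get(suffix, 0)


def make_constructed_response(leaked):
    """Stand-in for the server. `leaked` maps plaintext -> invented count.

    Emits the suffixes in the API's 'SUFFIX:COUNT' format, padded with two
    decoy suffixes so the body looks like a real range (constructed data)."""
    lines = [f"{sha1_hex(pw)[5:]}:{n}" for pw, n in leaked.items()]
    lines += ["0018A45C4D1DEF81644B54AB7F969B88D65:1",
              "00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2"]
    return "\n".join(lines) + "\n"


# Constructed leak table: plaintexts and counts are invented for the example.
CONSTRUCTED_RANGE_BODY = make_constructed_response({
    "password": 3861493,
    "Summer2024!": 1207,
})


def find_reuse(credentials):
    """Group services by password hash; any group larger than one is reuse.

    `credentials` maps service name -> password. Hashing first means the
    plaintexts are not kept around in the result."""
    by_hash = defaultdict(list)
    for service, pw in credentials.items():
        by_hash[sha1_hex(pw)].append(service)
    return {h: sorted(s) for h, s in by_hash.items() if len(s) > 1}


if __name__ == "__main__":
    # Constructed vault contents for the demonstration.
    vault = {
        "webmail": "Summer2024!",
        "bank": "Summer2024!",
        "forum": "password",
        "vpn": "correct-horse-battery-staple-2025-unique",
    }
    for service, pw in vault.items():
        print(service, "leaked" if breach_count(pw, CONSTRUCTED_RANGE_BODY) else "clean")
    print("reused across:", list(find_reuse(vault).values()))
```

In production the constructed body is replaced by the real range response for the prefix, and the rest of the logic is unchanged; the point of the design is that the check can be run against a vault or a password-change endpoint without the password itself ever being transmitted. A positive hit is the start of triage the paragraph above describes: the credential is rotated and the services that shared it are reviewed, because reuse is what turns one leak into several compromises.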

None of this is exotic. The NIST Cybersecurity Framework already organises itself around the assumption that compromise is continuous rather than a one-time wall to be defended: identify, protect, detect, respond, recover. Read in the light of how victims are surfaced, that sequence reads less like a compliance exercise and more like an admission that prevention is only ever partial, and that containment carries most of the load.

Surfaced, not selected

The question most people ask after an incident is why me, and it usually has no answer, because there was no me in the decision. There was a username in a leak, a password reused across services, and an automated process that tested both because testing costs almost nothing. Above that runs a smaller, deliberate track where people are chosen, and even there the choice is made cheap by the same exposure that drives the volume below it.

Hold the whole model in view and it is simple enough to act on. Exposure makes you eligible. Automation surfaces you. A minority are then selected because their exposure made selecting them worthwhile. Defence means shrinking that exposure and breaking the link between a leak and a loss, not standing guard against a particular person who, in most cases, was never there.

In most modern cybercrime, the victim is not selected. They are surfaced.
