The world’s 3rd largest economy: Cybercrime reaches $10.5T
Puerto Rico systems face heightened risk due to U.S. ties, expert warns.
The cost of cybercrime globally has been estimated at $10.5 trillion in 2025 — more per year than all natural disasters combined and generating more illegal profits than the global drug trade.
Alberto Rodríguez, cybersecurity expert and co-founder and CEO of Millennial Networks, presented the daunting figures, citing a recent Cybersecurity Ventures report, during the latest convention of the Puerto Rico Clinical Laboratories Association last week in Ponce.
“Cybercrime is the third largest economy in the world behind the U.S. and China, in terms of the sheer volume of money that’s being moved,” Rodríguez said. “It’s a huge industry. All nations are behind this, not only for defense but also for military or intelligence advantages. When we think of cybercrime, we think of the lone kid in the hoodie sitting in front of a laptop, but that’s not the reality. Oftentimes, there are big nations with big budgets behind this.”
Health care increasingly at risk
Rodríguez emphasized the increasing number and scale of attacks targeting the health care sector, pointing to the February 2024 attack on Change Healthcare, a UnitedHealth subsidiary and clearinghouse for 15 billion medical claims each year, accounting for nearly 40% of all claims in the U.S.
The attack created a massive backlog of unpaid claims, causing cash flow crises for medical providers and requiring federal government intervention. Despite UnitedHealth paying a ransom, the breach exposed the data of an estimated 190 million people.
Puerto Rico is by no means immune from the cybercrime wave. “If you visit the cybersecurity page of [the Puerto Rico Information Technology Service (PRITS)], you’ll see the alertness level is at red, as it has been for the past two years,” Rodríguez said. “Our ties to the U.S. make us potential targets.”
The expert referenced the 2023 breach at Hospital Español Auxilio Mutuo in San Juan. After the hospital’s initial announcement revealing a security incident that took place, which prompted a notification from the Department of Homeland Security, a second investigation confirmed nearly 1.2 million patients’ data was exfiltrated between August 2022 and September 2023.
“We have taken steps to strengthen our network systems to reduce the risk of a similar incident occurring in the future,” the hospital statement said, adding it notified and offered affected individuals credit monitoring and identity theft protection.
Ransomware evolves
Rodríguez highlighted findings from the 2024 Verizon Wireless Data Breach Investigations Report showing that 32% of breaches now involve ransomware — a rapidly growing extortion tactic, in which a cybercriminal “locks up” a victim’s computer or data in exchange for a ransom, frequently paid via bitcoin or other cryptocurrency.
Further complicating matters, access to what is called a RaaS kit has made it easier than ever for criminals to enter the racket. Short for ransomware-as-a-service, RaaS kits are widely available on the dark web and basically allow anyone to launch cyberattacks through subscription models that are more similar to a Netflix subscription than a typical hacker setup.
For as little as $40 a month, a subscriber to such a service becomes an “affiliate” to an operator who creates and sells ransomware code to said affiliates. The affiliates then spread attacks through a stylized dashboard interface, oftentimes earning a cut of the ill-gotten gains. Different business models abound within the RaaS kit space, but the principle remains the same, with certain RaaS gangs, such as Hive and LockBit, becoming infamous in recent years.
Considering the risks and dangers out there, Rodríguez stressed the importance of everyday “cyber-hygiene.” In particular, he recommended using password managers and remaining particularly mindful of email as a potential vector for cyberattacks. “It’s been proven time and again: No matter how fancy the security tech solutions you may have, humans are always the last line of defense,” he said.
