The newly released INTERPOL Asia and South Pacific Cyber Threat Assessment 2025/2026, published by the organisation's dedicated cybercrime desk in Singapore, is the kind of document that underwriting committees should read carefully and then read again. It is not a general warning about digital risk. It is a granular, operationally grounded account of a cybercrime ecosystem that has become, in INTERPOL's own formulation, industrialised - and which is directly relevant to the pricing, aggregation management and policy language decisions facing every London market firm with Asia-Pacific cyber exposure.
The headline figures alone demand attention. Transnational organised crime groups operating scam centres across Cambodia, Laos, Myanmar and the Philippines - in some cases using trafficked labour - are generating close to $40 billion a year, according to estimates cited in the report. The region recorded more than 135,000 ransomware-related attacks in 2024. Discussions about deepfakes on criminal forums and Telegram channels popular with Southeast Asian threat actors increased by 600% between February and June of that year. DDoS attacks surged by 92%. System intrusions accounted for approximately 80% of all data breaches in the region, with malware present in 83% of those cases and ransomware in 51%.
Those are not background statistics. They are the loss environment in which cyber policies written in London are operating.
Data analysis
Each bubble is one of the top five cybercrime types ranked by INTERPOL across 18 member countries. Horizontal: case volume. Vertical: insurance claims severity. Bubble size: pace of escalation. Hover for detail.
Ransomware avg claim
$508,000
+16% YoY · At-Bay 2025
Scam centre losses
~$40bn/yr
UNODC est · INTERPOL
Deepfake forum activity
+600%
Feb–Jun 2024 · INTERPOL
Sources: INTERPOL Asia and South Pacific Cyber Threat Assessment 2025/2026; Willis Cyber Claims in Focus 2026; DUAL Global Cyber Outlook April 2026; At-Bay 2025 Cyber Claims Report; Aon APAC Cyber Risk Report 2025; UNODC TOC Convergence Report 2024. Axis positions are indicative indices.
INTERPOL's report documents what it describes as an immediate operational reality, not a future concern: AI-generated deepfakes are already being used at scale to perpetrate financial fraud across the region. In February 2024, an employee at a multinational firm in Hong Kong was tricked into transferring $25 million after deepfakes were used to impersonate executives in a video call. In March 2025, a finance director in Singapore nearly lost over $499,000 in an almost identical Zoom-based attack. These are not isolated incidents. The report characterises them as representative of a rapidly growing pattern in which AI personas, voice clones and synthetic video are used to bypass the human controls that technical security measures cannot reach.
This has direct implications for the London cyber market. As Insurance Business UK reported earlier this year, social engineering fraud driven by deepfakes has become the largest driver by frequency of UK cyber claims, with AI-generated voice and video increasingly used to deceive victims. The crossover between the threat environment INTERPOL documents in Asia-Pacific and what is showing up in UK claims data is not coincidental. The same criminal infrastructure, the same malware families and increasingly the same organised crime groups are operating across both geographies.
The INTERPOL report identifies the five most prevalent infostealer families operating across the region following Operation Secure, its February 2025 joint operation involving 26 countries. RedLine Stealer, LummaC2, Loki, Negasteal and ZBot are all active across multiple Asia-Pacific countries, targeting finance, healthcare, manufacturing and e-commerce. LummaC2, described in the report as the world's largest infostealer and available as a malware-as-a-service product since 2022, was the subject of a joint disruption operation by Europol, Microsoft and Japan's Cybercrime Control Centre in May 2025. Europol confirmed the operation dismantled the infostealer's infrastructure - a significant intervention that nonetheless does not eliminate the broader infostealer ecosystem from which it emerged.
KEY FIGURES FROM THE INTERPOL ASIA AND SOUTH PACIFIC CYBER THREAT ASSESSMENT 2025/2026
The London market's Asia-Pacific cyber exposure sits within a broader context that is already under scrutiny. International cyber insurance rates have fallen 43% since the fourth quarter of 2023, a softening that specialist underwriter DUAL has described as pushing the sector towards an inflection point. S&P Global Ratings has forecast a 15 to 20% premium increase in 2026 as claims severity catches up with pricing. The average ransomware claim reached $508,000 in 2025, up 16% year on year. Third-party liability claims jumped 70%.
Asia-Pacific is the fastest-growing region in the global cyber insurance market, expected to overtake all others in growth rate as digitalisation accelerates, according to Gallagher's 2026 Cyber Insurance Market Outlook. The region currently accounts for a fraction of global cyber premiums - North America holds 60 to 70% - but the expansion trajectory is clear, and with it comes the aggregation challenge of underwriting a region whose threat environment INTERPOL has now formally characterised as one of the most acute in the world.
The INTERPOL report is candid about a structural vulnerability that insurers writing the region must factor into their models. Jurisdictions with less robust legislation, fragmented enforcement and limited technical capacity are precisely those most attractive to threat actors who "often operate with a low likelihood of being identified or prosecuted". The Pacific island states and less developed Southeast Asian economies are described as functioning as gateways for malicious activity into broader regional and global networks. That is, in underwriting terms, a correlated exposure problem. A successful attack that enters via a low-maturity jurisdiction and propagates through a multinational's regional network does not stay local.
Among the emerging threats the INTERPOL report identifies, one deserves particular attention from the London market's coverage design perspective. Ransomware groups are now actively exploiting their victims' regulatory obligations as leverage. Rather than simply demanding payment to restore encrypted systems, threat actors are threatening to report alleged compliance violations to regulators unless ransoms are paid. This significantly raises the financial and reputational stakes, creating a second layer of coercion that operates regardless of whether the insured has a working backup.
The implication for policy wording is direct. As Tokio Marine Kiln's Laila Khudairi noted in a recent analysis for Insurance Business UK, the market is evolving from indemnity cover towards proactive cyber resilience partnership - a shift that requires policies to contemplate scenarios that do not fit the traditional "breach, contain, notify" model. A ransomware attack that threatens regulatory disclosure but does not encrypt a single file presents a claims scenario that many existing wordings have not been written to address.
"Our adversaries are organised, innovative, and relentless."- Neal Jetton, Director of Cybercrime, INTERPOL, foreword to the Asia and South Pacific Cyber Threat Assessment 2025/2026
The INTERPOL assessment arrives at a moment of acute tension between the threat environment and market pricing. QBE's recent analysis of UK cyber risk found that 22% of UK businesses experienced a cyber event causing more than one working day of disruption in 2026, up from 16% in 2025, with 82% of businesses expressing concern about the threats they face in the coming year. That data, domestic as it is, reflects the same threat dynamics the INTERPOL report documents in Asia-Pacific: the same malware families, the same attack vectors, the same criminal infrastructure operating across geographies.
Lloyd's itself flagged in its Q4 2025 market briefing that rapid cyber expansion may be outstripping the market's capacity to absorb risk, warning of the importance of underwriting discipline as pricing momentum moderates. The INTERPOL report, read alongside that warning, presents an uncomfortable picture: the threat environment it documents in Asia-Pacific is not contained to that region, it is not in retreat, and it is not being matched by premium adequacy in a market that has spent three years softening.
The INTERPOL report covers January 2024 to March 2025. The attacks it documents - the $25 million deepfake transfer in Hong Kong, the Singapore Zoom fraud, the ransomware strike that disrupted 280 essential services through Indonesia's National Data Centre - were not theoretical scenarios. They are the historical record. The question for London underwriters writing Asia-Pacific cyber risk today is whether the premium they are charging reflects the environment INTERPOL has taken the trouble to formally document.
