Iceland's cybercrime cases quadruple in four years, Chinese state hackers found probing network infrastructure

• CERT-IS caseload rose 40% year-on-year to 2,312 incidents in 2025 — more than six per day
• Payment fraud losses totalled two billion Icelandic krónur (roughly €13 million) between 2023 and 2025
• Attackers now infiltrate corporate email and Teams to silently monitor correspondence before redirecting payments
• China's Salt Typhoon group — confirmed in Norwegian telecoms by PST in February — obtained configuration files for Icelandic network equipment

Iceland's national cybersecurity team CERT-IS processed 2,312 cases in 2025, nearly four times the 598 cases it handled in 2021, RÚV reports. That works out to more than six incidents per day. Losses from payment fraud alone reached two billion Icelandic krónur — roughly €13 million — between 2023 and 2025, according to Central Bank of Iceland data, with recovery of stolen funds becoming harder than before.

The nature of the threat has changed. Magni R. Sigurðsson, head of CERT-IS, describes a shift from crude phishing toward patient, organised intrusions into corporate systems. Attackers gain access to an employee's email or Microsoft Teams account, then sit and watch. They read internal correspondence, learn payment routines, and wait. When an invoice arrives, they alter the bank details and the company wires money straight to the attacker. The victim firm often has no idea anything happened until the real supplier asks where its payment is. AI has accelerated the cycle: phishing emails are now drafted in fluent Icelandic, scam websites can be generated in minutes, and entire fraud campaigns can be launched for the price of a cheap subscription to off-the-shelf criminal toolkits.

But the most consequential finding is not about money. CERT-IS discovered traces indicating that Salt Typhoon — a hacking group linked to the Chinese military — accessed configuration files for Icelandic network equipment. Sigurðsson said no evidence was found that the group had exploited those files, but possession of configuration data for network infrastructure is itself a serious breach: it maps out how systems are built, where the entry points are, and what defences exist. Norway's PST (Police Security Service) confirmed in February that the same Salt Typhoon group penetrated Norwegian telecommunications networks. Former CISA director Jen Easterly, interviewed by RÚV's Kastljós, described Salt Typhoon's penetration of US critical infrastructure — water systems, power grids, transport, telecoms — as one of the gravest incidents of her career. The objective, she said, was not espionage but the ability to paralyse American society in the event of a conflict over Taiwan.

Iceland sits at the intersection of transatlantic submarine cables and hosts NATO-related infrastructure. A country of 380,000 people with that kind of strategic exposure would, in theory, invest heavily in cyber defence. The record suggests otherwise. CERT-IS's caseload has nearly quadrupled since 2021. Public institutions including the Icelandic government offices (Stjórnarráðið), the Alþingi (parliament), the utility company Veitur, and the Reykjavík bus service Strætó have all been hit by cyberattacks in recent years. Ýmir Vigfússon, CTO of cybersecurity firm Keystrike, estimates that most successful intrusions are never detected at all — they are designed to burrow in and remain hidden, collecting intelligence or preparing for future operations.

Easterly's advice to Icelanders was blunt: stop treating cybersecurity as a matter for the IT department. It is a national security issue. Sigurðsson and Vigfússon both emphasise the basics — two-factor authentication, unique passwords, scepticism toward urgent messages — but individual hygiene does not solve the structural problem. A state-backed group with access to your network equipment configuration files is not deterred by stronger passwords. The question is whether Iceland's government is matching its cyber defence spending to a threat that has quadrupled in four years. The public record does not contain an answer, which is itself informative.

CERT-IS now handles more cases per year than Iceland has police officers.

Sources: RÚV, PST – Nasjonal trusselvurdering 2026