John Halstead

1 Paper

Mar 21
Global Cybercrime Damages: A Baseline for Frontier AI Risk Assessment

Kamilė Lukošiūtė, John Halstead, Luca Righetti

AI companies and governments are increasingly concerned about frontier AI systems enabling cybercrime, yet defining meaningful capability thresholds requires knowing the scale of cybercrime today. Current estimates of global cybercrime damages vary from tens of billions to tens of trillions of dollars, with little systematic evaluation of their reliability. We establish a more rigorous baseline by surveying 27 existing estimates, critically evaluating their methodologies, and constructing a composite estimate from three independent sources: a nationally representative UK business victimization survey scaled globally, US individual victimization data scaled globally, and global cybersecurity spending figures. Large-sample victimization surveys capture losses directly from victims, avoiding both the reporting bias in law enforcement and industry databases and the heavy modeling assumptions of macroeconomic approaches. We focus on quantifiable economic damages -- direct losses, response costs, and defense spending -- excluding harder-to-measure costs such as intellectual property theft and reputational damage. We estimate total global cybercrime damages at approximately $500 billion USD annually (90% CI: $100 billion-$1 trillion). At this baseline, an AI-driven increase of about 20% would add $100 billion or more, reaching thresholds some companies identify as warranting additional mitigations. However, cybercrime data remains too incomplete for such incremental increases to be directly detectable, and defensive applications of AI may partially offset offensive gains. Our methodology narrows plausible damage estimates from multiple orders of magnitude to a more confident baseline, providing a foundation for decision-making about AI-related cybercrime risk.