Every 60 seconds, $1.1 million is lost to cyberattacks.

That staggering stat comes to us by way of RiskIQ, which compiled proprietary and third-party research to crunch numbers around malicious activity. The resulting report, the appropriately named “Evil Internet Minute,” paints a stark picture of the cost of cybercrime.

Every minute, there are 5,518 records leaked from publicly disclosed incidents. Globally, when a large business is affected, the average cost is $11.7 million a year and $222 a minute. This, despite the fact that businesses are spending $171,000 every minute on defense.

The research also found that 1,861 people fall victim to scams every minute, and 1.5 organizations fall victim to ransomware attacks (with an average cost to businesses of $15,221). Overall, there are 2.7 million individuals falling victim to cybercrime every 60 seconds.

In comparison, phishing domains lag: These only appear every five minutes. Also, new sites running the CoinHive cryptocurrency mining script appear only once every 10 minutes.

Vulnerable third-party code, which many organizations may not even know they’re running, has become a central narrative in recent security events. Every minute, four potentially vulnerable web components are discovered, the analysis showed.

This has far-ranging effects: For example, the threat group Magecart hacks third-party Javascript—in the case of the Ticketmaster breach, it was analytics code–that allowed them to gain access to hundreds of e-commerce sites at once and inject credit card skimming scripts. There are .07 incidents of the Magecart credit-card skimmer uncovered every 60 seconds.

“When users input their credit-card details to purchase tickets, it was sent directly to the attacker server,” said Yonathan Klijnsma, head threat researcher at RiskIQ, in an interview with Threatpost. “There was no way for them to know this was happening.”

He added, “User awareness will always be an issue because attackers are continually tweaking their tactics to stay ahead—social engineering has been a problem since before the internet existed, and it will continue to be an issue throughout the digital age,” Klinjnsma said. “However, the real scary part is that when attackers compromise web assets, there’s often no way for anyone to possibly know, so there’s nothing a user can do to protect themselves.”

When viewed as a whole, the data shows that digital assets they create are increasingly subject to scores of malware, malvertising, phishing and cryptomining efforts on a massive scale, while rogue apps, domain and brand infringement, and social impersonation cause business disruption and material loss.

“Cybercrime on the web is growing—attackers are learning that when they target internet-exposed assets, their campaigns have a high degree of success,” Klinjnsma told us. “Attacks like malvertising, phishing, supply-chain breaches and hacking unsecured servers are lucrative.”