Top Cybersecurity Breaches and Attacks of 2025

The cybersecurity landscape of 2025 was defined by a relentless surge in sophisticated attacks, massive data breaches, and the alarming evolution of threat actor tactics. From record-shattering cryptocurrency heists to the widespread exploitation of artificial intelligence, the year presented unprecedented challenges for organizations and individuals worldwide. The following overview highlights some of the most significant and impactful security incidents that shaped the digital threat environment.

One of the most brazen extortion attempts involved the ShinyHunters gang targeting PornHub. The attackers stole approximately 94 gigabytes of data from a third-party analytics provider, containing over 200 million records of subscriber viewing habits. While financial data was not compromised, the potential release of such sensitive personal information carries severe reputational risks for users, echoing the real-world harm seen in past breaches like Ashley Madison.

A pervasive social engineering threat emerged with ClickFix attacks. These campaigns trick users by presenting fake error messages, security warnings, or update notices on malicious webpages. The pages then instruct visitors to run malicious PowerShell or shell commands to “fix” the issue, leading to self-inflicted infections. The tactic expanded beyond Windows to target macOS and Linux users, employing lures like fake software activation videos on TikTok. The attacks evolved throughout the year, with new variants like ConsentFix hijacking Microsoft accounts and FileFix abusing the Windows File Explorer. The commercialization of these attacks accelerated with the launch of paid platforms like ‘ErrTraffic’ that automate malware delivery.

The cryptocurrency sector suffered monumental losses, most notably a $1.5 billion Ethereum theft from ByBit linked to North Korea’s Lazarus group. Investigators found the breach originated from a compromised developer machine, which attackers used to manipulate transaction approvals and drain a cold wallet. This was part of a broader wave of crypto thefts targeting exchanges like Phemex and Cetus Protocol, alongside a pro-Israel hack that destroyed millions in digital assets on Iran’s Nobitex exchange.

Enterprise software faced critical threats, particularly through the exploitation of zero-day flaws in Oracle’s E-Business Suite. The Clop ransomware gang exploited an unpatched vulnerability to breach servers and steal data from numerous organizations, including several major universities and corporations. A second zero-day was later disclosed publicly after the ShinyHunters group leaked a proof-of-concept exploit.

Distributed denial-of-service (DDoS) attacks reached unprecedented scale, with incidents peaking at a staggering 22.2 terabits per second. The growth was largely driven by the massive Aisuru botnet, which leveraged hundreds of thousands of IP addresses. In response, global law enforcement coordinated takedowns of DDoS-for-hire services and disrupted hacktivist groups like NoName057(16).

Software supply chains came under sustained assault as attackers flooded open-source repositories with malicious packages. The npm registry was inundated by campaigns like IndonesianFoods and the damaging Shai-Hulud malware, which stole developer secrets. IDE marketplaces for VSCode and OpenVSX were similarly compromised, with threats like the recurring Glassworm campaign delivering cryptominers and ransomware. The Python Package Index (PyPI) also faced relentless attacks, prompting the introduction of new security controls.

A significant identity threat emerged from North Korean IT workers infiltrating Western companies. Using fake identities and intermediaries, these operatives secured legitimate employment to funnel earnings back to the DPRK regime. U.S. authorities uncovered “laptop farm” operations across multiple states and schemes where engineers rented their identities to help North Koreans pass background checks. Related “Contagious Interview” campaigns abused hiring processes, using deepfake Zoom calls and malicious coding assessments to deliver malware.

Cyber-espionage campaigns had profound impacts, particularly Salt Typhoon’s targeting of global telecommunications infrastructure. Linked to Chinese state-aligned actors, the campaign exploited unpatched Cisco devices to gain long-term access to telecom networks in the U.S., Canada, and elsewhere. The threat actors even breached military networks like the U.S. National Guard to steal configuration data and credentials.

The integration of AI into everyday tools introduced a novel vulnerability class: prompt injection attacks. These exploits manipulate how AI models interpret instructions, causing systems to leak data or perform unintended actions. High-profile examples included zero-click data leaks in Microsoft 365 Copilot from specially crafted emails and attacks manipulating Google Gemini via calendar invites. AI coding assistants were also tricked into suggesting harmful code.

Social engineering focused on help desks and outsourcing providers proved highly effective. Threat groups like Scattered Spider and Luna Moth impersonated employees or IT support to trick service desks into bypassing security controls and granting account access. These tactics facilitated major breaches at companies like Cognizant, leading to a $380 million lawsuit, and enabled ransomware attacks at retailers including Marks & Spencer.

Insider threats caused extensive damage through both malicious intent and negligence. Incidents ranged from a former Coinbase agent allegedly aiding hackers to a CrowdStrike insider feeding information to threat actors. In the financial sector, an employee sold credentials for $920, which were later used in a $140 million bank heist. Disgruntled former employees also posed risks, with one developer receiving a prison sentence for creating a system “kill switch.”

While not cyber attacks, massive IT outages at major cloud providers demonstrated critical dependencies in global infrastructure. Widespread service disruptions at platforms like Cloudflare and Salesforce highlighted the fragility of interconnected digital ecosystems and their impact on global commerce.

Salesforce became a major data theft vector as attackers targeted the platform through compromised accounts and third-party services. The ShinyHunters gang was particularly active, breaching connected services like Salesloft Drift to steal OAuth tokens and access customer data across numerous high-profile companies including Google, Cisco, and Chanel.

Zero-day exploitation remained a preferred initial access method, with network edge devices like firewalls and VPNs being prime targets. Flaws in products from Cisco, Fortinet, Ivanti, and Microsoft SharePoint were actively exploited for espionage and ransomware. Consumer tools like 7-Zip and WinRAR also had zero-days exploited in phishing campaigns to bypass security.

Artificial intelligence became a operational tool for attackers, moving beyond experimentation. Threat actors used large language models to write malware, automate reconnaissance, and speed up vulnerability exploitation. Criminals released specialized LLMs like WormGPT 4 without safeguards, while real-world attacks used AI to create adaptive malware and tools like HexStrike to rapidly weaponize known vulnerabilities.

(Source: Bleeping Computer)