2025's Cybercrime Half-Time Report
Ransomware: Key Bad Actors and Trends
Most Active Groups: The Cl0p and RansomHub ransomware operations have dominated the first half of 2025, each posting hundreds of victim listings on their leak sites (rapid7.com & trustwave.com). Both groups employ double extortion: they encrypt victims’ files and also steal data, threatening to leak it in order to pressure victims into paying.
New Entrants: Several new ransomware groups emerged, aiming at small and mid-sized businesses. Notably, a group dubbed “J Group” and another called “IMN Crew” began naming victims on leak sites in early 2025 (cyfirma.com). These newcomers typically engage in data theft and encryption similar to their larger counterparts, indicating that the ransomware ecosystem continues to fragment and expand with fresh actors.
Initial Access Brokers: The role of Initial Access Brokers (IABs) has grown in ransomware campaigns. IABs are hackers who breach organizations and then sell network access (VPN credentials, RDP logins, web shell access, etc.) to ransomware affiliates. By purchasing ready-made access, ransomware gangs can accelerate the speed and scale of attacks. IABs often exploit known vulnerabilities in Remote Desktop Protocol (RDP), VPN appliances, or other internet-facing applications to infiltrate networks. In some cases, they even leverage zero-day exploits to compromise targets. This outsourcing of the “break-in” phase enables ransomware operators to focus on deploying malware and extortion, thereby significantly increasing the volume of attacks (securitymagazine.com).
Crackdown on Leaders: Law enforcement efforts have started to unmask key individuals behind ransomware rings. In May 2025, German police (BKA) publicly identified the elusive actor “Stern” – long suspected to be the leader of the TrickBot malware gang and its ransomware offshoot Conti – as Vitaly Nikolaevich Kovalev, a 36-year-old Russian national (bleepingcomputer.com). Kovalev (aka “Bentley”/“Stern”) is accused of founding TrickBot (aka Wizard Spider) and overseeing its evolution into Ryuk and Conti ransomware operations. Under his alleged leadership, these groups infected hundreds of thousands of systems worldwide and reaped hundreds of millions in illicit profits. While Kovalev remains at large in Russia, the exposure of his identity (and an Interpol red notice for his arrest) reflects growing international pressure on ransomware masterminds.
Major Data Leaks and Breaches
16 Billion Credentials Leak: An unprecedented 16 billion login credentials were reported exposed in what’s being called the largest breach in history. The trove, scattered across roughly 30 databases, includes usernames, passwords, and even session cookies for a who’s-who of online services (e.g. Facebook, Google, Apple, GitHub, Telegram, and government sites). Researchers note the data appears fresh (not just old recycled breaches) and likely originates from extensive info-stealer malware operations that have been siphoning passwords and account tokens from millions of infected devices. The exposure of such a vast quantity of valid credentials is an alarming “blueprint for mass exploitation,” enabling credential-stuffing attacks, account takeovers, identity theft, and highly targeted phishing at a massive scale (cybernews.com).
Other Major Breaches in 2025: The year has seen a string of significant breaches across industries:
TeleMessage (May 2025): TeleMessage, an encrypted communications app used by various U.S. government officials (notably even spotted in the hands of a former White House national security advisor), was breached by a hacker who exploited an insecure API endpoint. In just 15–20 minutes, the hacker extracted a memory dump containing plaintext credentials of users (including some with U.S. government email addresses) and clear-text chat logs from the system (wired.com). Dozens of government employees had some of their messages intercepted (reuters.com). The incident revealed serious flaws in a supposedly secure messaging service, such as weak client-side hashing and an exposed heap dump, and prompted an FBI investigation due to potential national security implications. (Service was temporarily halted, and U.S. agencies were alerted about the compromise of accounts and communications.)
Western Sydney University (Apr 2025): This Australian university suffered multiple breaches. One, discovered in early 2025, involved a compromised single sign-on system that exposed 10,000+ students’ data (demographic info, enrollment records, etc.) (bleepingcomputer.com). In a separate incident, hackers had leaked some university data on the dark web months prior. WSU’s case highlights the education sector’s continued struggles with securing student and staff data, and how insider threats or former students can sometimes be involved (in WSU’s case, police later charged a former student for a series of intrusions) (abc.net.au & westernsydney.edu.au).
Mars Hydro (Feb 2025): In one of the largest IoT-related breaches on record, Chinese smart farming company Mars Hydro exposed a misconfigured cloud database containing 2.7 billion records (about 1.17 TB of data) (msspalert.com). The leak included sensitive details from IoT devices worldwide: Wi‑Fi network names and passwords, device IDs, IP addresses, email addresses, and extensive logs and error reports. Essentially, anyone could query this data trove to potentially pinpoint and access smart grow equipment or networks. Mars Hydro quickly secured the database once notified, but the incident underscores IoT vendors’ often lax cloud security and how a single open database can expose billions of datapoints.
Zapier (Feb 2025): Popular automation service Zapier disclosed that an “unauthorized user” accessed some of its internal code repositories and, in doing so, may have grabbed customer information that was inadvertently stored in those repos (theverge.com). The breach occurred via a 2FA misconfiguration on an employee’s account, allowing the attacker to bypass authentication. Zapier’s investigation found that certain user data (potentially connection credentials or tokens used in Zapier integrations) had been copied into logs for debugging and ended up in the compromised repositories. While no production systems were directly affected, this case is a reminder that development infrastructure leaks can expose live sensitive data. Zapier notified impacted customers to rotate any exposed credentials.
Supply Chain Attacks on the Rise
Sharp Increase in Supply Chain Incidents: The first half of 2025 saw a significant surge in software and IT supply chain attacks. Threat intelligence tracking shows that these attacks nearly doubled in frequency compared to the previous year. The monthly average of supply-chain related cyberattacks jumped from roughly 13 per month in early 2024 to about 25 per month by April–May 2025 (thecyberexpress.com). This represents a near-doubling of supply chain attacks year-over-year, indicating that adversaries are increasingly exploiting trust relationships between organizations and their third-party providers or software dependencies.
Cross-Industry Impact: Supply chain attacks are affecting virtually every sector. Of the 79 documented supply chain attacks in Jan–May 2025, a full 22 of 24 industry sectors had at least one incident. That is, only the Mining and Real Estate sectors were untouched – everyone else (from tech and finance to healthcare, manufacturing, government, etc.) saw some supply-chain compromise. Notably, about 63% of these incidents targeted companies in the IT, technology, or telecom sectors. The reason: by breaching a tech provider, attackers can pivot to its clients downstream. Threat actors know that a single successful hack on a widely used IT service or software can multiply to dozens or hundreds of end victims. (A vivid example was the Cl0p ransomware’s exploitation of a file-transfer appliance vulnerability – the MOVEit Transfer zero-day – which compromised hundreds of organizations through one software supply chain hole (thecyberexpress.com).)
Attack Methods: These supply chain intrusions often involve exploiting vulnerabilities in software updates, third-party platforms, or managed service providers. Attackers insert malicious code or backdoors into products that enterprises trust, or they gain access to a vendor’s network to reach clients. For instance, breaches of software repositories or build systems can allow hackers to propagate malware to all users of a popular library or application. Others involve compromising MSPs/cloud providers to abuse their privileged connectivity into customer networks. In several 2025 cases, open-source libraries were poisoned with malware, and cloud service integrators were targeted as a way to indirectly breach multiple businesses. The common theme is abusing the inherent trust and access that supply chain relationships entail. Even initial access brokers have started selling supply chain access – e.g. access to a software maker’s environment – knowing it can be a gateway to many companies.
Geographic Spread: Supply chain attacks in H1 2025 were a global problem, but some regions saw more activity. About 39% of incidents (31 of 79) had targets in the United States, making the U.S. the top country impacted (likely due to its large number of high-value companies and extensive IT vendor networks). Europe was hit by roughly 27 attacks, with France leading European countries (10 incidents) as a notable hotspot. The Asia-Pacific region saw ~26 supply chain attacks, with India (9 incidents) and Taiwan (4) being significant targets in that region. Additionally, at least 10 incidents affected the Middle East/Africa, including several in the UAE and Israel. These numbers show that while no region is immune, adversaries often focus on countries with advanced industries and tech ecosystems – and that includes Western economies as well as emerging tech hubs in Asia.
AI in Cybercrime: A Double-Edged Sword
AI-Powered Threats: Cybercriminals are increasingly leveraging artificial intelligence (AI) to enhance their attacks. One major use is automating and turbocharging social engineering. AI language models can generate fluent, highly personalized phishing emails or chat messages at scale, far more convincingly than generic spam. Attackers feed in stolen personal info (from the billions of leaked credentials) to have AI craft bespoke phishing lures that mimic an individual’s writing style or a company’s communications, making them much more likely to trick users (cybersecuritynews.com).
We’re also seeing AI used to create “deepfake” content – e.g. realistic fake audio or video. In 2025, there have been cases of fraudsters using AI-generated voice clips of CEOs to authorize bogus fund transfers, or deepfake videos in which an executive’s likeness on a video call instructs employees to divulge passwords. Such executive impersonation via deepfakes has emerged as a serious threat, as even savvy employees can be fooled by what looks and sounds like a legitimate superior. The scale of this problem is quickly growing: one report noted a staggering 1,740% surge in deepfake-related fraud cases in North America from 2022 to 2023 (lloydsadd.com), and the trend continues upward in 2025.
Malware That Adapts: AI is also being weaponized to create polymorphic malware – malicious code that continually changes itself to evade detection. Malware developers use machine learning to automate the mutation of their code’s signatures and behaviors. For example, an AI-driven malware can rewrite parts of its own code or use different encryption keys each time it runs, so that antivirus software can’t recognize a consistent pattern. Some advanced strains even employ AI to observe their environment and only execute malicious actions when they won’t be noticed (e.g. when the user or system is idle) (cybersecuritynews.com). By dynamically adjusting to defenses, such AI-enhanced malware can slip past traditional static security tools and even some behavior-based models. Security researchers have observed proof-of-concept malware that uses AI algorithms to decide when to strike and how to slightly alter payloads, frustrating investigators. This cat-and-mouse game is escalating as defensive tools also start incorporating AI to detect anomalies.
Surge in AI-Crime Tools: On underground forums, there’s been an explosion of interest and offerings related to malicious AI. One cybersecurity study in early 2025 reported a 200% increase in the development and sale of AI-driven hacking tools on the dark web (cybersecuritynews.com). These range from AI bots that can churn out malware code or vulnerability exploits, to “jailbreak” scripts that enable misuse of legitimate AI services (like tricking ChatGPT into generating disallowed content). Discussions about bypassing AI content filters (e.g. to produce phishing or hate speech) have spiked by over 50% on certain hacker forums. In short, the barrier to entry for cybercrime is being lowered further by AI-as-a-service. Less skilled threat actors can now use ready-made AI tools to amplify their attacks – for instance, using an AI bot to automatically scan for known vulnerabilities 24/7 or scrape social media for spear-phishing intel. This democratization of AI capabilities is a force multiplier for cybercrime, and it’s keeping defenders on their toes.
AI for Defense – and New Challenges: On the flip side, cybersecurity teams are adopting AI for threat detection and response – such as AI systems that can analyze network traffic for anomalies or quickly score alerts. This dual role of AI (both a weapon for attackers and a shield for defenders) is now a defining factor in cyber operations (sans.org). However, it comes with complexities. There are growing concerns that upcoming AI regulations (focused on data privacy, algorithmic transparency, etc.) might inadvertently hinder defensive security measures. For example, stricter rules on data usage could limit how much data a security AI is allowed to ingest or share, potentially blinding some threat monitoring tools. Defenders are thus in a tricky spot: they need to leverage AI to keep up with AI-empowered attackers, yet ensure they do so in a compliant and ethical manner. The consensus is that organizations should invest in “responsible AI” strategies – using AI for cybersecurity in ways that respect privacy and legal norms, while also lobbying for clarity in laws so that defense isn’t hamstrung. In summary, AI is transforming the threat landscape on both sides, and staying ahead will require creativity, vigilance, and careful governance from security leaders.
Emerging Attack Techniques in 2025
The evolving threat landscape has given rise to several new attack techniques and trends that were not prominent just a couple of years ago. Here are some of the most dangerous emerging tactics seen in 2025:
Authorization Sprawl Abuse: As companies move to the cloud, many have accumulated authorization sprawl – an overabundance of user permissions and single sign-on tokens across cloud and SaaS apps. Attackers are now exploiting this by using stolen legitimate credentials and OAuth tokens to pivot through cloud services at will. Instead of relying on malware, an intruder who snatches an employee’s authenticated session (for example, via phishing an SSO token) can access a wide array of services (email, document storage, support ticket systems, devops platforms, etc.) because those services trust the SSO. This technique lets attackers move laterally within an organization’s cloud environment while largely blending in with normal user behavior. Cases like the 2024–2025 Scattered Spider attacks on MGM and others showed this in action – the hackers logged in with valid credentials and escalated privileges by leveraging misconfigured Identity and Access Management (IAM) settings (techtarget.com). With excessive cloud permissions, attackers can find one weak account and use it to jump between dozens of interconnected systems (often without setting off alarms since they use authorized pathways). To counter this, organizations are urged to tighten IAM practices: enforce least privilege, weed out unused or overlapping rights, and improve logging of user activities in cloud apps.
ICS Ransomware & Automation Attacks: Industrial Control Systems (ICS) and Operational Technology networks – the systems that run factories, power grids, pipelines, etc. – have become prime targets for ransomware and destructive attacks. In 2025, experts warned of ransomware actors deliberately targeting ICS environments, where the stakes are high and downtime can be extremely costly. A worrying twist is that automation in ICS, which is meant to improve efficiency and safety, can backfire during an attack. Highly automated industrial processes often lack manual fallback options; if ransomware encrypts crucial PLCs or HMIs (interfaces that operators use), it’s not as simple as reverting to pen-and-paper – operations may grind to a halt. We’ve seen attacks on manufacturing and utility companies where recovering systems took weeks, partly because automated control left few manual overrides (techtarget.com). Additionally, some ransomware has started to deliberately target control system software and not just IT data. Organizations with OT systems are advised to bridge the IT-OT gap in security monitoring, test incident response with scenarios assuming loss of control systems, and maintain offline backups of configuration data and even manual operating procedures (sans.org). In essence, digital transformation introduced fragility – and attackers know it.
Destructive Attacks (Beyond Ransomware): An alarming trend is the rise of attacks aimed not at extortion but at causing physical and irreversible damage. Officials and researchers have noted that certain adversaries (particularly nation-state or advanced threat groups) are probing industrial systems’ safety controls – the very mechanisms meant to prevent dangerous conditions – with the intent to disable or manipulate them. An example would be malware that alters the setpoints on a chemical plant’s safety system to create an unsafe state, or that sabotages emergency shutdown systems. These destructive ICS attacks go further than typical ransomware: instead of just encrypting data for money, they seek to trigger real-world impacts (power outages, equipment breakdowns, and even endangering lives). We have seen precursors in attacks like Triton/Trisis (which targeted oil refinery safety systems in 2017) and, more recently, hints of state-aligned groups developing malware for electric grids. In the first half of 2025, no publicly confirmed catastrophic attack occurred, but the intent and attempts have been observed (sans.org). This trend expands the definition of “cybersecurity” to include safeguarding physical processes. Defenders in critical infrastructure must not only guard data, but also ensure that emergency controls, fail-safes, and safety instrumented systems are secure and can’t be maliciously altered.
Zero-Day Exploitation for Initial Access: Cybercriminals are increasingly willing to find or buy zero-day exploits to breach targets. Traditionally, nation-states were the predominant users of zero-days, but 2024–2025 has shown more ransomware gangs investing their profits to obtain zero-day vulnerabilities in common enterprise software. For instance, leaked chats from the Black Basta gang revealed they were offered an exploit for an Ivanti VPN zero-day at $200,000 and were actively in the market for unpatched flaws (rapid7.com). Likewise, the Cl0p group’s massive breach spree via the MOVEit Transfer zero-day in 2023 underscored how a single unknown bug can be a goldmine for criminals. Initial Access Brokers also use zero-days as a quick route into well-defended networks, which they can then sell.
The window of exposure for organizations is essentially the time between a zero-day’s exploitation in the wild and when a patch or mitigation is applied – during that gap, attackers face minimal resistance. This has put pressure on vendors to accelerate patch development and on companies to improve their zero-day detection (through anomaly-based intrusion detection) and response plans. It’s a reminder that even fully up-to-date systems can be compromised, so defense in depth and monitoring for unusual activity remain critical.
“Vanishing” Evidence and Anti-Forensics: Emerging as a side effect of the trends above, modern attackers are getting better at covering their tracks, which complicates incident response. Techniques such as log poisoning or deletion, timestamp manipulation, and running malware in memory (fileless attacks) mean that digital forensics teams often find far fewer traces of an intrusion than before. Some advanced malware will wipe system logs or disable monitoring agents upon entry. Others use living-off-the-land tactics (using legitimate admin tools) that leave minimal malicious footprints. In cloud environments, attackers who compromise API keys can sometimes do damage without triggering the kind of detailed auditing that on-prem systems might have. All of this leads to “vanishing evidence,” where incident responders in 2025 frequently encounter intrusions that are hard to reconstruct because key artifacts are encrypted or erased. This isn’t a single attack type but rather an evolution in attack tradecraft. The implication is that organizations should improve real-time detection and durable logging (e.g., sending logs to an immutable storage or a third-party SIEM that attackers can’t reach) and adopt forensic-ready practices. Assuming that any given compromise may try to self-destruct its evidence, companies might invest in endpoint detection tools that capture behaviors in memory or use deception technologies (honeypots) that can record attacker actions in a controlled environment. This trend forces a shift in incident response: responders must be prepared to investigate with partial information and leverage threat intel to fill gaps.
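One concrete form of the “forensic-ready” logging recommended above is a hash-chained audit log: every entry’s hash covers the previous entry’s hash, so an attacker who edits or deletes an earlier record breaks the chain, and truncating the tail is caught as long as the latest hash was anchored somewhere the attacker cannot reach. The code below is an added illustration written for this report, not code from any cited source; the log events are constructed, and the “anchor” stands in for the off-host immutable store or SIEM, which is an assumption of the example.

```python
"""Tamper-evident audit log built as a SHA-256 hash chain.

Detects: modified entries, deleted entries, and (given an off-host anchor
of the latest hash) a truncated tail. All records are constructed samples.
"""
import hashlib
import json
from typing import Optional

GENESIS = "0" * 64  # hash "before" the first entry


def _entry_hash(prev_hash: str, record: dict) -> str:
    # Canonical JSON so the same record always hashes identically.
    payload = prev_hash + "\n" + json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


def append(chain: list, record: dict) -> str:
    """Append a record and return its hash (the new chain head)."""
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append({"record": record, "hash": _entry_hash(prev, record)})
    return chain[-1]["hash"]


def verify(chain: list, anchor: Optional[str] = None):
    """Return (True, None) if intact, else (False, index of first bad entry).
    If `anchor` (the last hash previously shipped off-host) is given, a chain
    that is internally consistent but shorter than anchored is reported with
    index == len(chain)."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if _entry_hash(prev, entry["record"]) != entry["hash"]:
            return False, i
        prev = entry["hash"]
    if anchor is not None and prev != anchor:
        return False, len(chain)
    return True, None


def build_sample_chain() -> list:
    # Constructed events of the kind an intruder would want to erase.
    events = [
        {"ts": "2025-06-20T10:00:00Z", "event": "logon", "user": "svc-backup", "src": "203.0.113.5"},
        {"ts": "2025-06-20T10:00:40Z", "event": "new_admin", "user": "svc-backup"},
        {"ts": "2025-06-20T10:01:10Z", "event": "agent_stopped", "host": "web-01"},
        {"ts": "2025-06-20T10:02:00Z", "event": "log_cleared", "host": "web-01"},
    ]
    chain: list = []
    for e in events:
        append(chain, e)
    return chain


def demo() -> dict:
    """Run the three tampering cases and return the verify() results."""
    chain = build_sample_chain()
    anchor = chain[-1]["hash"]  # assumed to have been shipped off-host at write time

    # Case 1: an earlier record is edited in place (hash left as-is).
    edited = [dict(e) for e in chain]
    edited[1] = {"record": dict(edited[1]["record"], event="logon"), "hash": edited[1]["hash"]}
    # Case 2: the "agent_stopped" entry is removed from the middle.
    deleted = chain[:2] + chain[3:]
    # Case 3: only the newest entry is removed (tail truncation).
    truncated = chain[:3]

    return {
        "intact": verify(chain, anchor),
        "edited": verify(edited, anchor),
        "deleted": verify(deleted, anchor),
        "truncated_no_anchor": verify(truncated),       # chain alone cannot see this
        "truncated_with_anchor": verify(truncated, anchor),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The “truncated_no_anchor” case is the important caveat: a hash chain alone proves nothing about entries that were never written or were cut from the end, which is why the head hash must leave the host promptly.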
Key Takeaways
The period January through July 2025 has underscored a cyber threat landscape that is escalating in both scale and sophistication. A few high-level conclusions can be drawn:
Ransomware Remains King, but Evolving: Ransomware attacks grew in number and boldness. Established gangs like Cl0p and newcomers like RansomHub carried out hacks of unprecedented scope, aided by an underground economy of specialists (brokers selling network access, developers selling exploits, money launderers, etc.) (securitymagazine.com & rapid7.com). Double extortion has become the norm, and ransom demands (and payouts) have continued to rise for big targets. Law enforcement crackdowns, such as identifying Conti’s leader, show some progress, yet the ransomware-as-a-service model has proven resilient – when one group falls, affiliates splinter off and rebrand. Organizations must therefore remain on high alert, practice rigorous patching (especially for VPNs and other common entry points), enforce least-privilege access, and have tested incident response plans including data restoration and leak response.
Data Breaches Exposing Massive Data: The first half of 2025 saw massive data leakage incidents – not only corporate breaches like Sony or Sabre, but aggregate leaks like the 16 billion credentials dump (cybernews.com). The availability of billions of fresh usernames and passwords (many with accompanying cookies or MFA tokens) is a boon for cybercriminals and a bane for security teams. It means that password reuse is more dangerous than ever – chances are, many users’ login combos are already compromised. The immediate takeaway is the importance of strong authentication practices: organizations and individuals must use multi-factor authentication (MFA) wherever possible (rendering a stolen password alone insufficient), and adopt password managers/passphrases to avoid reuse. The breach epidemic also emphasizes having processes to rapidly ingest threat intelligence (like leaked credential lists) to see if your organization’s emails or accounts appear, so proactive password resets can be done. Encryption of sensitive data at rest, network segmentation, and “zero trust” principles can limit damage when intrusions occur, but given the sheer volume of data out there, monitoring for misuse (such as credential stuffing attacks against your users) is equally critical.
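The paragraph above ends on monitoring for credential stuffing against your own users. The following is an added example, written for this report rather than taken from any cited source, of the detection logic involved: a stuffing source tries many different usernames from one address with a high failure ratio (each leaked pair is tried once), which distinguishes it from a single user mistyping a password; any success from such a source is an account-takeover candidate. The log format and all log lines are constructed.

```python
"""Credential-stuffing detector over constructed authentication log lines."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format (constructed for this example):
#   <ISO-8601 UTC timestamp> src=<ip> user=<name> result=OK|FAIL
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample log. 203.0.113.0/24 is a documentation range.
# .5 sprays seven leaked usernames and lands one hit; .77 is one user
# mistyping a password twice and then logging in; .9 is a normal logon.
SAMPLE_LOG = """\
2025-06-20T10:00:01Z src=203.0.113.5 user=alice result=FAIL
2025-06-20T10:00:02Z src=203.0.113.5 user=bob result=FAIL
2025-06-20T10:00:03Z src=203.0.113.5 user=carol result=FAIL
2025-06-20T10:00:04Z src=203.0.113.5 user=dave result=OK
2025-06-20T10:00:05Z src=203.0.113.5 user=erin result=FAIL
2025-06-20T10:00:06Z src=203.0.113.5 user=frank result=FAIL
2025-06-20T10:00:07Z src=203.0.113.5 user=grace result=FAIL
2025-06-20T10:05:00Z src=203.0.113.77 user=heidi result=FAIL
2025-06-20T10:05:10Z src=203.0.113.77 user=heidi result=FAIL
2025-06-20T10:05:30Z src=203.0.113.77 user=heidi result=OK
2025-06-20T11:30:00Z src=203.0.113.9 user=ivan result=OK
"""


def parse_line(line: str):
    """Return (timestamp, src_ip, user, success) or None for unparseable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["src"], m["user"], m["result"] == "OK"


def detect_stuffing(log_text: str, window: timedelta = timedelta(minutes=10),
                    min_users: int = 5, min_fail_ratio: float = 0.7) -> dict:
    """Return {src_ip: {"users": n, "fail_ratio": r, "takeovers": [users]}} for
    every source that, within some sliding time window, tried at least
    `min_users` distinct usernames with a failure ratio >= `min_fail_ratio`.
    "takeovers" lists usernames that succeeded from a flagged source."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            by_src[rec[1]].append(rec)

    findings = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Advance `start` so events[start:end+1] spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            win = events[start:end + 1]
            users = {e[2] for e in win}
            ratio = sum(1 for e in win if not e[3]) / len(win)
            if len(users) >= min_users and ratio >= min_fail_ratio:
                prev = findings.get(src)
                # Keep the widest window seen for this source.
                if prev is None or len(users) > prev["users"]:
                    findings[src] = {
                        "users": len(users),
                        "fail_ratio": round(ratio, 2),
                        "takeovers": sorted({e[2] for e in win if e[3]}),
                    }
    return findings


if __name__ == "__main__":
    for src, info in detect_stuffing(SAMPLE_LOG).items():
        print(f"{src}: {info}")
```

Tune `min_users` and `window` to your own baseline; the thresholds here are illustrative, and a low-and-slow campaign spread across many source addresses needs the complementary view of one username being tried from many sources.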
Supply Chain and Third-Party Risk is Critical: Nearly every industry learned in this period that it can be collateral damage from an attack on someone else. Supply chain attacks almost doubled and hit tens of downstream victims in one go (thecyberexpress.com). Whether it was a compromised software update (as seen in past incidents like SolarWinds) or a hacked service provider (like a cloud CRM or an outsourced IT support firm), the blast radius of these attacks is wide. Businesses should reassess the risk posture of their vendors and partners: perform due diligence, demand certain security standards in contracts, and possibly limit the access that third parties have to their systems (so that if the third party is breached, your network isn’t wide open). Techniques like maintaining an up-to-date software bill of materials (SBOM) can help track if you’re using a component that suddenly is reported as compromised. Incident response plans should include scenarios where a critical supplier is hit – do you have an alternative, can you disconnect quickly, how do you communicate to customers if you’re indirectly affected? The surge in supply chain exploits is a wake-up call that your security also depends on others’ security.
AI: New Opportunities and Threats: The advent of widely available AI tools in 2025 has been a double-edged sword. On one hand, defenders are deploying AI for threat detection, user behavior analytics, and automating routine security tasks. On the other hand, attackers are weaponizing AI faster than many anticipated – using it to craft more convincing attacks and even to drive new attack types (like deepfakes) that were formerly niche (cybersecuritynews.com & lloydsadd.com). This dynamic will only intensify. Security teams should consider augmenting their capabilities with AI-driven solutions (while being mindful of false positives and ensuring human oversight). At the same time, user education must adapt: employees need to be aware that not all scams come via poorly written emails now – some may come via a very professional-sounding AI correspondence or a voice call that “sounds just like the CFO”. A culture of zero-trust verification for any unusual request can help mitigate AI-powered social engineering. Policies may need updating too, e.g., code of conduct for using generative AI at work (to prevent inadvertently leaking data to AI services, or to curb employees from trying illicit AI “jailbreaks”). In summary, AI will be integral to both cyber offense and defense; organizations that harness it wisely and guard against its malicious use will fare better in the coming years.
New Threats Demand Adaptation: Finally, the emergence of novel attack techniques – from cloud token abuse to ICS sabotage – means that what constituted a strong security posture a few years ago might not be sufficient now. Businesses should update their threat modeling: consider scenarios like “an attacker uses a helpdesk SaaS account to pivot into our cloud,” or “ransomware hits our factory floor control system,” or “someone deepfakes our CEO”. These may have seemed far-fetched before, but are quite real now. Mitigating these threats involves cross-disciplinary efforts: IT, OT engineers, fraud departments, and executive leadership all need to be in the loop for a holistic approach. Regulatory compliance is also tightening (data privacy, critical infrastructure mandates, etc.), so aligning security improvements with compliance can create win-wins (e.g., better logging helps forensics and satisfies regulators). Resilience is a key theme – assume breaches will happen and focus on limiting impact (through network segmentation, backups, incident response drills, and clear communication plans). The first half of 2025 has proven that cyber adversaries are innovative and unrelenting. To protect assets and stakeholders, organizations must be equally innovative in defense, proactive in risk management, and agile in response. The cybersecurity battle is increasingly one of speed, intelligence, and adaptability, and those qualities will define the winners in the years ahead.
Sources:
Rapid7 – “2025 Ransomware: Business is Booming” (Apr 2025) rapid7.com
Trustwave – “Key Ransomware Trends in 2025” (July 2025) trustwave.com
Cybernews – “16 Billion Passwords Exposed in Colossal Breach” (June 2025) cybernews.com
Wired – “How TeleMessage Got Hacked in 20 Minutes” (May 2025) wired.com
Reuters – “Hacker breached app used by U.S. officials” (May 2025) reuters.com
BleepingComputer – “Western Sydney University data leak” (Apr 2025) bleepingcomputer.com
MSSP Alert – “Mars Hydro IoT Breach (2.7B records)” (Feb 2025) msspalert.com
The Verge – “Zapier code repo breach” (Feb 2025) theverge.com
The Cyber Express – “Supply Chain Attacks Surged in Apr–May 2025” (June 2025) thecyberexpress.com
SecurityMagazine – “Initial Access Brokers fueling ransomware” (Apr 2025) securitymagazine.com
BleepingComputer – “Germany doxxes Conti/TrickBot leader (Stern)” (May 2025) bleepingcomputer.com
SANS Institute – “Top 5 New Attack Techniques – RSAC 2025 Keynote” (May 2025) sans.org
TechTarget – “Authorization Sprawl – Attacking Cloud Access” (June 2025) techtarget.com
CybersecurityNews – “Malicious AI Tools Spike 200%” (Mar 2025) cybersecuritynews.com
Lloyd’s Saddle – “AI-Driven Deepfake Scams in 2025” (2025) lloydsadd.com