2025 Cyber Year in Review: AI Attacks, Data Breaches & Takedowns
From React2Shell's perfect CVSS 10.0 score to the first autonomous AI cyberattack, 2025 pushed cybersecurity to its limits. This analysis covers the top 10 breaches, the most critical vulnerabilities, why the economics of ransomware are slowly collapsing, and the biggest law enforcement (LEA) operations against cybercriminals.
If 2024 was the year we started worrying more about AI in cybersecurity, 2025 was the year we watched it happen in real-time. Not in movies. Not in think-pieces. In actual attacks that moved faster than human response teams could process.
As we close the books on 2025, the numbers tell a story that's equal parts terrifying and inspiring. Ransomware attacks surged 34% year-over-year, but here's the twist: only 23% of victims paid ransoms in Q3 2025, down from 50% just two years ago. Attackers got louder. Victims got tougher. And somewhere in the middle, 80% of ransomware attacks started using artificial intelligence.
This wasn't just another year of "more breaches." This was the year the digital foundation of healthcare, telecommunications, and enterprise software faced coordinated, AI-accelerated attacks while law enforcement pulled off the most ambitious takedown operations in cybercrime history.
The Victim List: Top 10 Data Breaches of 2025
The scale of data exposure in 2025 shifted from "incident reports" to "existential threats." While we didn't see a single 10-billion-record mega-breach, we witnessed surgical strikes against infrastructure that millions depend on daily.
1. Chinese Surveillance Network (June 2025)
Discovered by security researcher Bob Diachenko and the Cybernews team, this was a catastrophic exposure of a 631-gigabyte database.
The Leak: Over 4 billion records were left completely unprotected on the public internet—no password, no encryption.
The Data: The database was a "surveillance-grade" collection. It included 805 million WeChat IDs, 780 million residential addresses, 630 million bank details, and 300 million Alipay records.
The Purpose: Researchers believe the database was a centralized hub used for "behavioral, economic, and social profiling" of nearly every Chinese citizen. Its origin remains anonymous, but the infrastructure was taken down immediately after discovery.
This remains the largest single-source data exposure in history.
2. Oracle Cloud Supply Chain Attack (March 2025)
This was a specialized strike on the "identity layer" of the internet. A threat actor known as "rose87168" targeted a critical vulnerability in Oracle's legacy Gen 1 infrastructure.
The Breach: The attacker exploited a Java deserialization flaw (CVE-2021-35587) in Oracle Access Manager. Despite being an older flaw, it allowed unauthenticated takeover of authentication servers.
The Impact: Approximately 6 million authentication records (SSO and LDAP) belonging to over 140,000 corporate tenants were exfiltrated.
The Result: Because this involved SSO keys and Java KeyStore (JKS) files, it was a "nightmare scenario" for supply chain security, potentially allowing the attacker to bypass login screens for thousands of other companies.
Oracle initially denied the breach, but multiple security firms confirmed it was real. CVE-2021-35587, the flaw allegedly exploited, is catalogued as an Oracle Fusion Middleware vulnerability (Oracle Access Manager is part of that product family).
3. Qantas Airlines (June 2025)
Australia's flagship carrier detected unusual activity on June 30, 2025, on a third-party platform used by its contact centers. The breach exposed personal data of up to 6 million customers, including names, email addresses, phone numbers, dates of birth, and frequent flyer information.
This incident proved that even the most robust internal security can be undone by a third-party vendor.
The Method: Attackers gained access to an offshore third-party customer service and call center platform used by the airline.
The Damage: The breach exposed the personal data of roughly 6 million customers.
The Data: Stolen records included full names, email addresses, phone numbers, and Frequent Flyer numbers. Qantas confirmed that highly sensitive data such as credit card and passport details was held in a separate, secure system, but the loyalty data was heavily weaponized for targeted phishing campaigns throughout the rest of the year.
4. Pornhub / Mixpanel Analytics Leak (December 2025)
In one of the most privacy-invasive breaches of the decade, a misconfiguration in the Mixpanel analytics integration exposed the data of 201 million users. The leak included usernames, email addresses, and detailed viewing habits. Because of the sensitive nature of the site, this breach led to widespread extortion attempts and "doxing" concerns across the globe.
5. Bybit Crypto Exchange (February 2025)
While lower in "record count," this was the largest cryptocurrency theft in history. The North Korean-linked Lazarus Group compromised a developer’s workstation at a third-party multisig provider. By manipulating the user interface, they tricked Bybit employees into signing a "routine" transfer that actually drained 401,000 ETH (worth roughly $1.5 billion at the time) into attacker-controlled wallets.
6. PowerSchool Education Breach (January 2025)
This was the year’s most significant hit to the education sector. A threat actor used a contractor's stolen credentials to infiltrate the PowerSchool ecosystem, exfiltrating the records of 62 million students and 10 million teachers. The stolen data included Social Security Numbers, home addresses, and even sensitive student health and disciplinary records.
7. Coupang "Super-App" Leak (November 2025)
The South Korean e-commerce giant Coupang suffered a massive breach affecting 33.7 million accounts. A flaw in the app's API allowed attackers to scrape full customer profiles, including detailed purchase histories and partial payment information. This incident forced a nationwide reset of digital authentication protocols in South Korea.
8. SK Telecom SIM Authentication Breach (April 2025)
In a rare and dangerous "network layer" attack, South Korea’s largest carrier admitted that 27 million USIM (SIM card) authentication records were stolen. This allowed sophisticated attackers to perform "SIM cloning" at scale, bypassing two-factor authentication (2FA) for bank accounts and personal emails for millions of users.
9. Aflac Insurance (December 2025)
Aflac confirmed a massive breach involving 22 million customers. The incident involved a direct hit on their policyholder database, exposing sensitive personal identifiers and insurance policy details. This was particularly damaging as it provided attackers with the exact "scripts" needed to commit insurance and medical fraud.
10. 700Credit / Credit Bureau Exposure (December 2025)
Rounding out the year, 700Credit—a major provider for the automotive industry—suffered a breach that exposed the Social Security Numbers (SSNs) of 5.6 million people. The data was pulled directly from credit reports, making it a high-value target for identity thieves looking to open fraudulent lines of credit in 2026.
Top 10 Biggest Data Breaches/Cyber Incidents of 2025

| Date | Entity | Records | Impact / Detail |
|---|---|---|---|
| June 2025 | Chinese Surveillance | 4 Billion | Surveillance dossiers (WeChat/Alipay) exposed. |
| Dec 2025 | Pornhub/Mixpanel | 201 Million | Massive privacy breach of viewing habits and PII. |
| Jan 2025 | PowerSchool | 72 Million | Stolen student health and disciplinary records. |
| Nov 2025 | Coupang | 33.7 Million | Full e-commerce profiles and purchase histories. |
| April 2025 | SK Telecom | 27 Million | SIM-cloning risk via stolen USIM auth keys. |
| Dec 2025 | Aflac Insurance | 22 Million | Sensitive medical and insurance policy details. |
| Oct 2025 | Prosper Fintech | 17 Million | PII and loan data leaked via misconfigured bucket. |
| March 2025 | Oracle Cloud | 6 Million+ | Supply chain attack on identity/SSO infrastructure. |
| June 2025 | Qantas Airlines | 6 Million | Third-party vendor breach of loyalty member data. |
| Dec 2025 | 700Credit | 5.6 Million | Mass theft of SSNs from credit reporting systems. |
The Vulnerability Battlefield: Top 10 Critical CVEs of 2025
More than 23,600 vulnerabilities were published in the first half of 2025 alone, a 16% increase over 2024. But volume isn't the story—it's the velocity of exploitation. For the fifth year running, exploits remained the top initial infection vector, initiating 33% of all successful intrusions.
In 2024, the average time from vulnerability disclosure to exploitation was measured in weeks. In 2025, it was measured in hours.
1. CVE-2025-55182 – React2Shell (CVSS 10.0)
The most critical vulnerability of 2025. React2Shell affected React Server Components (RSC) in React 19 and popular frameworks like Next.js, opening the door to unauthenticated remote code execution with nothing more than a single crafted HTTP request.
Disclosed in early December, this became the single most critical application-layer event of the year. Within 24 hours of disclosure, threat intel firms observed massive scanning from China-nexus groups and botnets targeting millions of exposed Next.js applications.
The Problem: Certain malformed payloads were not handled safely during deserialization, allowing attackers to influence how the server processed component data and ultimately execute arbitrary JavaScript.
Why it's still dangerous: Unlike a vendor appliance you can patch in one place, this requires rebuilding and redeploying your own web applications. Many organizations don't even know they're running vulnerable Next.js versions embedded in third-party tools.
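Finding every copy of the affected packages is the first step of that rebuild. The following is an added Python example, not code from the React or Next.js projects: it walks a constructed package-lock.json and reports each installed copy of the RSC-related packages, including copies nested under third-party dependencies. The FIXED_VERSIONS thresholds are placeholders to be filled from the advisory for your stack.

```python
"""Inventory React Server Components packages in a package-lock.json, including
copies nested inside third-party dependencies (the "embedded in other tools" case).

Added example, not React/Next.js project code. The lockfile is constructed and
FIXED_VERSIONS holds PLACEHOLDER thresholds: replace them with the first fixed
versions named in the React2Shell advisory for your stack.
"""
import json
import re

# Packages whose installed version matters when assessing React2Shell exposure.
WATCHED = ("react", "react-dom", "next", "react-server-dom-webpack")

# PLACEHOLDER first-fixed versions (assumption, not taken from the article).
FIXED_VERSIONS = {pkg: "0.0.0-PLACEHOLDER" for pkg in WATCHED}

# Constructed lockfile (lockfileVersion 3 layout): one top-level Next.js plus an
# older copy bundled under a third-party widget.
SAMPLE_LOCKFILE = json.dumps({
    "name": "shop-frontend", "lockfileVersion": 3,
    "packages": {
        "": {"name": "shop-frontend", "version": "1.0.0"},
        "node_modules/react": {"version": "19.1.0"},
        "node_modules/react-dom": {"version": "19.1.0"},
        "node_modules/next": {"version": "15.3.0"},
        "node_modules/some-admin-widget": {"version": "2.4.1"},
        "node_modules/some-admin-widget/node_modules/next": {"version": "14.2.3"},
        "node_modules/lodash": {"version": "4.17.21"},
    },
})

def parse_version(v):
    """Turn '19.1.0-canary.3' into a comparable tuple; a prerelease sorts below its release."""
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)(?:-(.+))?", v)
    if not m:
        raise ValueError(f"unparseable version: {v}")
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch), 0 if pre else 1, pre or "")

def inventory(lockfile_text, fixed=FIXED_VERSIONS):
    """Return one record per installed copy of a watched package.

    needs_review is True when the copy is older than the known fix, or when no
    usable fixed version is configured (unknown status must not read as safe)."""
    lock = json.loads(lockfile_text)
    records = []
    for path, meta in lock.get("packages", {}).items():
        if not path:
            continue  # the root project entry
        name = path.rsplit("node_modules/", 1)[-1]
        if name not in WATCHED:
            continue
        # Everything before the final node_modules/<name> is the dependency that bundles it.
        embedded_in = path[: -len("node_modules/" + name)].rstrip("/") or None
        version = meta.get("version", "")
        fixed_version = fixed.get(name)
        older_than_fix = None
        if fixed_version and "PLACEHOLDER" not in fixed_version:
            older_than_fix = parse_version(version) < parse_version(fixed_version)
        records.append({
            "package": name, "version": version, "path": path,
            "embedded_in": embedded_in,
            "needs_review": older_than_fix is None or older_than_fix,
        })
    return records

if __name__ == "__main__":
    for rec in inventory(SAMPLE_LOCKFILE):
        where = f" (bundled by {rec['embedded_in']})" if rec["embedded_in"] else ""
        print(f"{rec['package']} {rec['version']}{where}: needs review = {rec['needs_review']}")
```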
2. CVE-2025-64446 – Fortinet FortiWeb Authentication Bypass (CVSS 9.8)
The flaw surfaced in early October 2025 after researchers began observing suspicious traffic targeting Fortinet FortiWeb appliances. By October 6, honeypot data showed active exploitation attempts using crafted POST requests designed to bypass authentication and create new administrator accounts.
The vulnerability allowed attackers to abuse encoded paths under /api/v2.0/ to reach an internal CGI handler that trusted client-supplied identity data. An unauthenticated attacker could add a persistent admin account in a single request.
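Encoded-path abuse of this kind leaves a recognisable trace in web access logs: the raw path contains percent-encoding and decodes to something that escapes the API prefix. The detection below is an added Python example, not Fortinet's code or a vendor signature; the log lines are constructed in common NCSA format and the CGI handler name is a placeholder.

```python
"""Flag requests under /api/v2.0/ whose percent-encoding hides a path that
escapes the API prefix (single- or double-encoded traversal).

Added illustration, not Fortinet's code or a vendor detection rule. The access
log is constructed; "PLACEHOLDER-cgi" stands in for any internal handler name.
"""
import posixpath
import re
from urllib.parse import unquote

# Constructed access-log lines: one benign API call, two encoded attempts, one static asset.
SAMPLE_LOG = """\
203.0.113.10 - - [06/Oct/2025:10:01:12 +0000] "GET /api/v2.0/system/status HTTP/1.1" 200 512
203.0.113.11 - - [06/Oct/2025:10:01:15 +0000] "POST /api/v2.0/%2e%2e/PLACEHOLDER-cgi HTTP/1.1" 200 87
203.0.113.12 - - [06/Oct/2025:10:01:19 +0000] "POST /api/v2.0/%252e%252e/PLACEHOLDER-cgi HTTP/1.1" 200 87
198.51.100.7 - - [06/Oct/2025:10:02:44 +0000] "GET /static/app.js HTTP/1.1" 200 9000
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
API_PREFIX = "/api/v2.0/"

def analyze_path(raw_path):
    """Return the reasons a raw request path looks like encoded-path abuse ([] if none)."""
    reasons = []
    query_free = raw_path.split("?", 1)[0]
    once = unquote(query_free)   # what a single decode yields
    twice = unquote(once)        # a second decode exposes double-encoding (%252e -> %2e -> .)
    if not any(p.startswith(API_PREFIX) for p in (query_free, once, twice)):
        return reasons           # only the API surface is in scope here
    if "%" in query_free:
        reasons.append("percent-encoded characters in API path")
    if twice != once:
        reasons.append("double-encoded path segment")
    if ".." in twice.split("/"):
        reasons.append("traversal ('..') after decoding")
    normalized = posixpath.normpath(twice)
    if not (normalized.startswith(API_PREFIX) or normalized == API_PREFIX.rstrip("/")):
        reasons.append(f"decoded path escapes {API_PREFIX}: {normalized}")
    return reasons

def find_suspicious_requests(log_text):
    """Parse NCSA-style lines and return a finding per request with at least one reason."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = analyze_path(m["path"])
        if reasons:
            findings.append({"ip": m["ip"], "method": m["method"], "path": m["path"],
                             "status": int(m["status"]), "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in find_suspicious_requests(SAMPLE_LOG):
        print(f["ip"], f["method"], f["path"], "->", "; ".join(f["reasons"]))
```

A 200 status on a flagged request, followed shortly by a new administrator account in the appliance's own audit trail, is the combination worth paging on.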
3. CVE-2025-53770 – Microsoft SharePoint "ToolShell" (CVSS 9.8)
The SharePoint vulnerability chain, dubbed "ToolShell," is among the most dangerous enterprise attacks discovered in 2025. CVE-2025-53770 is a critical unauthenticated remote code execution flaw affecting on-premises Microsoft SharePoint Server 2016, 2019, and Subscription Edition.
On July 19-20, 2025, CISA confirmed active exploitation of this vulnerability, with confirmed victims including government agencies and financial institutions.
4. CVE-2025-61882 – Oracle E-Business Suite BI Publisher RCE (CVSS 9.8)
CVE-2025-61882 became the front door for one of 2025's most aggressive extortion waves. The flaw hit Oracle E-Business Suite's BI Publisher Integration and allowed pre-auth remote code execution over HTTP. If an EBS instance was exposed, an attacker could run code on it without logging in.
On October 4, 2025, Oracle issued an emergency advisory with patch guidance. Around the same period, Cl0p-linked activity intensified, using compromised email accounts to send data-theft extortion messages.
5. CVE-2025-32463 – Sudo chroot Privilege Escalation (CVSS 9.3)
Disclosed on June 30, 2025, this vulnerability allows local low-privileged users to escalate to root by manipulating configuration files when sudo is invoked with the --chroot (-R) option.
CVE-2025-32463 was added to CISA's KEV catalog in July 2025. The vulnerability impacts critical infrastructure, cloud environments, and enterprise systems globally.
6. CVE-2025-5777 – Citrix NetScaler "CitrixBleed 2" (CVSS 9.3)
Dubbed "CitrixBleed 2" because of its similarities to the 2023 CitrixBleed vulnerability, this is a critical out-of-bounds read in Citrix NetScaler ADC and Gateway. It was disclosed on June 17, 2025, and added to CISA's KEV catalog on July 11 with an unprecedented 24-hour patching deadline.
Exploitation started as far back as mid-June 2025, with one of the IP addresses linked to RansomHub ransomware activity.
7. CVE-2025-20333 and CVE-2025-20362 – Cisco ASA/FTD VPN Web Server (CVSS 9.9)
CVE-2025-20333, with a CVSS score of 9.9, is a buffer overflow in the VPN web server component that allows authenticated attackers to execute arbitrary code as root. CVE-2025-20362 is a missing-authorization vulnerability that lets unauthenticated attackers reach restricted URL endpoints; chained, the pair removes the authentication requirement.
CISA issued Emergency Directive 25-03 on September 25, 2025, confirming active exploitation and widespread scanning. The agency attributed exploitation to the same threat actor behind ArcaneDoor (UAT4356), a state-sponsored espionage campaign first observed in 2024.
8. CVE-2025-9242 – WatchGuard Fireware Buffer Overflow (CVSS 9.3)
Disclosed on September 17, 2025, and added to CISA's KEV catalog on November 12, 2025, this vulnerability allows remote unauthenticated attackers to execute arbitrary code on WatchGuard Fireboxes.
9. CVE-2025-32756 – Fortinet Multi-Product Stack Buffer Overflow (CVSS 9.3)
A critical stack-based buffer overflow affecting several Fortinet products, including FortiVoice, FortiMail, FortiNDR, FortiRecorder, and FortiCamera. The flaw allows remote, unauthenticated attackers to execute arbitrary code by sending specially crafted HTTP requests carrying malicious cookies.
10. CVE-2025-3248 – Langflow AI Orchestration Platform (CVSS 9.8)
A critical flaw in one of the most popular open-source AI orchestration platforms, with over 79,000 GitHub stars. CVE-2025-3248 stems from unsafe code validation logic in the unauthenticated /api/v1/validate/code endpoint, enabling remote attackers to execute arbitrary code without any authentication.
Exploitation evidence emerged early, with CVE-2025-3248 added to CISA's Known Exploited Vulnerabilities catalog on May 5, 2025, indicating active weaponization in threat actor arsenals.
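The bug class behind this kind of flaw is worth seeing in code: a "validation" step that executes the submitted source in order to inspect it has already run the attacker's code before any verdict exists. The following is an added Python illustration of that class, not Langflow's code; the validator names are hypothetical and the side effect is a harmless environment-variable marker.

```python
"""Why a code-validation endpoint must never execute what it validates.

Added illustration of the bug class, not Langflow's code. Function names are
hypothetical; the observable side effect is a harmless environment variable.
"""
import ast
import os

MARKER = "VALIDATOR_DEMO_RAN"

# Constructed submission: the decorator expression is evaluated the moment the
# `def` statement executes, i.e. during "validation", not at call time.
SUBMITTED_CODE = '''
@(lambda f: (__import__("os").environ.__setitem__("VALIDATOR_DEMO_RAN", "yes"), f)[1])
def process(data):
    return data
'''

def validate_by_executing(code):
    """Unsafe pattern: compile and execute each top-level definition to 'check' it.

    Decorators, default-argument expressions and class bodies all run here, so an
    unauthenticated caller gets code execution in the server process."""
    tree = ast.parse(code)
    namespace = {}
    for node in tree.body:
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef, ast.ClassDef)):
            module = ast.Module(body=[node], type_ignores=[])
            exec(compile(module, "<submitted>", "exec"), namespace)
    return sorted(k for k, v in namespace.items() if callable(v) and not k.startswith("__"))

def validate_by_parsing(code):
    """Safe pattern: inspect the syntax tree only; nothing from the submission runs.

    Returns {function_name: [argument names]}; a SyntaxError propagates to the caller."""
    tree = ast.parse(code)
    functions = {}
    for node in ast.walk(tree):
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            functions[node.name] = [a.arg for a in node.args.args]
    return functions

def demo():
    """Run both validators on the same submission and report whether submitted code executed."""
    os.environ.pop(MARKER, None)
    safe_result = validate_by_parsing(SUBMITTED_CODE)
    ran_during_safe = MARKER in os.environ
    unsafe_result = validate_by_executing(SUBMITTED_CODE)
    ran_during_unsafe = MARKER in os.environ
    os.environ.pop(MARKER, None)
    return {
        "safe_functions": safe_result, "ran_during_safe": ran_during_safe,
        "unsafe_functions": unsafe_result, "ran_during_unsafe": ran_during_unsafe,
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Both validators report the same function, but only the parsing one does so without having executed the submission.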
Top 10 Critical Vulnerabilities of 2025: Summary Table

| CVE ID | Affected Product | CVSS | Primary Impact | Status |
|---|---|---|---|---|
| CVE-2025-55182 | React/Next.js | 10.0 | React2Shell RCE | Actively Exploited |
| CVE-2025-64446 | Fortinet FortiWeb | 9.8 | Auth Bypass + Admin Creation | Actively Exploited |
| CVE-2025-53770 | MS SharePoint | 9.8 | "ToolShell" Zero-Day RCE | Actively Exploited |
| CVE-2025-61882 | Oracle EBS | 9.8 | BI Publisher RCE | Actively Exploited |
| CVE-2025-32463 | Sudo (Unix/Linux) | 9.3 | Privilege Escalation to Root | CISA KEV |
| CVE-2025-5777 | Citrix NetScaler | 9.3 | "CitrixBleed 2" Memory Leak | Actively Exploited |
| CVE-2025-20333 | Cisco ASA/FTD | 9.9 | Buffer Overflow RCE | Emergency Directive |
| CVE-2025-9242 | WatchGuard Fireware | 9.3 | Buffer Overflow RCE | Actively Exploited |
| CVE-2025-32756 | Fortinet (Multiple) | 9.3 | Stack Buffer Overflow RCE | Zero-Day |
| CVE-2025-3248 | Langflow AI Platform | 9.8 | Unauthenticated RCE | CISA KEV |
2024 vs 2025: The Acceleration
Let's put this in perspective:
2024: About 113 CVEs were published daily
2025: 131 CVEs published daily, a 16% increase
But here's what the numbers don't show: By mid-2025, roughly 38% of reported CVEs were rated High or Critical severity (CVSS score ≥7.0). Among 21,500 vulnerabilities, about 1,773 were Critical (CVSS 9-10) and 6,521 High (CVSS 7-8.9).
Translation: Security teams face a triage nightmare. You can't patch everything immediately, so you must prioritize—yet the sheer volume of urgent issues is overwhelming.
The AI Uprising: The First Autonomous Cyberattack
Here's where 2025 gets genuinely unsettling.
In mid-September 2025, researchers detected what is assessed to be the first documented case of a largely autonomous AI-orchestrated cyber espionage campaign. Conducted by a Chinese state-sponsored group designated GTG-1002, the campaign manipulated Claude Code (Anthropic's AI coding tool) to perform reconnaissance, vulnerability discovery, and data exfiltration.
The AI wasn't just a tool. It was the operator.
The AI was tasked to act as an "autonomous penetration testing orchestrator," performing 80-90% of tactical operations independently. While the AI occasionally "hallucinated" credentials that didn't work, it successfully mapped network topologies and generated tailored attack payloads at a speed human operators could not match.
What this means: We've crossed a threshold. Attack speeds are no longer limited by human decision-making. An AI can scan, identify, exploit, and exfiltrate data before your SOC team finishes their morning coffee.
80% of ransomware attacks in 2025 now leverage artificial intelligence—from generating phishing emails that pass the "human test" to creating polymorphic malware that evades signature-based detection.
The era of machine-speed exploitation is here.
Ransomware in 2025: The Economic Model is Breaking
If there's one bright spot in 2025, it's this: victims stopped paying.
In Q3 2025, only 23% of ransomware victims paid a ransom, with the rate dropping to a mere 19% for data theft incidents that involved no encryption. Compare that to 2019, when 85% of victims paid.
The median ransom demand dropped to $1,324,439 (down 34% year-over-year), while the median ransom payment fell to $1 million, a 50% decline.
What changed?
Better backups: Improved backup and recovery capabilities reduced organizations' dependence on paying for decryption keys
Trust erosion: Growing awareness that paying ransoms often fails to prevent data leaks or guarantee file recovery
Law enforcement pressure: More arrests, more seizures, more fear
By Q3 2025, an organization somewhere falls victim to ransomware roughly every 19 seconds on average, contributing to a global cadence of thousands of attacks per day. Yet despite this volume surge, the median payment hit an all-time high of $250,000 in Q1 2024 before plummeting by 45% to $110,890 in Q4 2024.
The Paradox: More attacks, fewer payments. Attackers are working exponentially harder for each dollar.
The Dominant Ransomware Groups of 2025
The ransomware ecosystem in Q3 2025 remains highly active and structurally fragmented. The number of active data leak sites soared to a record-breaking 81 in Q3 2025, as smaller ransomware groups filled the gaps left by larger operations disrupted by law enforcement.
Top Groups:
Qilin: The most active actor in Q3 2025—averaging around 75 victims per month, up from 36 in Q1 prior to RansomHub's closure in April
Akira: Maintained prevalence throughout 2025, specializing in a RaaS model hitting both Windows and Linux environments
INC Ransomware: Increased its monthly total from 23 to 39 victims during 2025
LockBit: Resurfaced in September 2025 after being disrupted by Operation Cronos in early 2024, re-emerging as LockBit 5.0 (also called "ChuongDong")
Throughout 2025, 45 newly observed ransomware groups emerged, with 14 new groups beginning to publish victims in Q3 alone.
The Fragmentation Effect: In Q1, the ten most active groups accounted for 71% of all data leak site postings. In Q2, their share fell to 63%, and by Q3, to just 56%.
What does this mean? Big brands like LockBit getting taken down doesn't stop ransomware—it just redistributes it across dozens of smaller, hungrier groups.
Geopolitical Cyber Warfare: Nation-States at Full Throttle
2025 wasn't just about cybercriminals—it was about nation-states treating cyber operations as primary weapons of statecraft.
North Korea: The $2 Billion Heist
North Korea stole over $2 billion in cryptocurrency in 2025, including a massive $1.5 billion heist from the ByBit exchange. This isn't cybercrime—it's state-sponsored revenue generation to fund weapons programs.
Iran: 35% Surge in Custom Malware
Iran saw a 35% surge in custom malware families, focusing destructive wiper attacks on Israel and exfiltrating research data from global universities.
Russia: Infrastructure Disruption
Russia focused on disrupting European infrastructure, including an April attack on a Norwegian dam and a July attack on a Polish hydropower plant. These weren't data breaches—they were acts of sabotage.
Microsoft reported tracking over 600 distinct nation-state groups, with Chinese groups leading in volume and sophistication. The Salt Typhoon campaign (disclosed in 2024, with impacts extending through 2025) breached major U.S. telecom carriers, intercepting communications of high-ranking government officials.
The Counter-Strike: Law Enforcement's Best Year Ever
If 2024 was about disruption, 2025 was about decapitation.
On July 24, 2025, an international law enforcement operation resulted in the seizure of domains used by the BlackSuit ransomware group. The operation involved HSI, IRS Criminal Investigation, U.S. Secret Service, FBI, Europol, and multiple international partners, resulting in the seizure of servers, domains, and digital assets.
A DOJ announcement on August 11, 2025, explained that laundered cryptocurrency valued at $1,091,453 had been seized, along with four servers and nine domains.
Impact: BlackSuit had attacked over 450 victims in the U.S. and obtained more than $370 million in ransom payments. The group immediately rebranded as "Chaos," but the takedown forced costly infrastructure rebuilding.
Operation Endgame / Endgame 3.0 — Global malware infrastructure takedown
Europol coordinated a major multinational effort between 10–14 November 2025 to dismantle large-scale malware infrastructure worldwide. The operation targeted multiple notorious cyber threats — including the Rhadamanthys infostealer, the VenomRAT remote access trojan and the Elysium botnet — and resulted in the seizure of 1,025 malicious servers and disruption of criminal infrastructure used to steal credentials and facilitate cyberattacks.
Why it matters: These malware families were widely used by cybercriminals to compromise devices, steal data, and support further attacks; their removal significantly weakened parts of the cybercrime ecosystem and protected potentially hundreds of thousands of victims globally.
During Operation Secure, law enforcement agencies from 26 countries seized 41 servers and arrested 32 suspects. The operation took down over 20,000 malicious IP addresses and domains across 25 Asian countries.
Following the operation, authorities notified over 216,000 victims and potential victims so they could take immediate action—such as changing passwords, freezing accounts, or removing unauthorized access.
Law enforcement agencies from the UK and 18 African countries teamed up between June and August on Operation Serengeti 2.0. They reported dismantling a 1,000-person cybercriminal network, recovering $97.4 million in stolen money from over 88,000 victims, and taking down 11,432 malicious infrastructure assets.
Key developer arrested in Greece, malware infrastructure dismantled

| # | Operation | Target | Date | Countries | Outcome |
|---|---|---|---|---|---|
| 18 | Operation Moonlander | Anyproxy/5socks Botnet | 2025 | 3 (US, Netherlands, Thailand) | 20-year botnet operation dismantled, proxy services shut down |
| 19 | Wazawaka Arrest | Multi-Group Ransomware Actor | November 2024 (impact 2025) | Non-NATO country | Well-known ransomware actor tied to multiple gangs arrested |
| 20 | AT&T/Verizon Hacker Arrest | Telecom System Intrusion | December 31, 2024 | United States | US soldier arrested for hacking AT&T and Verizon systems |
The Strategic Mandate for 2026: Three Non-Negotiables
After watching 2025 unfold, here's what security leaders need to internalize for 2026:
1. Identity IS the Perimeter
Stolen credentials became the second most common entry vector, accounting for 16% of all investigated intrusions in 2025. With 16 billion leaked credentials surfacing on the dark web this year, password-based authentication is officially a liability.
Action: Enforce FIDO2-compliant multi-factor authentication across all accounts. Not "important" accounts. ALL accounts.
2. Assume Compromise
82% of breaches involved cloud-based data in 2025. Your third-party vendors are already breached. Your SaaS providers have been compromised. Your supply chain has attackers in it right now.
3. Defend at Machine Speed
If 80% of ransomware attacks use AI, and the first autonomous attack has already happened, your SOC needs AI-enhanced operations to analyze data and prioritize alerts at machine speed.
Action: Deploy AI-powered EDR, automate threat hunting, and integrate behavioral analytics. Human-speed analysis is no longer sufficient.
Conclusion: The Fight We're Actually In
2025 taught us that cybersecurity is no longer a technical problem—it's an economic, geopolitical, and existential one.
We're not fighting hackers in hoodies. We're fighting:
Nation-states with billion-dollar budgets
AI agents that don't sleep
Ransomware syndicates operating like Fortune 500 companies
Supply chain compromises that cascade across industries
But we're also seeing unprecedented international cooperation, victims who refuse to pay, and law enforcement operations that actually work.
The perimeter is dead. Identity is the battlefield. And in 2026, the organizations that survive will be the ones who accepted that reality in 2025.
The Editorial Team at Security Land is comprised of experienced professionals dedicated to delivering insightful analysis, breaking news, and expert perspectives on the ever-evolving threat landscape.