It’s that time of year where we re-visit the wins and challenges from 2025 in our special year-end edition of The Good, The Bad and the Ugly. Here are the biggest stories that defined the best, the worst, and the ugliest cybersecurity moments from this past year.

The Best

2025 has been a year of remarkable victories for law enforcement agencies worldwide, highlighting the power of cross-border coordination. From high-profile arrests to major asset seizures, authorities have steadily dismantled the infrastructure supporting criminal and state-aligned cyber actors.

In the last two weeks, Eurojust led a takedown of Ukrainian call centers defrauding Europeans of €10M and law enforcement seizing servers from E-Note crypto exchange laundering $70M through ransomware and account takeovers. Similarly, the arrest of Ukrainian national Victoria Dubranova for aiding Russian state-backed hacktivists, alongside Spanish authorities capturing a 19-year-old selling 64M stolen records, underscores the growing international effort to hold cybercriminals accountable.

Significant infrastructure disruptions further amplify these successes. Convictions of cybercriminals targeting sensitive systems, such as the prison sentence for the “evil twin” WiFi hacker and seizure of the Cryptomixer crypto mixer with €1.3B laundered since 2016, are tangible results in stopping large-scale fraud. Law enforcement groups also took on multifaceted approaches, combining legal action, sanctions, and operational disruption to arrest Russian and DPRK-related cybercriminals and place sanctions on bulletproof hosting providers and foreign actors.

Our 🆕 joint guidance on bulletproof hosting providers highlights best practices to mitigate potential cybercriminal activity, including recommended actions that ISPs can implement to decrease the usefulness of BPH infrastructure. Learn more 👉 https://t.co/cGQpuLpBPP pic.twitter.com/tM55acfuQv

— CISA Cyber (@CISACyber) November 19, 2025

International coordination has also been key this year. Interpol’s massive operations across Africa, including Operation Serengeti 2.0 and Operation Red Card, led to the arrests of thousands of suspects and the seizure of tens of millions in stolen assets. Europol dismantled SIMCARTEL, a global SIM-box fraud network, seizing servers, SIM cards, crypto, and luxury vehicles, while coordinated actions targeted Diskstation ransomware gangs and hacktivist infrastructures. In parallel, DOJ and CISA-led operations disrupted high-value schemes, including Prince Group’s $15B romance scam and multiple ransomware networks, while releasing decryptors for Phobos and 8Base victims to provide tangible relief. Law enforcement also extended their reach to regulatory and infrastructure initiatives as well, introducing the Cyber Trust Mark certification for IoT devices and HIPAA encryption and MFA updates to ensure cyber safety from the top down.

On the cybersecurity innovation front, CISA’s launch of Thorium, an open-source platform to help government agencies automate forensic investigations, and AI-enabled threat detection systems have allowed authorities to act on incidents more rapidly, from ransomware affiliate seizures to monitoring AI misuse.

The Worst

State-sponsored crime, supply chain abuse, and emerging malware strains have collectively challenged defenders worldwide.

North Korea’s DPRK-linked hackers were prolific throughout 2025, stealing over $2B in cryptocurrency, blending traditional heists with espionage campaigns like Operation Contagious Interview targeting remote workers. Similarly, Iranian-linked UNK_SmudgedSerpent and China-linked TA415 campaigns leveraged phishing, fake platforms, and developer tooling to compromise high-value targets, from policy experts to enterprise networks.

2025 saw developer platforms, open-source ecosystems, and smart contracts become prime targets for threat actors. VS Code extensions like Bitcoin Black and Codo AI exfiltrated credentials from crypto wallets, while NPM packages such as XORIndex and os-info-checker-es6 delivered multi-stage payloads. Novel malware families including SleepyDuck RAT and Betruger backdoors emerged, masquerading as popular extensions on the Open VSX open-source registry and supporting ransomware campaigns, respectively. Even AI-powered attacks emerged, with AkiraBot, Gamma AI phishing, and social engineering campaigns bypassing CAPTCHAs and traditional defenses to exploit SMBs and enterprise targets.

This year, financial and operational impacts were particularly severe. Holiday banking fraud alone netted $262M via account takeovers exploiting phishing, MFA bypasses, and impersonation. YouTube trading bot scams, cloud identity theft campaigns, and multi-stage ransomware attacks like EncryptHub and Katz Stealer drained millions, targeting both enterprise systems and individuals. Exploits in misconfigured cloud resources and abandoned subdomains further amplified these risks, showing how minor misconfigurations can fuel sophisticated attacks.

State-aligned and nation-state threat actors also pursued espionage alongside financial crime. Fake job schemes and AI/crypto talent lures enabled targeted malware deployment, while advanced persistent threats like UNC3886 delivered stealthy backdoors to corporate and diplomatic networks. Malicious actors increasingly weaponized cloud services, messaging platforms, and developer tools, blurring the line between operational convenience and attack vectors.

The Ugliest

The “Ugly” dimension of 2025 was defined by AI-assisted attacks, zero-day exploitation, and ransomware industrialization, which amplified the scale and complexity of cybercrime. Large ransomware operations like CyberVolk resurfaced with AI-driven VolkLocker, automating negotiation, phishing, and multilingual attacks while leveraging Telegram for orchestration. AI also enhanced the capabilities of smaller, fragmented ransomware crews, allowing rapid targeting and payload deployment, though operational flaws sometimes limited effectiveness.

Zero-day vulnerabilities were actively exploited across critical infrastructure and enterprise platforms. React2Shell in React/Next.js, Triofox (CVE-2025-12480), Oracle E-Business Suite (CVE-2025-61884), and ToolShell in SharePoint permitted full system compromise, highlighting that popular frameworks and business-critical software remain high-value targets. Cloud and AI services were similarly exploited; EchoLeak and Google Gemini LLM prompt injections enabled exfiltration of sensitive information without user interaction. Attackers in all these cases demonstrated a capacity to combine stealth, automation, and sophisticated payloads for maximum disruption.

Update: See newly added info to our #ToolShell Alert. We’ve included info on ransomware deployment, new webshells involved in exploitation, & detection guidance 👉 https://t.co/Y37FHSeAL0 pic.twitter.com/C5aMXNOmAU

— CISA Cyber (@CISACyber) July 24, 2025

2025 also saw cyber espionage intertwined with physical and geopolitical threats. Iranian-backed Crimson Sandstorm leveraged cyber reconnaissance to support missile strikes, while Chinese and DPRK actors continue to target aid operations, humanitarian NGOs, and government infrastructure, often exploiting IoT, industrial control systems, or open-source software to do so. In cross-border campaigns, long-dwell malware like BRICKSTORM and protocol-level exploits such as MadeYouReset created cascading impacts across critical networks and infrastructure.

The risk factor in many attacks this year were amplified by third-party risks. Breaches of Discord vendors, Mixpanel, and GitHub Actions exposed vast quantities of PII and credentials, enabling subsequent ransomware, phishing, or espionage campaigns. The combination of AI, automation, and high-impact vulnerabilities exemplifies a cybercrime industrial complex, where opportunistic and state-aligned actors scale operations with unprecedented speed and sophistication.

Conclusion

As 2025 draws to a close, one thing is clear: Cybersecurity has become more interconnected, more consequential, and more dependent on collective responsibility than ever before. From supply chain fragility and identity-based intrusion to the continued convergence of cybercrime and geopolitics, the challenges ahead demand deeper collaboration, stronger accountability, and a more deliberate approach to trust across the digital ecosystem.

From all of us here at SentinelOne, we wish you a happy, healthy, and secure New Year 2026!