Threat Intelligence | December 21, 2025 | 10 min read

The 10 Biggest Cyber Stories of 2025: A Year of Record-Breaking Attacks

From the largest cryptocurrency heist in history to nation-state espionage campaigns targeting critical infrastructure, 2025 redefined the cyber threat landscape.

Alex Kowalski

As 2025 draws to a close, the cybersecurity industry is reflecting on a year that shattered records and redefined our understanding of cyber risk. From a single cryptocurrency heist that netted $1.5 billion to nation-state campaigns compromising the phones of senior government officials, threat actors demonstrated unprecedented ambition and capability. Here are the 10 stories that defined cybersecurity in 2025.

TL;DR

  • Bybit Heist: North Korea's Lazarus Group stole $1.5 billion in the largest cryptocurrency theft ever recorded
  • UK Retail Attacks: Scattered Spider crippled Marks & Spencer for 46 days, causing up to £440 million in damages
  • Salt Typhoon: Chinese hackers compromised 200+ telecom companies across 80 countries, including wiretap systems
  • Treasury Breach: Chinese APT accessed Treasury Secretary Yellen's computer and CFIUS systems
  • PowerSchool: 62 million students had their data stolen in the largest education sector breach

1. The Bybit Heist: $1.5 Billion Stolen in Minutes

The February 21 attack on cryptocurrency exchange Bybit wasn't just the biggest crypto theft of 2025—it was the largest in history. North Korea's Lazarus Group extracted approximately $1.5 billion in Ethereum from the Dubai-based exchange in a meticulously planned operation that took months to prepare but only moments to execute.

The attackers compromised a developer at Safe, a third-party wallet provider, through social engineering. They then planted dormant malicious code that activated when a Bybit employee opened the company's Safe account to authorize a routine transaction. The employee unknowingly approved a command that drained Bybit's holdings.

Within 48 hours, the hackers had laundered at least $160 million. By March, 86% of the stolen ETH had been converted to Bitcoin through mixers, decentralized exchanges, and cross-chain bridges. The FBI formally attributed the attack to North Korea's "TraderTraitor" operation.

The Bybit heist contributed to North Korea's record-breaking year: DPRK-affiliated actors stole $2.02 billion in cryptocurrency in 2025, accounting for roughly 60% of all reported crypto thefts. These funds directly support the regime's nuclear and ballistic missile programs.

2. Scattered Spider Devastates UK Retail

Easter weekend 2025 became a nightmare for British retail when Marks & Spencer discovered that the Scattered Spider hacking collective had been inside their network since February. The attackers had exfiltrated the company's entire Active Directory database—including password hashes for every domain user.

The attack began with a phone call. An attacker impersonated an M&S employee and convinced a third-party help desk operator to reset that employee's password. From there, Scattered Spider deployed DragonForce ransomware across M&S's infrastructure.

The damage was catastrophic: contactless payments failed nationwide, Click & Collect services went dark, and online shopping was suspended for 46 days. More than £700 million was wiped from M&S's market value within days. The total financial impact is estimated between £270 million and £440 million.

The same group also hit Co-op, compromising data for all 6.5 million loyalty program members, and briefly targeted Harrods. UK authorities arrested four suspects in July and classified the attacks as a "single combined cyber event"—the most economically damaging in British retail history.

3. Salt Typhoon: China's Telecom Espionage Campaign

Perhaps no story better illustrated the intersection of cybersecurity and geopolitics than Salt Typhoon, a Chinese state-sponsored campaign that compromised telecommunications infrastructure on a global scale.

The FBI confirmed that Salt Typhoon hackers breached more than 200 companies across 80 countries, with at least nine major U.S. telecoms affected: Verizon, AT&T, T-Mobile, Spectrum, Lumen, Consolidated Communications, Windstream, and others. In June, satellite provider Viasat was added to the victim list.

What the attackers accessed was chilling. They penetrated America's "lawful intercept" systems—the infrastructure used to process court-authorized wiretaps. They also accessed personal communications of President Trump, Vice President Vance, and other senior political officials.

Salt Typhoon's methods included exploiting vulnerabilities in Cisco network devices, with researchers identifying over 1,000 compromise attempts in December 2024 and January 2025 alone. The U.S. Treasury sanctioned three Chinese companies for their involvement, but intelligence officials expect the campaign to continue due to the high value of telecommunications data.

4. Chinese Hackers Breach U.S. Treasury

The year began with disclosure that Chinese state-sponsored hackers had penetrated the U.S. Treasury Department, accessing the computers of Secretary Janet Yellen and two of her deputies.

The attackers compromised BeyondTrust, a cybersecurity vendor providing remote support services to Treasury. By stealing a key used for authentication, they bypassed security controls and gained access to Treasury workstations and unclassified files.

The breach specifically targeted the Committee on Foreign Investment in the United States (CFIUS), the powerful body that reviews foreign investments for national security implications. The timing was notable: CFIUS had recently gained expanded authority to scrutinize real estate sales near U.S. military bases.

The Department of Justice attributed the attack to APT27 (Silk Typhoon) in March 2025. Treasury subsequently sanctioned the hacker Yin Kecheng and Sichuan Juxinhe Network Technology Company for their roles in the compromise.

5. PowerSchool: 62 Million Students' Data Stolen

The PowerSchool breach demonstrated that no sector is immune to sophisticated attacks. The education technology giant, which serves approximately 75% of the U.S. K-12 market and operates in over 90 countries, disclosed that hackers had stolen data on 62 million students and 9.5 million educators.

The attack began on December 19, 2024, when an attacker used compromised credentials to access PowerSource, the company's customer support portal. The lack of multi-factor authentication allowed the intrusion to continue undetected for nine days.

The stolen data included names, addresses, Social Security numbers, grades, and in some cases medical records. Some districts reported that data going back to 2009 was compromised.

PowerSchool paid an extortion demand of approximately $2.85 million in Bitcoin after receiving what it believed was proof of data deletion. But in May 2025, schools in Canada and North Carolina began receiving extortion emails containing samples of the supposedly deleted data—a stark reminder of why experts advise against paying ransoms.

The attacker, 19-year-old Matthew D. Lane, pleaded guilty and faces at least nine years in prison.

6. Jaguar Land Rover: UK's Most Economically Damaging Attack

A September ransomware attack against Jaguar Land Rover stalled production at the automaker's UK plants for months, triggering a cascading crisis that rippled through the British economy.

The attack's impact extended far beyond JLR itself. Suppliers across the UK were unable to deliver components or receive payment, with some smaller firms going out of business entirely. The disruption was so severe that the UK government ultimately guaranteed a £1.5 billion bailout.

British security experts characterized it as the most economically damaging cyberattack in UK history—surpassing even the Scattered Spider retail attacks from earlier in the year. The incident highlighted the fragility of just-in-time manufacturing supply chains and the catastrophic consequences when key nodes are disabled.

7. South Korea's Year of Breaches

South Korea experienced what security researchers called a "data breach every month" in 2025, with two incidents standing out for their scale.

In April, SK Telecom—the country's largest mobile carrier—was hacked, exposing 23 million customer records. The breach was attributed to a sophisticated persistent threat actor who maintained access for weeks before detection.

Even more damaging was the Coupang breach. The e-commerce giant, often called "the Amazon of South Korea," suffered a months-long intrusion that began in June but wasn't detected until November. By then, hackers had exfiltrated personal information on 33 million customers. The breach's severity led to the resignation of Coupang's CEO.

Together, these incidents exposed data on a significant portion of South Korea's 51 million population and prompted calls for stricter data protection regulations.

8. SAP NetWeaver Zero-Day Mass Exploitation

On April 24, SAP disclosed CVE-2025-31324, a critical zero-day vulnerability in NetWeaver Visual Composer that enabled unauthenticated remote code execution. Within days, security researchers identified over 581 NetWeaver instances under active attack.

The exploitation campaign was attributed to multiple threat actors, including the Clop ransomware gang and state-linked groups. Attackers uploaded web shells to compromised systems, establishing persistent access for follow-on operations.

The incident was particularly alarming given NetWeaver's prevalence in enterprise environments. SAP systems often contain an organization's most sensitive business data, making them high-value targets for both espionage and ransomware operators.

In October, Oracle faced a similar crisis when Clop began exploiting vulnerabilities in unpatched E-Business Suite instances, with ransom demands reaching $50 million.

9. Healthcare Under Siege: 5.6 Million Patients Exposed

Healthcare remained the most expensive sector for data breaches in 2025, with an average cost of $7.42 million per incident—a dubious distinction the industry has held for 12 consecutive years.

The year's largest healthcare breach affected Yale New Haven Health System, exposing data on approximately 5.6 million patients. The Medusa ransomware group also claimed a notable victim in SimonMed Imaging, exfiltrating records on 1.2 million patients and demanding $1 million for their deletion.

Anne Arundel Dermatology disclosed a breach affecting 1.9 million individuals, while Conduent Business Services—a healthcare payment processor—reported 4.3 million victims from an incident spanning late 2024 into early 2025.

The healthcare sector's vulnerability stems from a combination of factors: legacy systems, complex vendor relationships, valuable data, and life-safety implications that can pressure organizations to pay ransoms quickly.

10. The 16 Billion Credential Leak

In what researchers called one of the largest data aggregations ever compiled, threat actors leaked over 16 billion credentials from major platforms including Google, Facebook, and Apple.

Unlike a traditional breach, this compilation aggregated credentials harvested by infostealer malware and combined them with data from numerous previous breaches. The dataset included reused passwords—a reminder that credential stuffing attacks remain effective because users continue to recycle passwords across services.

The leak highlighted the industrial scale of the credential theft ecosystem. Infostealer malware distributed through phishing campaigns, malicious ads, and trojanized software continuously harvests credentials that flow into underground markets and compilation datasets.


Key Trends That Defined 2025

Third-Party Risk Became Primary Risk

From BeyondTrust (Treasury breach) to Safe (Bybit) to PowerSource (PowerSchool), attackers increasingly targeted the vendors and service providers that organizations trust. The common thread: compromising one vendor can unlock access to hundreds or thousands of downstream victims.

Social Engineering Evolution

Scattered Spider's help desk manipulation attack demonstrated that sophisticated social engineering can defeat technical controls. The 2025 Verizon Data Breach Investigations Report found that 60% of breaches involved a human element such as phishing or stolen credentials.

Nation-State Attacks Intensified

China's Salt Typhoon and Treasury campaigns, North Korea's cryptocurrency operations, and Russia's continued targeting of critical infrastructure showed that geopolitical tensions increasingly manifest in cyberspace.

AI-Enabled Attacks Emerged

Verizon's analysis found that 16% of 2025 breaches involved attackers using AI, with 37% leveraging AI-generated phishing content and 35% incorporating deepfake technology.

Looking Ahead

If 2025 taught us anything, it's that the cybersecurity landscape continues to evolve faster than defenses can adapt. The record-breaking scale of attacks—$1.5 billion stolen in a single incident, 62 million student records exposed, telecommunications infrastructure of 80 countries compromised—suggests that 2026 will bring new challenges.

Organizations should prioritize fundamentals: multi-factor authentication on all systems, rigorous third-party risk management, employee security awareness training, and incident response planning. The threats will continue to evolve, but strong foundations remain essential.


The stories covered in this article represent the most significant cyber incidents of 2025 based on financial impact, scale of affected individuals, and strategic implications. Some incidents remain under investigation, and details may continue to emerge.