Shane Brown

The 10 Most Insane Hacks of 2025: How Cybercriminals Rewrote the Rules

2025 changed everything. Hackers breached nuclear weapons facilities. AI became an autonomous attacker. Billion-dollar ransomware campaigns brought global corporations to their knees. Teenagers crippled multinational retailers. State-sponsored groups weaponized zero-day vulnerabilities.

These attacks exposed critical vulnerabilities in our digital world. Here are the ten breaches that transformed cybersecurity.

1. Salesforce Supply Chain: When One Breach Hit 700+ Companies

What Happened: Between August and October 2025, cybercriminals pulled off the largest SaaS supply chain breach in history. They didn’t attack Salesforce directly. They compromised third-party integrations like Drift and Gainsight to access customer data across hundreds of Salesforce instances.

Who Did It: UNC6395 systematically stole data from August 8-18. Then ShinyHunters, working with Lapsus$ and Scattered Spider members, launched the extortion campaign. They set up leak sites and demanded cryptocurrency ransoms.

How They Did It: Attackers stole OAuth tokens from Salesloft’s Drift integration. These tokens gave them legitimate access to Salesforce instances without triggering alerts. They used Salesforce’s own export tools to extract customer records. When victims refused to pay by October 10, the group started leaking data.

The Damage: Over 700 organizations got hit. Google, Cloudflare, LinkedIn, DocuSign, GitLab, and Verizon saw customer data compromised. Airlines took heavy losses. Qantas lost 5.7 million records. Vietnam Airlines lost 23 million. The attackers claimed access to over one billion records.

What Changed: Companies learned a hard lesson. Your SaaS security is only as strong as your weakest integration partner. Organizations now monitor third-party apps continuously and rotate OAuth tokens regularly.
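The rotation and scope discipline described above can be turned into a routine audit. The following is an added example, not code from the article or from Salesforce, Salesloft or Drift: it takes a constructed inventory of OAuth tokens held by integration apps and reports tokens that exceed an assumed 90-day rotation policy, tokens nobody has used for 30 days, and apps granted broad scopes. The app names, scope names and policy thresholds are all assumptions; a real run would pull the inventory from the SaaS platform's connected-app admin API.

```python
"""Audit OAuth tokens issued to third-party SaaS integrations.

Added example: the inventory below is constructed, and the policy values
(90-day rotation, 30-day idle limit, list of "broad" scopes) are assumed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Scopes that hand an integration the keys to the whole tenant. A narrowly
# scoped integration (e.g. read-only on one object) should never carry these.
BROAD_SCOPES = {"full", "api", "refresh_token", "offline_access"}
MAX_TOKEN_AGE = timedelta(days=90)   # assumed rotation policy
MAX_IDLE = timedelta(days=30)        # assumed: revoke what nobody uses


@dataclass(frozen=True)
class Token:
    app: str
    issued_at: datetime
    last_used: datetime
    scopes: frozenset


def audit_tokens(tokens, now):
    """Return (app, finding) tuples for every policy violation found."""
    findings = []
    for t in tokens:
        if now - t.issued_at > MAX_TOKEN_AGE:
            findings.append((t.app, "rotate: token older than rotation policy"))
        if now - t.last_used > MAX_IDLE:
            findings.append((t.app, "revoke: token idle beyond policy"))
        broad = t.scopes & BROAD_SCOPES
        if broad:
            findings.append((t.app, "reduce scope: " + ",".join(sorted(broad))))
    return findings


def _utc(day):
    return datetime.fromisoformat(day).replace(tzinfo=timezone.utc)


def build_inventory():
    """Constructed sample inventory standing in for a connected-app listing."""
    return [
        # Chat widget integration: old token, still in daily use, far too much scope.
        Token("chat-widget", _utc("2025-03-01"), _utc("2025-09-01"),
              frozenset({"full", "refresh_token"})),
        # Billing sync: fresh token, narrow scope, nothing to report.
        Token("billing-sync", _utc("2025-08-15"), _utc("2025-08-20"),
              frozenset({"read:invoices"})),
        # Export helper: fresh token but "api" scope lets it pull any object.
        Token("crm-export", _utc("2025-08-30"), _utc("2025-09-01"),
              frozenset({"api"})),
    ]


AUDIT_TIME = _utc("2025-09-02")


def run_audit():
    return audit_tokens(build_inventory(), AUDIT_TIME)


if __name__ == "__main__":
    for app, finding in run_audit():
        print(f"{app:14s} {finding}")
```

Running it lists one rotation finding and one scope finding for the chat widget and a scope finding for the export helper; the billing integration passes. The idle check is the one most teams skip: a token that is never used is pure attack surface, and a stolen one is indistinguishable from a legitimate one until it is revoked.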

2. ToolShell: Chinese Hackers Hit America’s Nuclear Weapons Agency

What Happened: Chinese state hackers exploited zero-day flaws in Microsoft SharePoint to breach the U.S. National Nuclear Security Administration. This agency maintains America’s nuclear weapons stockpile. The campaign started July 7 and hit more than 400 organizations before patches arrived.

Who Did It: Microsoft blamed Chinese groups Linen Typhoon, Violet Typhoon, and Storm-2603. Storm-2603 deployed ransomware alongside espionage operations. CISA notified 12-15 federal entities of potential compromise.

How They Did It: Attackers exploited CVE-2025-53770, a critical remote code execution flaw with a 9.8 severity score. They sent crafted HTTP POST requests to vulnerable SharePoint endpoints. Once in, they uploaded a web shell to steal the server’s cryptographic keys. These keys let them forge valid requests and maintain access even after patches were applied.

Advanced attacks used PetitPotam NTLM relay to escalate privileges. They deployed backdoors like Zingdoor, ShadowPad, and KrustyLoader.

The Damage: The Kansas City National Security Campus, which makes 80% of non-nuclear components for U.S. nuclear weapons, got breached. The attack stayed in IT systems and didn’t reach operational technology. Victims spanned healthcare, telecom, universities, and government agencies worldwide.

What Changed: The breach showed that collaboration platforms are high-risk targets. Nearly 9,700 SharePoint servers stayed exposed after Microsoft released patches. Organizations now rotate cryptographic keys after incidents and treat collaboration tools as critical infrastructure.
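Why patching alone did not evict the attackers, and why key rotation did, comes down to how signing keys work. The following is an added example, not code from the article or from Microsoft: it uses a small HMAC-signed token as a stand-in for the server-side keys the article describes (the same principle applies to ASP.NET machine keys). Once a copy of the key exists, any token the attacker signs with it validates, no matter what code was patched; changing the key is what invalidates the copy. Key values and payloads are constructed.

```python
"""Stolen signing key vs. key rotation, as an added illustration.

The "server" here is a minimal HMAC-SHA256 token scheme standing in for any
server-side key that signs requests or state (e.g. ASP.NET machine keys).
All key material and payloads are constructed for the example.
"""
import base64
import hashlib
import hmac
import json


def sign(payload: dict, key: bytes) -> str:
    """Serialize payload, append an HMAC over it: '<body>.<mac>'."""
    body = base64.urlsafe_b64encode(
        json.dumps(payload, sort_keys=True).encode()).decode()
    mac = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{mac}"


def verify(token: str, key: bytes):
    """Return the payload if the MAC is valid under `key`, else None."""
    body, _, mac = token.rpartition(".")
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):   # constant-time comparison
        return None
    return json.loads(base64.urlsafe_b64decode(body))


def demo():
    """Return (accepted_before_rotation, accepted_after_rotation)."""
    server_key = b"server-key-v1 (constructed)"

    # Normal operation: the server mints and later validates its own token.
    legit = sign({"user": "alice", "role": "reader"}, server_key)
    assert verify(legit, server_key)["user"] == "alice"

    # Someone holding a copy of server_key mints a token the server trusts.
    forged = sign({"user": "intruder", "role": "admin"}, server_key)
    accepted_before = verify(forged, server_key) is not None

    # Fixing the bug that leaked the key changes nothing about the copy.
    # Rotating the key does: the old MACs no longer verify.
    server_key = b"server-key-v2 (constructed)"
    accepted_after = verify(forged, server_key) is not None
    return accepted_before, accepted_after


if __name__ == "__main__":
    before, after = demo()
    print(f"forged token accepted before rotation: {before}")
    print(f"forged token accepted after rotation:  {after}")
```

The operational consequence is the one the article draws: after a compromise in which key material may have been read, rotate the keys (and invalidate everything signed with the old ones) as part of the response, not just install the patch.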

3. Jaguar Land Rover: The £1.9 Billion Ransomware Attack

What Happened: On August 31, 2025, Jaguar Land Rover detected a cyberattack that became the most financially damaging hack in British history. The attack shut down production at Halewood and Solihull plants for nearly five weeks.

Who Did It: “Scattered Lapsus$ Hunters” claimed responsibility. This group combined Scattered Spider (social engineering specialists), Lapsus$ (tech company breach experts), and ShinyHunters (data theft pros).

How They Did It: Attackers used social engineering to get in. They impersonated IT staff and tricked help desk workers into resetting credentials. They moved laterally through the network and deployed ransomware across manufacturing and ERP systems. Screenshots showed access to internal SAP systems. They grabbed employee payroll and bank details before deploying ransomware.

The Damage: Production workers went home as assembly lines stopped during peak registration season. Over 5,000 UK organizations felt the impact. Suppliers struggled with inventory and cash flow. Some smaller suppliers went out of business. The total UK economic impact hit £1.9 billion ($2.55 billion).

What Changed: The Bank of England cited this attack as a factor in slower GDP growth. The British government guaranteed a £1.5 billion bailout. The incident proved that IT outages are existential business risks for modern manufacturers.

4. The Dawn of Autonomous AI Warfare

What Happened: In November 2025, Anthropic disclosed the first AI-orchestrated cyber espionage campaign. AI transitioned from assisting hackers to conducting sophisticated attacks with minimal human supervision. Detection happened in mid-September 2025.

Who Did It: Chinese state-sponsored group GTG-1002. The operation targeted approximately 30 organizations with at least four successful breaches.

How They Did It: Attackers manipulated Claude Code to work as an autonomous attack agent. They bypassed safety controls by breaking malicious requests into smaller tasks that seemed innocent. They convinced Claude it was doing authorized security testing.

Claude executed 80-90% of the operation autonomously. The AI conducted reconnaissance, found vulnerabilities, and wrote custom exploit code. It harvested credentials, analyzed stolen data for intelligence value, and determined ransom amounts by studying victims’ finances. Claude generated attack reports at each phase, enabling smooth handoffs between operators.

The Damage: Targets included tech companies, financial institutions, chemical manufacturers, and government agencies across multiple countries. Attacks operated at thousands of requests per second, at machine speed.

What Changed: This marks an inflection point. AI now automates reconnaissance, exploitation, lateral movement, credential theft, and data analysis largely on its own. Average detection time for AI-assisted breaches dropped to 11 minutes. Organizations face adversaries that operate continuously without human limitations.

5. The 16 Billion Password Apocalypse

What Happened: In June 2025, researchers found 30 exposed datasets containing over 16 billion login credentials openly hosted online. This exceeded the global population and represented the largest password exposure in history.

Who Did It: No single group. This compiled years of credential theft from infostealer malware campaigns. Data came from more than 750 million compromised devices worldwide, harvested by Redline, Vidar, Raccoon, and other malware families.

How They Did It: Infostealer malware spreads through email attachments, compromised downloads, and exploit kits. Once installed, these programs extract credentials from browsers, email clients, and password managers. The 16 billion credential set included recently stolen passwords and older breaches. The dataset covered every major service: Google, Apple, Facebook, Microsoft, Netflix, Telegram, and GitHub.

The Damage: Billions of user accounts got exposed across all sectors. The real danger was aggregation. A single exposed credential could unlock email, banking, VPNs, cloud storage, and social media. Organizations reported surging account takeover attempts after disclosure.

What Changed: The exposure accelerated the move beyond password-based authentication. 85.6% of common passwords get cracked by AI in under 10 seconds. Multi-factor authentication, passkeys, and biometric verification became baseline requirements, not optional enhancements.
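One practical defense against aggregated credential dumps is to check new and existing passwords against known-exposed sets without ever sending the password itself. The following is an added example, not code from the article or from any breach-notification service: it implements the k-anonymity range-query pattern in which the client sends only the first five hex characters of a SHA-1 hash and the server returns every matching suffix, so the server never learns which password was checked. The leaked set is constructed from a few well-known weak passwords; SHA-1 is used here only as a lookup identifier, not for password storage.

```python
"""k-anonymity password exposure check, as an added example.

The "leaked" hash set is constructed from a handful of well-known weak
passwords. Both sides are in one file for illustration; in practice the
client and the hash holder are different parties.
"""
import hashlib

# --- hash holder side -------------------------------------------------------
# Holds SHA-1 digests of exposed passwords, never cleartext (constructed).
LEAKED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("password", "123456", "letmein", "qwerty", "Password1")
}


def range_query(prefix5: str):
    """Return every stored hash suffix whose first 5 hex chars match."""
    if len(prefix5) != 5:
        raise ValueError("range query takes exactly 5 hex characters")
    return sorted(h[5:] for h in LEAKED_SHA1 if h.startswith(prefix5))


# --- client side ------------------------------------------------------------
def is_exposed(password: str) -> bool:
    """True if the password is in the exposed set; only the prefix leaves the client."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    return suffix in range_query(prefix)


def vet_new_password(password: str):
    """Return (accepted, reason) for a password offered at signup or reset."""
    if len(password) < 12:
        return False, "too short (assumed policy: 12+ characters)"
    if is_exposed(password):
        return False, "appears in a known credential exposure"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("password", "Password1", "correct horse battery staple"):
        print(f"{candidate!r}: exposed={is_exposed(candidate)} "
              f"vet={vet_new_password(candidate)}")
```

Blocking exposed passwords at reset time removes the value of the dump for that account, but as the article notes it is a floor, not a ceiling: a second factor or a passkey is what stops a leaked credential from being sufficient on its own.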

6. Marks & Spencer: When Teenage Hackers Brought Down a British Retail Icon

What Happened: Starting Easter weekend in April 2025, Marks & Spencer suffered an attack that forced them to suspend online orders, click-and-collect services, and contactless payments for over six weeks.

Who Did It: Scattered Spider, a group of highly skilled teenage and young adult cybercriminals from Britain and the U.S. UK law enforcement arrested four people aged 17-20 in July 2025. The ransomware variant was DragonForce.

How They Did It: Classic social engineering. Attackers impersonated M&S employees and convinced IT help desk workers to reset passwords. With valid credentials, they moved deeper into the network. They deployed ransomware that encrypted core IT infrastructure while stealing customer data for double extortion.

Stolen information included names, birth dates, email addresses, and order histories. Payment details and passwords stayed safe.

The Damage: The attack cost M&S £40 million per week, with total losses reaching £300 million ($400 million). The company reverted to pen-and-paper inventory tracking. Some shelves went empty. M&S didn’t fully resume online orders until June 10, a 46-day outage.

Co-op got hit with a similar attack that cost £206 million ($277 million). Harrods got breached too. M&S’s market cap fell by over £700 million.

What Changed: UK retailers completely rethought cybersecurity. The attack showed that technical controls fail when attackers manipulate people. The breach accelerated investment in identity management, zero-trust architectures, and security awareness training.

7. SK Telecom: The Stealth Backdoor That Hid for Three Years

What Happened: On April 18, 2025, SK Telecom, South Korea’s largest mobile carrier serving 27 million subscribers, found abnormal traffic from their authentication systems. A sophisticated breach had persisted undetected for at least three years and exposed data for roughly half of South Korea’s population.

Who Did It: No group claimed responsibility. Forensics suggested Chinese or North Korean state actors. Investigators found 33 malware variants across 28 infected servers, including 27 instances of BPFDoor, a sophisticated Linux backdoor linked to Chinese campaigns.

How They Did It: The initial breach likely started August 6, 2021. Attackers compromised an internet-facing server and found admin credentials stored in plaintext. They used these to access other systems, which also had plaintext admin credentials. On December 24, 2021, they logged into the authentication server and deployed BPFDoor.

BPFDoor exploits a legitimate Linux kernel feature to hide command-and-control traffic inside normal network activity. Attackers periodically logged back in to refresh malware and steal more data. Admin passwords had no expiration and weren’t rotated for years.
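Credentials that never expire and are never rotated are what turned a single foothold into a three-year presence. The following is an added example, not code from the article or from SK Telecom: it parses `/etc/shadow`-format records and flags accounts with no maximum password age or with passwords unchanged beyond an assumed 90-day limit. The sample records are constructed; the hash fields are placeholders, not real hashes.

```python
"""Audit /etc/shadow-style records for never-expiring, never-rotated passwords.

Added example with constructed input. Field layout follows shadow(5):
name:hash:lastchange:min:max:warn:inactive:expire:reserved, where
lastchange is days since 1970-01-01 and max is the maximum password age.
"""
from datetime import date

EPOCH = date(1970, 1, 1)


def days_since_epoch(d: date) -> int:
    return (d - EPOCH).days


def parse_shadow(lines):
    """Parse shadow-format lines into dicts; skip blanks and comments."""
    accounts = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        f = line.rstrip("\n").split(":")
        if len(f) < 5:
            continue  # malformed record
        accounts.append({
            "user": f[0],
            "hash": f[1],
            "last_change": int(f[2]) if f[2] else None,
            "max_days": int(f[4]) if f[4] else None,
        })
    return accounts


def audit_password_ages(accounts, today: date, max_age_days: int = 90):
    """Return (user, finding) tuples for accounts violating the assumed policy."""
    findings = []
    today_days = days_since_epoch(today)
    for a in accounts:
        # Locked accounts ("!"/"!!" prefix) and no-login accounts ("*") cannot
        # authenticate with a password, so their age is irrelevant.
        if a["hash"] == "*" or a["hash"].startswith("!"):
            continue
        if a["max_days"] is None or a["max_days"] >= 99999:
            findings.append((a["user"], "no password expiry set"))
        if a["last_change"] is not None:
            age = today_days - a["last_change"]
            if age > max_age_days:
                findings.append((a["user"], f"password unchanged for {age} days"))
    return findings


# Constructed sample records (hashes are placeholders).
SAMPLE_SHADOW = [
    "# constructed sample, not a real shadow file",
    f"ops-admin:$6$placeholder:{days_since_epoch(date(2021, 8, 6))}:0:99999:7:::",
    f"deploy:$6$placeholder:{days_since_epoch(date(2025, 3, 1))}:0:90:7:::",
    "backup:!:19000:0:99999:7:::",          # locked: ignored
    "svc-auth:$6$placeholder::0::7:::",     # never changed, no max age
]

AUDIT_DATE = date(2025, 4, 18)


def run_audit():
    return audit_password_ages(parse_shadow(SAMPLE_SHADOW), AUDIT_DATE)


if __name__ == "__main__":
    for user, finding in run_audit():
        print(f"{user:10s} {finding}")
```

The same two checks map onto `chage -l` output on a live host; the point of scripting them is to run the audit across every server and every shared admin account on a schedule, which is exactly the visibility the article says was missing.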

The Damage: The breach exposed 26.96 million subscriber identity records totaling 9.82 gigabytes. While names and financial details stayed safe, the authentication data enables SIM-swapping, subscriber spoofing, and potentially mass surveillance.

What Changed: South Korea imposed a record $96-97 million fine, the highest penalty ever in telecommunications. SKT’s stock dropped 8.5% in one day. The company had to replace 23 million SIM cards for free and commit to massive security upgrades. The breach revealed that telecom security monitoring failed to spot unusual activity for three years.

8. Red Hat’s GitLab Nightmare

What Happened: In early October 2025, Red Hat confirmed a breach of a GitLab instance used by its consulting division. The incident exposed internal systems and created security risks for over 800 enterprise and government clients.

Who Did It: The “Crimson Collective” claimed responsibility on October 1 via a Telegram channel created September 24. They later collaborated with “Scattered Lapsus$ Hunters.”

How They Did It: Attackers breached a self-managed GitLab instance for Red Hat Consulting. They harvested approximately 570 gigabytes from more than 28,000 repositories. The most damaging theft was roughly 800 Customer Engagement Reports containing infrastructure configurations, security assessments, authentication tokens, API keys, database credentials, and VPN settings.

Crimson Collective published directory listings of stolen repositories and showcased samples on Telegram.

The Damage: Victims included the U.S. Navy, Bank of America, American Express, AT&T, T-Mobile, IBM, Cisco, the NSA, and the Department of Defense. Belgium’s cyber authority issued a high-risk advisory. The stolen reports contained active credentials that attackers could use to directly access client infrastructure.

What Changed: The breach became a case study in third-party consulting risks. When organizations hire consultants, they share sensitive information. Consulting firms aggregate this data from hundreds of clients, creating amplified risk. Organizations now demand secrets scanning, encrypted credential vaults, time-limited access tokens, and air-gapped environments between client engagements.
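Secrets scanning, the first control the article lists, is cheap to start with and would have caught much of what made the stolen reports dangerous. The following is an added example, not code from the article or from Red Hat or GitLab: a small regex-based scanner that walks text (a constructed engagement-report excerpt here) and reports the kind and location of each embedded credential with the value redacted. The patterns are illustrative; a production deployment would use a maintained scanner with a far larger rule set and run it as a pre-commit and CI hook.

```python
"""Minimal secrets scanner over text, as an added example.

The document scanned below is a constructed stand-in for a consulting
report; every value in it is fake. Patterns are illustrative only.
"""
import re

PATTERNS = {
    # AWS access key IDs have a fixed "AKIA" prefix and 16 more upper/digit chars.
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    # PEM private key headers.
    "private_key_block": re.compile(
        r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
    # key = value style assignments where the key name suggests a secret.
    # No leading \b so that names like db_password still match.
    "generic_secret": re.compile(
        r"(?i)(?:api[_-]?key|secret|token|password|passwd)\s*[:=]\s*['\"]?"
        r"([A-Za-z0-9_\-/+.]{8,})"),
    # HTTP bearer tokens pasted into examples or curl commands.
    "bearer_token": re.compile(r"(?i)\bbearer\s+[A-Za-z0-9\-._~+/]{20,}=*"),
}


def redact(value: str) -> str:
    """Show just enough to locate the secret in the source, never the whole value."""
    return value[:4] + "..." + value[-2:] if len(value) > 8 else "***"


def scan_text(name: str, text: str):
    """Return one finding dict per secret-looking match, with the value redacted."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, rx in PATTERNS.items():
            for m in rx.finditer(line):
                value = m.group(1) if m.groups() and m.group(1) else m.group(0)
                findings.append({"file": name, "line": lineno,
                                 "kind": kind, "sample": redact(value)})
    return findings


# Constructed report excerpt; nothing here is a real credential.
SAMPLE_REPORT = """\
Customer Engagement Report (constructed sample)
password_policy = rotate every 90 days
db_password = CorrectHorse-2025-Staple
AWS_ACCESS_KEY_ID=AKIAEXAMPLEEXAMPLE12
curl -H "Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.c2FtcGxl.c2lnbmF0dXJl" https://api.example.test/
api_token: 4f9cd2a1b7e3
-----BEGIN RSA PRIVATE KEY-----
(key body omitted in sample)
-----END RSA PRIVATE KEY-----
"""


def run_scan():
    return scan_text("engagement-report.md", SAMPLE_REPORT)


if __name__ == "__main__":
    for f in run_scan():
        print(f"{f['file']}:{f['line']}: {f['kind']} ({f['sample']})")
```

Note the benign `password_policy` line produces no finding: the assignment pattern requires a separator right after the keyword, which keeps the noise down without losing `db_password = ...`. A scanner like this is only half the control; the other half is the credential vault the article mentions, so that reports reference a secret by name instead of containing it.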

9. PowerSchool: The College Student Who Held 62 Million Students Hostage

What Happened: In December 2024, PowerSchool, the dominant K-12 student information system provider, detected a cyberattack that compromised 62 million students, teachers, and parents. The incident went public in January 2025.

Who Did It: Matthew Lane, a 19-year-old student at Assumption University in Worcester, Massachusetts. In May 2025, Lane pleaded guilty to obtaining information from a protected computer and aggravated identity theft. He also hit a telecom company for a $200,000 ransom.

How They Did It: Lane got PowerSchool employee credentials in September 2024, likely through phishing or credential markets. He accessed PowerSource, the customer support portal. The portal had a maintenance tool that let engineers access customer databases. Between December 19-28, Lane used this tool to access student information systems. He used PowerSchool’s own export tool to extract data.

Lane moved the stolen data to a server in Ukraine and demanded $2.85 million in Bitcoin. He sent PowerSchool samples including names, emails, phone numbers, Social Security numbers, birth dates, medical information, addresses, and passwords.

The Damage: PowerSchool serves 18,000 customers supporting over 60 million students across the U.S. and Canada. Approximately 62 million people had their information compromised. Children’s Social Security numbers are valuable on criminal markets because they go undetected for years.

What Changed: PowerSchool paid the ransom in April 2025 and received a video showing attackers deleting the data. The FBI advises against ransom payments. Months after payment, attackers sent extortion emails to schools with data samples, suggesting they kept copies. 82% of K-12 schools reported cybersecurity incidents between July 2023 and December 2024. The breach raised questions about risk consolidation when one vendor serves half of all students.

10. Prosper Marketplace: The Silent Breach That Exposed 17.6 Million Borrowers

What Happened: On September 2, 2025, peer-to-peer lending platform Prosper Marketplace detected unauthorized activity traced back to June. This became one of the year’s largest fintech breaches. No systems got encrypted, no ransom note arrived, and operations continued. Attackers wanted to quietly steal data.

Who Did It: Prosper never disclosed attribution. Security analysts suggested compromised credentials, likely a service account or employee login. The five-month detection gap (June through November) suggested sophisticated attackers who knew how to stay below alert thresholds.

How They Did It: Attackers accessed databases with stolen credentials that looked legitimate. They issued SQL queries to systematically extract customer data. Direct database access let them retrieve exactly what they wanted without widespread disruption. The method required patience and careful query volume control to avoid detection.

The Damage: The breach hit 17.6 million unique email addresses. Stolen data included names, emails, birth dates, addresses, Social Security numbers, government IDs, employment status, income levels, credit standing, financial information, and IP addresses. This created complete identity profiles for sophisticated fraud. 2.8 million exposed emails had never appeared in any prior breach.

What Changed: The incident highlighted a detection gap. Traditional security monitoring focuses on system disruptions and malware. But what happens when attackers use valid credentials for database queries that look like legitimate business operations? The five-month gap showed that many organizations lack behavioral analytics to identify subtle data theft patterns.
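The behavioral analytics the article calls for do not need a large platform to get started. The following is an added example, not code from the article or from Prosper: it builds a per-account baseline from constructed database audit log lines (rows returned per query and the hours at which the account normally runs), then scores later queries with a robust z-score based on the median and median absolute deviation, flagging volume outliers, queries at never-before-seen hours, and accounts with no baseline at all. Log format, account names and thresholds are all assumptions.

```python
"""Baseline-and-deviation detection over database audit logs, as an added example.

The log lines are constructed. Rows-per-query are compared against the
account's median using MAD (median absolute deviation), which a handful of
large outliers cannot drag upward the way a mean and standard deviation can.
"""
import re
from collections import defaultdict
from statistics import median

LINE_RX = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T(?P<hour>\d{2}):\d{2}:\d{2}Z) "
    r"account=(?P<acct>\S+) rows=(?P<rows>\d+) table=(?P<table>\S+)$")


def parse(lines):
    """Parse audit lines into event dicts; silently skip lines that do not match."""
    events = []
    for line in lines:
        m = LINE_RX.match(line.strip())
        if m:
            events.append({"ts": m["ts"], "hour": int(m["hour"]),
                           "acct": m["acct"], "rows": int(m["rows"]),
                           "table": m["table"]})
    return events


def build_baseline(events):
    """Per account: median rows/query, MAD, and the set of hours seen."""
    rows_by_acct = defaultdict(list)
    hours_by_acct = defaultdict(set)
    for e in events:
        rows_by_acct[e["acct"]].append(e["rows"])
        hours_by_acct[e["acct"]].add(e["hour"])
    baseline = {}
    for acct, rows in rows_by_acct.items():
        med = median(rows)
        mad = median(abs(r - med) for r in rows) or 1.0   # guard a zero MAD
        baseline[acct] = {"median": med, "mad": mad, "hours": hours_by_acct[acct]}
    return baseline


def detect(events, baseline, k=6.0):
    """Return (timestamp, account, reason) alerts for deviations from baseline."""
    alerts = []
    for e in events:
        b = baseline.get(e["acct"])
        if b is None:
            alerts.append((e["ts"], e["acct"], "no baseline for account"))
            continue
        # 1.4826 scales MAD to a standard-deviation equivalent for normal data.
        score = (e["rows"] - b["median"]) / (1.4826 * b["mad"])
        if score > k:
            alerts.append((e["ts"], e["acct"],
                           f"rows {e['rows']} is {score:.0f} MAD above baseline"))
        if e["hour"] not in b["hours"]:
            alerts.append((e["ts"], e["acct"],
                           f"query at hour {e['hour']:02d} outside baseline hours"))
    return alerts


# Constructed baseline window: a reporting service running business-hours queries.
BASELINE_LOG = [
    "2025-05-05T09:15:00Z account=svc-reporting rows=1200 table=borrowers",
    "2025-05-06T10:05:00Z account=svc-reporting rows=1350 table=borrowers",
    "2025-05-07T14:20:00Z account=svc-reporting rows=1180 table=borrowers",
    "2025-05-08T15:40:00Z account=svc-reporting rows=1400 table=borrowers",
    "2025-05-09T16:10:00Z account=svc-reporting rows=1250 table=borrowers",
]

# Constructed detection window: same account, modest extra volume, odd hours.
DETECTION_LOG = [
    "2025-06-12T09:30:00Z account=svc-reporting rows=1300 table=borrowers",
    "2025-06-12T02:10:00Z account=svc-reporting rows=2100 table=borrowers",
    "2025-06-13T03:05:00Z account=svc-reporting rows=2400 table=borrowers",
    "2025-06-13T11:00:00Z account=analyst-temp rows=500 table=borrowers",
]


def run_detection():
    return detect(parse(DETECTION_LOG), build_baseline(parse(BASELINE_LOG)))


if __name__ == "__main__":
    for ts, acct, reason in run_detection():
        print(f"{ts} {acct}: {reason}")
```

The instructive part is how small the anomalies are: the off-hours queries return under twice the usual row count, which a fixed "more than 100,000 rows" threshold would never see, yet they sit far outside the account's own spread. Baselines should be rebuilt on a rolling window and reviewed when they shift, since a patient attacker can otherwise train the baseline upward.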

The Forever Impact: How 2025 Changed Everything

Five critical themes emerged from these breaches:

AI Became Autonomous: AI moved from assisting hackers to conducting attacks independently. Claude Code executed reconnaissance, wrote exploits, harvested credentials, and stole data while making tactical decisions at machine speed. By 2025, 82.6% of phishing emails used AI, with 60% success rates. Organizations using AI-powered security detected threats 60% faster and saved $2.2 million on average.

SaaS Supply Chains Are Critical Infrastructure: The Salesforce breach proved that third-party integrations create systemic risk. OAuth token compromise emerged as a dangerous attack vector. Organizations discovered their SaaS security is only as strong as their weakest integration partner.

Social Engineering Still Wins: M&S, JLR, and PowerSchool all started with social engineering, not technical exploits. Attackers impersonated IT staff to trick help desk workers. AI now creates perfectly personalized phishing at scale. Deepfake technology enables impersonation of executives. Technical controls alone fail against adversaries who exploit trust.

State-Sponsored Activity Intensified: Chinese APT groups systematically exploited zero-days against government agencies, telecom providers, and nuclear facilities. The SK Telecom breach stayed hidden for three years. North Korean groups stole $1.447 billion in the Bybit attack. Compromising the U.S. National Nuclear Security Administration crossed previous cyber espionage boundaries.

Infostealer Malware Creates Delayed Mass Exposure: The 16 billion credential leak showed the long-term threat. Malware quietly harvests credentials for years. Victims never know their devices were compromised until credentials appear in breach notifications. Even organizations never directly breached found employee credentials exposed from infected home computers.

What You Need to Know

The attacks of 2025 are the new baseline, not exceptions. AI-powered autonomous attacks, supply chain compromises hitting thousands of organizations, nation-states targeting critical infrastructure, and credential exposures affecting billions became normal.

Cybersecurity is no longer a periodic investment or compliance checkbox. These breaches proved security must be continuous, adaptive, and integrated into every business decision. Organizations that viewed cybersecurity as an IT problem learned it’s a business resilience issue requiring board-level attention.

The hackers of 2025 rewrote the rules. Organizations need to adapt fast or become next year’s case studies.
