February has brought a wave of cybersecurity incidents, from record-breaking crypto heists to new malware campaigns and major law enforcement takedowns.
With cybercriminals refining their tactics and security researchers uncovering hidden threats, organizations are facing new challenges in defending against espionage, fraud, and infrastructure attacks.
Here are some of the biggest developments from this month:
Cybercrime Breaking News
- A massive $1.5 billion cryptocurrency heist – who was behind the Bybit exchange hack?
- Microsoft issues a critical warning on ASP.NET machine key exploits – are developers unknowingly exposing their systems?
- A new phishing campaign is targeting industrial organizations across the Asia-Pacific – how are hackers deploying FatalRAT malware?
Cybersecurity Justice & Regulation
- A major ransomware group’s leak site is taken down – what does this mean for 8Base and its victims?
- Dutch police seize 127 servers tied to a notorious bulletproof hosting provider – who was enabling cybercriminals?
- A U.S. citizen pleads guilty to running a North Korean IT fraud scheme – how did they help funnel millions into the regime?
From billion-dollar cybercrimes to regulatory crackdowns, February has been a defining month in cybersecurity.
Read on for a full breakdown of the most pressing developments.
Cybercrime Breaking News
Researchers found that about 150 abandoned AWS S3 buckets, previously used by governments, businesses, and infrastructure projects, were still receiving millions of requests, posing serious security risks. Attackers could potentially hijack these requests to distribute malicious updates, compromising entire networks through overlooked cloud storage vulnerabilities.
Microsoft Threat Intelligence has warned of code injection attacks leveraging publicly available ASP.NET machine keys, which could allow threat actors to deploy malware on target servers. Researchers identified over 3,000 exposed keys in public repositories and documentation, urging developers to avoid using publicly available keys and to rotate them regularly to mitigate security risks.
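Microsoft's advice in the item above comes down to two checks: is a hard-coded key one that has been published somewhere, and has it been rotated? As an added illustration, not code from the page or from Microsoft, the Python below scans a web.config for a hard-coded <machineKey>, flags values that appear in a known-public-key set, and replaces them with freshly generated keys of the sizes the IIS generator uses; the sample web.config and the known-key set are constructed placeholders.

```python
import re
import secrets
import xml.etree.ElementTree as ET
# Constructed placeholder set standing in for keys found in public docs and
# repos (the real list is not on this page); stored uppercase for comparison.
KNOWN_PUBLIC_KEYS = {"0123456789ABCDEF" * 8, "FEDCBA9876543210" * 4}
# Hex lengths the IIS generator uses: HMACSHA256 (64 bytes), AES-256 (32 bytes).
EXPECTED_HEX_LEN = {"validationKey": 128, "decryptionKey": 64}
# Constructed sample web.config that hard-codes both placeholder keys.
SAMPLE_WEB_CONFIG = (
    '<configuration><system.web><machineKey validationKey="%s" decryptionKey="%s" '
    'validation="HMACSHA256" decryption="AES"/></system.web></configuration>'
    % ("0123456789ABCDEF" * 8, "FEDCBA9876543210" * 4)
)

def machine_key_findings(web_config_xml):
    """Report hard-coded machineKey values that are public, malformed or too short."""
    mk = ET.fromstring(web_config_xml).find(".//machineKey")
    if mk is None:
        return []  # no explicit keys: ASP.NET auto-generates them
    findings = []
    for attr, expected_len in EXPECTED_HEX_LEN.items():
        value = mk.get(attr, "")
        if value.lower().startswith("autogenerate"):
            continue  # "AutoGenerate,IsolateApps" is the safe default
        if value.upper() in KNOWN_PUBLIC_KEYS:
            findings.append(f"{attr}: publicly known key, rotate it")
        elif not re.fullmatch(r"[0-9A-Fa-f]+", value):
            findings.append(f"{attr}: not a hex key")
        elif len(value) < expected_len:
            findings.append(f"{attr}: only {len(value)} hex chars, expected {expected_len}")
    return findings

def fresh_machine_key():
    """New random keys of the sizes the IIS generator produces."""
    return {"validationKey": secrets.token_hex(64).upper(),
            "decryptionKey": secrets.token_hex(32).upper()}

def rotated_config(web_config_xml):
    """Return the config with a freshly generated <machineKey>, adding one if absent."""
    root = ET.fromstring(web_config_xml)
    mk = root.find(".//machineKey")
    if mk is None:
        parent = next(root.iter("system.web"), None)
        if parent is None:
            parent = ET.SubElement(root, "system.web")
        mk = ET.SubElement(parent, "machineKey")
    mk.attrib.update(fresh_machine_key(), validation="HMACSHA256", decryption="AES")
    return ET.tostring(root, encoding="unicode")
```

Rotating the key invalidates existing forms-authentication tickets and view state, so roll it out across all servers in a web farm at once.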
Microsoft Threat Intelligence has identified a new variant of the XCSSET macOS malware that infects Xcode projects to steal cryptocurrency and sensitive data while evading detection.
The FBI and CISA have issued a warning about renewed activity from the Ghost (Cring) ransomware group, which has been exploiting unpatched vulnerabilities in widely used software and firmware as recently as January. The China-based group has compromised organizations in over 70 countries by targeting outdated security appliances, web application servers, and Microsoft Exchange systems left vulnerable to known exploits.
Cisco Talos researchers have linked China-affiliated Salt Typhoon to a long-running cyber espionage campaign targeting U.S. telecommunications providers, using a custom-built tool called JumbledPath to exfiltrate encrypted data and manipulate network settings. The group gained persistent access for over three years in some cases, primarily through stolen login credentials, rather than exploiting new vulnerabilities in Cisco devices.
Researchers have uncovered a phishing campaign targeting industrial organizations across the Asia-Pacific region, using Chinese cloud services like myqcloud and Youdao Cloud Notes to distribute the FatalRAT malware, with a focus on government agencies and industries such as manufacturing, telecommunications, and energy.
Cybersecurity researchers have identified an ongoing campaign, dubbed GitVenom, in which threat actors use fake open-source projects on GitHub to steal personal and financial data from gamers and cryptocurrency investors, facilitating the theft of approximately 5 bitcoins – worth around $456,600.
Hackers are hijacking YouTube accounts to impersonate professional Counter-Strike 2 players during major e-sports tournaments, using fake livestreams to lure fans into cryptocurrency and in-game item theft scams.
The Black Basta ransomware group has suffered a major leak of internal chat logs, potentially exposing key details about its operations and members after allegedly targeting Russian banks.
Lee Enterprises has disclosed in a regulatory filing that a cyber attack has disrupted its operations for weeks, encrypting critical applications and stealing files. The incident has caused delays in print distribution, billing, collections, and vendor payments.
Grubhub disclosed a data breach linked to a third-party contractor, exposing customer names, contact details, partial payment card data, and some hashed passwords.
Cyberwar between Russia and Ukraine: Updates
Google’s security team has discovered that Russian state-backed hackers are targeting Signal accounts used by Ukrainian military personnel and government officials, exploiting the app’s “linked devices” feature to intercept sensitive communications. By tricking victims into scanning malicious QR codes, attackers gain real-time access to their messages, a tactic that researchers warn could soon be used against broader targets beyond Ukraine.
A hacking group suspected of having ties to Belarusian state intelligence has been linked to an ongoing cyber espionage campaign targeting Ukrainian military and government entities, as well as Belarusian opposition activists. Researchers believe the operation, attributed to the long-running GhostWriter campaign, uses phishing documents disguised as anti-corruption initiatives and political prisoner lists to distribute malware, possibly in response to Belarus’s recent presidential election.
A ransomware attack using a LockBit variant disrupted operations at Siberia’s largest dairy plant, with hackers reportedly spreading the malware via remote access software and printing anti-war messages across company systems.
Cybersecurity and AI
Experts warn that the Department of Government Efficiency (DOGE), led by Elon Musk, may already have access to sensitive IRS and Social Security data, raising concerns over potential breaches, misuse, and declining public trust in tax privacy. A lawsuit has been filed to block DOGE from accessing IRS records, as reports suggest the agency has also begun feeding federal data into AI systems for investigative purposes.
Microsoft has identified six developers, including two U.S.-based individuals, who allegedly modified generative AI tools to create and distribute harmful content such as celebrity deep fakes. The company has taken legal action to disrupt their operations, seizing a key website linked to the scheme, and reported that the unsealing of court filings has already caused internal disputes among the accused cybercriminals. According to an amended complaint, Microsoft tracks the four international developers as part of the global cybercrime network Storm-2139, which exploited leaked customer credentials to access AI services, manipulate their capabilities, and resell them to malicious actors with detailed instructions for bypassing security safeguards.
Researchers uncovered two malicious packages on the Python Package Index (PyPI) mimicking DeepSeek developer tools, designed to steal sensitive data such as API keys, database credentials, and system information. Additionally, a security assessment of the DeepSeek iOS app revealed critical security vulnerabilities, including unencrypted data transmission, insecure data storage, and extensive data collection sent to servers in China, leading to bans in countries like Taiwan and South Korea in February 2025.
Cybersecurity Justice
Law enforcement agencies took down the 8Base ransomware group’s leak site and arrested four individuals as part of a coordinated international operation. The takedown, supported by Europol and multiple national agencies, also led to the dismantling of 27 servers linked to the group, which had targeted organizations across Europe and beyond, and had ties to the Phobos ransomware operation. As part of the broader crackdown, two additional arrests were made in connection with Phobos ransomware attacks that targeted over 1,000 organizations, including hospitals, healthcare providers, and colleges.
Dutch police have seized 127 servers linked to Zservers, a bulletproof hosting provider accused of facilitating ransomware attacks, including operations tied to LockBit and Conti. The raid followed an international sanctions announcement by the U.S., U.K., and Australia, which designated Zservers and two Russian administrators for enabling cybercriminals to evade law enforcement.
Spanish authorities have arrested a hacker accused of breaching systems belonging to NATO, the U.S. Army, and several Spanish government institutions, allegedly carrying out over 40 cyber attacks. The suspect, who boasted about the attacks on dark web forums, was found in possession of multiple computers and over 50 cryptocurrency accounts, with officials now analyzing seized equipment.
A U.S. citizen has pleaded guilty to running a laptop farm that helped North Korean IT workers pose as U.S.-based employees, allowing them to secure jobs at over 300 American companies. The scheme generated more than $17 million, much of which was funneled back to North Korea, with stolen identities used to deceive employers and U.S. agencies.
Apple has announced the removal of its Advanced Data Protection (ADP) feature for UK users after refusing a government request for access to encrypted iCloud data, sparking concerns over user privacy and potential global implications.
Warby Parker has been fined $1.5 million by the U.S. Department of Health and Human Services for failing to protect customer health data after a 2018 credential stuffing attack compromised nearly 200,000 accounts.
FinTech Updates
Bybit, a Dubai-based cryptocurrency exchange, suffered a $1.5 billion Ethereum heist after hackers exploited a transaction moving funds from a cold wallet to an online wallet. Blockchain analysts have attributed the attack to North Korea’s Lazarus Group, citing strong overlaps with previous thefts and evidence of the stolen funds being laundered through decentralized exchanges. The FBI has since issued an alert, urging crypto exchanges, DeFi services, and blockchain operators to block transactions linked to the stolen assets, warning that the hackers have already laundered about $400 million.
A Russian operator of the defunct BTC-e cryptocurrency exchange has reportedly been released from U.S. custody as part of a prisoner swap for an American school teacher. The operator, who pleaded guilty to conspiracy to commit money laundering, was accused of facilitating $4 billion in illicit transactions, including proceeds from ransomware attacks and other cybercrimes.
A Canadian hacker has been indicted in the U.S. for exploiting weaknesses in two decentralized finance platforms, stealing nearly $65 million between 2021 and 2023. Prosecutors say he manipulated smart contracts, moved the stolen funds through complex transactions to hide their origin, and even tried to pressure one platform into handing over control in exchange for partial repayment.
Researchers have identified a new scam technique called VidSpam, where cybercriminals use video-based MMS messages to promote Bitcoin investment fraud.
Cybersecurity News Across The Globe
- Italy has launched an investigation into the use of Paragon Solutions’ spyware, which targeted journalists, activists, and at least seven individuals in the country, along with victims across several European nations via WhatsApp. The spyware, capable of infecting devices without user interaction, was reportedly used in a broader surveillance campaign, raising concerns about potential misuse by government agencies.
- The Reserve Bank of India (RBI) is launching an exclusive “bank.in” domain for banks and a “fin.in” domain for non-bank financial entities to enhance cybersecurity and protect digital financial transactions from fraud, with registrations beginning in April 2025.
- Thailand has cut off electricity to several areas in Myanmar known as hubs for online scam operations, many of which are run by criminal syndicates exploiting trafficked workers. The move follows pressure from China to crack down on scam networks, as authorities attempt to curb cross-border fraud and human trafficking.
- Ecuador’s National Assembly reported two cyber attacks aimed at accessing confidential data, warning citizens and public institutions of ongoing threats to sensitive information.
AMATAS will continue to monitor this space and deliver salient information regularly.
Stay tuned for our next report and if you are interested in any of our privacy and cybersecurity services, please do reach out through our website www.amatas.com or by e-mailing office@amatas.com.
As always – be vigilant, stay alert, and think twice.