Cybersecurity in December brought a wave of high-impact incidents, from state-linked hackers exploiting critical vulnerabilities to massive breaches affecting millions of users worldwide.
From government systems to global fintech platforms, threats escalated in scale and sophistication, reminding organizations that vigilance is more crucial than ever.
Cybercrime Breaking News
- Chinese state-linked groups exploit the React2Shell vulnerability across millions of websites.
- South Korea’s largest retailer suffers a breach exposing tens of millions of customer accounts.
- France’s postal service and its banking arm are disrupted by a major DDoS attack just before Christmas.
Cybersecurity Justice & Regulation
- U.S.-based security professionals plead guilty to deploying ransomware against multiple victims.
- Law enforcement in 19 countries arrests hundreds in a major African cybercrime crackdown.
- The SEC charges multiple crypto firms for defrauding investors of millions.
Explore December’s top cybercrime stories, major justice actions, and key lessons for defending your organization.
Cybercrime Breaking News
Chinese state-linked hackers are actively exploiting the critical React2Shell vulnerability (CVE-2025-55182) in React Server Components, which affects millions of websites and carries a maximum CVSS score of 10, according to Amazon researchers. Security teams warn that multiple China-nexus threat groups rapidly weaponized public exploits following disclosure, prompting urgent calls for organizations to patch affected React and Next.js versions immediately.
CISA, NSA, and Canada’s Cyber Centre warned that Chinese state-sponsored hackers are using BRICKSTORM malware to maintain long-term access to government and IT networks, enabling credential theft, lateral movement, and potential espionage.
U.S. agencies warned that Russian-linked hacktivists (CARR, NoName057(16), and Z-Pentest) are targeting critical infrastructure via exposed VNC connections, causing disruptions in the water, energy, and food sectors. DOJ indictments link the groups to Russian state support, and the FBI’s Operation Red Circus is working to stop them.
Amazon says Russian GRU-linked hackers, known as APT44 or Sandworm, have shifted to exploiting misconfigured customer network edge devices on AWS (rather than novel software vulnerabilities) to target Western energy, telecom, and tech organizations, stealing credentials and establishing persistent access for lateral movement.
South Korea’s largest online retailer, Coupang, confirmed a massive data breach affecting 33.7 million customer accounts (potentially up to 65% of the population), exposing personal data such as names, contact details, addresses, and order histories. However, payment and login information were not compromised. Authorities are investigating a suspected insider attack linked to a former employee, with police seizing data and devices from Coupang’s headquarters.
DXS International, a UK tech provider whose software supports around 10% of NHS referrals, reported a breach of its internal servers on December 14, though clinical services remained operational.
France’s postal service, La Poste, and its banking arm were disrupted by a DDoS attack ahead of Christmas, temporarily affecting online services and slowing parcel deliveries. The pro-Russian hacker group NoName057(16) claimed responsibility, and French authorities have launched an investigation.
Cybersecurity Justice
The U.S. Justice Department charged 54 people for carrying out nationwide ATM “jackpotting” attacks using Ploutus malware, stealing at least $5.4 million by physically installing the malware on ATMs to force them to dispense cash, allegedly as part of the Venezuelan Tren de Aragua gang.
Law enforcement in 19 countries arrested 574 suspects, took down thousands of malicious links, and recovered $3 million in a major African cybercrime crackdown targeting business email compromise, digital extortion, and ransomware.
French authorities arrested a 22-year-old over a hack of the Interior Ministry that accessed several email accounts and dozens of confidential files, including judicial records and wanted-persons files. The attack, under investigation by the Paris Public Prosecutor’s Office, did not involve a ransom demand and carries a potential prison sentence of up to 10 years.
A Maryland man was sentenced to 15 months in prison for enabling North Korean IT workers to impersonate him and secure software jobs at U.S. companies and government agencies, including the FAA, generating nearly $1 million in illicit revenue.
Two U.S.-based cybersecurity professionals pleaded guilty to conspiracy for using their incident response positions to deploy ALPHV/BlackCat ransomware in 2023, extorting victims and earning over $1 million.
Twin brothers from Virginia, former federal contractors, were arrested for allegedly deleting 96 U.S. government databases containing FOIA and sensitive records, stealing data, and attempting to cover their tracks, facing up to 45 years in prison.
A Ukrainian national pleaded guilty to conspiracy to commit computer fraud for his role in deploying Nefilim ransomware against companies in the U.S. and other countries, targeting high-revenue firms and threatening to publish stolen data unless ransoms were paid; he faces up to 10 years in prison and will be sentenced on May 6, 2026.
Nigerian police, acting on tips from Microsoft, the FBI, and the U.S. Secret Service, arrested an alleged developer of the RaccoonO365 phishing kit, used to steal Microsoft credentials via fake login portals and subscription-based phishing campaigns.
Spanish police arrested a 19-year-old man accused of stealing and selling roughly 64 million personal data records from nine companies, allegedly obtained through unauthorized system access and marketed on hacker forums.
FinTech Updates
Hackers breached the network of fintech firm Marquis Software Solutions through a SonicWall firewall vulnerability, exposing the personal and financial data of at least 780,000 people across dozens of U.S. banks and credit unions.
The U.S. Justice Department seized the domain web3adspanels.org and its database, which were used in a bank account takeover scheme that defrauded Americans of millions of dollars by harvesting login credentials via fake bank websites promoted through search engine ads. At least 19 victims, including two Georgia companies, suffered attempted losses of $28 million and confirmed losses of $14.6 million.
European police shut down the Cryptomixer cryptocurrency mixing service, seizing servers, data, and more than $29 million in bitcoin, after determining it had laundered over €1.3 billion in illicit funds for cybercriminals since 2016.
The DOJ seized a Myanmar-based scam website, tickmilleas.com, which impersonated the legitimate forex and commodities trading platform TickMill to defraud victims of cryptocurrency.
The FBI, with German, Finnish, and Michigan authorities, took down the cryptocurrency exchange E-Note, used to launder over $70 million for ransomware groups, and charged a Russian national with money laundering conspiracy carrying up to 20 years in prison.
Russian police dismantled a cybercrime gang that used NFCGate-based malware disguised as bank apps to steal over 200 million rubles from customers by harvesting card data via smartphones.
The SEC sued multiple crypto firms, including Morocoin and Cirkor, for allegedly defrauding investors out of over $14 million through fake WhatsApp investment clubs, deepfake videos, and bogus trading platforms.
Cybersecurity News Across The Globe
- Romania’s national water management agency was hit by a ransomware attack that locked staff out of roughly 1,000 systems using BitLocker, though critical infrastructure like dams and flood defenses remained unaffected.
- Georgia has arrested a former top security official on multiple bribery charges, alleging he accepted payments in exchange for protecting scam call centers that defrauded victims around the world.
- The Chinese cybercrime group Silver Fox is now targeting India with income tax-themed phishing emails that deliver the modular ValleyRAT malware, using DLL hijacking and hollowing techniques to steal credentials and maintain persistent access across Asia-Pacific, Europe, and North America.
Want to find out more about:
- The New Cyber Reality: From New Attack Paths to Continuous Validation
- The Evolution of Pentesting: Why Continuous Testing Is the New Reality
- The Path to CREST Certification and Its Impact on AMATAS’ Penetration Testing
AMATAS will continue to monitor this space and deliver salient information regularly.
Stay tuned for our next report and if you are interested in any of our privacy and cybersecurity services, please do reach out through our website www.amatas.com or by e-mailing office@amatas.com.
As always – be vigilant, stay alert, and think twice.