Cybersecurity News May 2025 – Threats, Trends & Insights

May brought a relentless wave of cybersecurity threats, shaking industries across the board – from retail giants and airlines to government agencies and critical infrastructure operators.

With threat actors evolving and critical systems growing more exposed, organizations worldwide are facing growing pressure to stay one step ahead.

Cybercrime Breaking News

  • Three of the U.K.’s biggest retailers are hit by cyber attacks – but one group’s tactics are raising red flags in the U.S.
  • A sophisticated Chinese malware campaign uses Google Calendar and fake images to breach global government networks.
  • CISA issues an urgent warning as cyber actors target U.S. oil and gas infrastructure, putting physical systems at risk.

Cybersecurity Justice & Regulation

  • International police dismantle 300 ransomware servers in a sweeping operation, indicting dozens.
  • A U.S. federal jury orders a major spyware developer to pay millions after a years-long legal battle over surveillance abuse.
  • The EU launches a new vulnerability database to speed up coordinated cyber risk response across member states.

As cybercrime blurs the lines between statecraft, sabotage, and financial gain, this month’s developments offer a sobering reminder: the threat landscape is not only expanding – it’s accelerating.

Cybercrime Breaking News

Luxury retailer Harrods confirmed an attempted breach of its systems, becoming the third major U.K. brand in two weeks to report a cybersecurity incident. The announcement follows more disruptive attacks on Marks & Spencer (M&S), which suspended online orders, and on the Co-op, which temporarily shut down parts of its IT systems.

  • M&S has since confirmed that customer data (including names, contact details, and addresses) was stolen in the attack, though no payment details or passwords were compromised. The company is reportedly preparing an insurance claim of up to £100 million to cover operational losses, with estimates suggesting the cyber attack may have already cost M&S over £60 million in lost online sales. M&S said the disruption will continue into July and expects its annual profits to be reduced by around £300 million due to the attack.
  • Google warned that the same hacking group suspected in these UK retail attacks has shifted its focus to the U.S., targeting American retailers through ransomware and extortion campaigns linked to the group known as Scattered Spider. While the group is a key part of the UK National Crime Agency’s investigation, officials stress they are pursuing multiple hypotheses and have not confirmed definitive attribution.

The UK Ministry of Justice has confirmed that hackers accessed and downloaded sensitive data belonging to anyone who applied for legal aid in England and Wales since 2010, which may be one of the most severe breaches ever to impact the British justice system. The attackers claim to have data on over 2 million people, including details such as addresses, criminal histories, and financial information, and have threatened to publish it online.

Google revealed that Chinese state-sponsored threat actor APT41 used a sophisticated malware dubbed TOUGHPROGRESS (hosted on a compromised government website and leveraging Google Calendar for command-and-control) to target multiple global government entities via spear-phishing campaigns. The malware’s infection chain included fake images concealing encrypted payloads, advanced evasion tactics like process hollowing, and stealth modules that ultimately enabled covert operations across compromised systems.

CISA, alongside the FBI, EPA, and DOE, warned of ongoing cyber attacks targeting operational technology and industrial control systems within the U.S. oil and gas sector, urging critical infrastructure operators to disconnect OT systems from the internet, strengthen passwords, and segment IT and OT networks due to rising threats from unsophisticated yet potentially disruptive actors.

Cisco Talos has linked Chinese-speaking threat actor UAT-6382 to the exploitation of a now-patched RCE vulnerability (CVE-2025-0944) in Trimble Cityworks, targeting U.S. local government networks to deploy Cobalt Strike and VShell via Rust-based TetraLoader malware. Researchers observed the group conducting rapid post-compromise activity, including web shell deployment and reconnaissance, with a clear interest in utility management systems.

The FBI has issued a warning about ongoing social engineering and callback phishing attacks by the extortion group Luna Moth, which has been targeting U.S. law firms since 2022 by impersonating IT staff and tricking employees into granting remote access to steal sensitive data and demand ransom.

A Russia-linked hacking group exploited XSS vulnerabilities in webmail platforms like Roundcube, Zimbra, and MDaemon to target government and defense entities across Eastern Europe, including Ukraine, Bulgaria, and Romania. The campaign, attributed to APT28, aimed to steal credentials and emails using spear phishing messages disguised as news, with similar activity observed in Africa, South America, and other parts of Europe.

Cisco Talos researchers have uncovered a spam campaign targeting Portuguese-speaking users in Brazil with free trial versions of remote monitoring and management (RMM) software, using fake electronic invoice (NF-e) emails to lure victims into downloading malicious installers hosted on Dropbox. The campaign, attributed to an initial access broker, primarily targets C-level, finance, and HR personnel across multiple sectors and abuses tools like N-able RMM, PDQ Connect, and ScreenConnect to gain unauthorized remote access.

Cyberwar between Russia and Ukraine: Updates

The UK and allies have exposed a long-running Russian cyber-espionage campaign, attributed to GRU Unit 26165 (Fancy Bear), targeting organizations involved in supplying aid and logistics to Ukraine, including breaches of around 10,000 internet-connected cameras used to monitor border shipments. According to cybersecurity researchers and national security agencies, the attackers used spear phishing, password guessing, and Outlook vulnerabilities to access corporate networks and industrial systems, posing a serious risk of disruption to critical infrastructure across 12 European countries, the US, and Australia.

Microsoft has uncovered a previously undocumented cluster of malicious cloud-based activity attributed to Void Blizzard, a threat actor conducting cyber espionage operations that have disproportionately targeted NATO member states and Ukraine since at least April 2024. Active across government, defense, healthcare, and NGO sectors in Europe and North America, the group typically uses stolen credentials to infiltrate organizations and exfiltrate large volumes of sensitive data.

Cybersecurity researchers have identified a North Korea-linked hacking group targeting Ukrainian government entities in a new cyber espionage campaign, likely aimed at gathering intelligence on the country’s war strategy and assessing the future of the conflict with Russia. The attackers use phishing emails disguised as political reports to deliver PowerShell-based malware that collects detailed system data from infected hosts.

The pro-Kremlin hacker group Killnet has resurfaced under a new identity, claiming responsibility for a cyber attack on Ukraine’s drone-tracking system, a move analysts believe may be part of a broader Russian information operation. Cybersecurity researchers say the group’s return, coinciding with Russia’s Victory Day, appears more reputation-driven than ideological, with Killnet now resembling a for-hire cybercrime outfit rather than a traditional hacktivist collective.

Cybersecurity and AI

Google’s Mandiant team has uncovered a Vietnam-linked campaign using fake AI video generator websites and social media ads to trick users into downloading malware like STARKVEIL. The scheme, active since mid-2024, has reached millions globally and is designed to steal credentials, credit card data, and cookies via infostealers and backdoors.

Cybersecurity Justice

As part of Operation Endgame, international law enforcement agencies dismantled 300 servers and 650 domains linked to ransomware infrastructure, seized $3.5 million, and issued arrest warrants for 20 individuals believed to be enabling major ransomware attacks. U.S. prosecutors also charged 16 people tied to DanaBot malware, while Europol confirmed several strains including Trickbot and Qakbot were “neutralized” in this global crackdown on cybercriminal entry points. Four domains linked to a crypting syndicate that helped cybercriminals keep malware undetected have also been seized, as part of Operation Endgame’s global crackdown on cybercrime infrastructure.

Authorities in the U.S., EU, and Japan partnered with Microsoft to dismantle the infrastructure of Lumma Stealer, a popular malware that steals sensitive data like passwords, bank credentials, and crypto wallets from over 10 million infected devices. The FBI estimates $36.5 million in credit card theft losses in 2023 alone, while Microsoft seized over 2,300 domains to sever Lumma’s communication with victims and disrupt its criminal marketplace.

Polish authorities have arrested four individuals aged 19 to 22 for allegedly operating six DDoS-for-hire platforms that enabled thousands of attacks on schools, businesses, government services, and gaming platforms since 2022. The arrests, part of Europol and FBI-led Operation PowerOFF, follow a broader international crackdown that also saw the U.S. seize nine related domains and law enforcement in the Netherlands and Germany contribute critical intelligence.

U.S. prosecutors have charged four foreign nationals in connection with the dismantling of the Anyproxy and 5socks botnets, which relied on malware-infected routers to sell proxy access for profit over two decades. Authorities say the botnets generated over $46 million in revenue and were disrupted as part of Operation Moonlander, with domain seizures and international law enforcement support.

A coordinated international operation led by Europol and U.S. authorities resulted in the arrest of 270 individuals linked to dark web drug trafficking and the seizure of over $200 million, large quantities of narcotics, and 180 firearms. Dubbed Operation RapTor, the effort follows major dark web marketplace takedowns and highlights the growing ability of law enforcement to dismantle anonymous criminal networks.

The European Union has launched the European Vulnerability Database (EUVD), a new platform designed to aggregate and share cybersecurity vulnerability information across the EU, supporting faster risk mitigation and improved situational awareness.

The U.S. Treasury has sanctioned the Karen National Army (KNA), a Myanmar-based militia group, for its role in facilitating cyber scam operations, human trafficking, and smuggling along the Thai border. The KNA is accused of leasing land in Shwe Kokko to scam syndicates, supplying them with electricity and protection, while profiting from a network of compounds where trafficked workers are forced to conduct online fraud schemes.

  • An Alabama man has been sentenced to 14 months in prison for carrying out a SIM-swap attack that allowed unauthorized access to the SEC’s social media account, resulting in a fraudulent post that briefly spiked bitcoin’s value. The court also ordered the forfeiture of $50,000 and imposed restrictions on future internet use during a three-year supervised release.
  • The U.S. Justice Department has indicted the alleged leader of the Qakbot malware operation, which helped facilitate global ransomware attacks that infected over 700,000 computers and targeted victims across multiple industries. Although the botnet was dismantled in 2023, the group allegedly pivoted to new attack methods and amassed over $24 million in illicit proceeds, now subject to U.S. forfeiture.
  • An Iranian individual has pleaded guilty in the U.S. to participating in a years-long international ransomware and extortion scheme that used the Robbinhood strain to disrupt essential services and extort millions from cities and organizations across the country.
  • A Ukrainian national has been extradited from Spain to face charges in Brooklyn for his alleged role in deploying Nefilim ransomware against major corporations across the U.S. and beyond. Prosecutors say that the scheme targeted companies with over $200 million in revenue, causing millions in damages through extortion, data theft, and encrypted system takeovers.
  • U.S. prosecutors have charged a Yemeni national with allegedly helping to develop and deploy the Black Kingdom ransomware, which infected around 1,500 systems worldwide between 2021 and 2023. Victims in the U.S. included a medical billing company, a ski resort, a school district, and a health clinic, with attackers exploiting Microsoft Exchange vulnerabilities to demand Bitcoin payments.
  • A Kosovo national has been extradited to the U.S. to face charges for allegedly running an illegal online marketplace that sold stolen account credentials, credit card information, and personal data used in tax fraud, identity theft, and other cybercrimes.
  • Moldovan authorities have arrested a foreign national suspected of carrying out ransomware attacks on Dutch companies in 2021, including a major incident linked to DoppelPaymer that disrupted the Netherlands Organization for Scientific Research.

A U.S. federal jury has ordered spyware developer NSO Group to pay nearly $168 million to WhatsApp for exploiting its servers to deploy Pegasus spyware in 2019, targeting over 1,400 users across 51 countries through a zero-click vulnerability. The verdict follows a six-year legal battle revealing the spyware was used against journalists, activists, and dissidents, with the court barring NSO from defending its actions on the grounds of government use.

Ireland’s Data Protection Commission fined TikTok €530 million for violating GDPR by transferring European user data to China without adequate protections and ordered the platform to suspend such transfers within six months or face further enforcement.

FinTech Updates

Decentralized crypto exchange Cetus confirmed a $223 million hack, with investigators suggesting the attacker exploited either a smart contract vulnerability or manipulated token prices, as the company works to recover the funds after pausing $162 million.

Hackers stole over $12 million in cryptocurrency from DeFi platform Cork Protocol during a targeted attack on its wstETH:weETH market.

Hackers breached nearly 5,000 Japanese financial accounts in April, executing nearly $2 billion in unauthorized trades, according to Japan’s Financial Services Agency, which reported a sharp spike in fraudulent activity across nine securities firms.

German authorities have shut down the crypto mixing platform eXch and seized over $38 million in assets, suspecting it played a key role in laundering funds from February’s $1.46 billion Bybit hack. Investigators say the platform processed nearly $1.9 billion in cryptocurrency since 2014 and expect the operation to aid in solving additional cybercrimes.

Coinbase is offering a $20 million reward after rejecting an extortion demand from hackers who stole data on fewer than 1% of its users by bribing overseas support staff. The stolen information included contact details, masked ID numbers, and account data, but no funds, passwords, or crypto wallets were compromised, according to the company. In a filing with regulators, Coinbase confirmed that 69,461 individuals were affected, with exposed data including photos of IDs, Social Security number fragments, bank account numbers, and transaction histories.

The U.S. Treasury sanctioned Philippines-based Funnull Technology Inc. and its Chinese administrator for supporting hundreds of thousands of scam websites behind major cryptocurrency pig butchering frauds. Linked to over $200 million in reported U.S. losses, Funnull acted as an infrastructure provider for cybercriminals, according to the Office of Foreign Assets Control (OFAC) and the FBI.

Twelve more individuals have been charged in a sprawling RICO case tied to a $263 million cryptocurrency theft and laundering scheme that involved social engineering, home break-ins, and extravagant spending on cars, luxury goods, and private jets. According to the Justice Department, the group evolved from online gaming friendships and used stolen databases to identify wealthy targets, posing as security personnel to trick victims into handing over access to crypto wallets.

Cybersecurity News Across The Globe

AMATAS will continue to monitor this space and deliver salient information regularly.

Stay tuned for our next report and if you are interested in any of our privacy and cybersecurity services, please do reach out through our website www.amatas.com or by e-mailing office@amatas.com.

As always – be vigilant, stay alert, and think twice.
