Cybersecurity in November delivered a wave of high-impact incidents, from stealthy government breaches to zero-day exploitation at scale.
As attacks grew more coordinated and more technical, November proved that cybersecurity threats are escalating faster than defenders can adapt.
Cybercrime Breaking News
- A major U.S. government agency faced a targeted intrusion that raised concerns across federal networks.
- Researchers uncovered a sophisticated campaign abusing multiple zero-day flaws in widely deployed enterprise systems.
- A third-party integration used by hundreds of companies triggered emergency security blocks after unusual activity surfaced.
Cybersecurity Justice & Regulation
- An international operation quietly took down several prolific malware and botnet ecosystems.
- Authorities followed a complex crypto trail linked to global online piracy, disrupting a major revenue channel.
- Western governments issued coordinated sanctions against infrastructure providers long tied to cybercriminal groups.
Stay tuned as November’s developments show how cybercrime, regulation, and global security are colliding in new ways.
Cybercrime Breaking News
A suspected nation-state actor breached the U.S. Congressional Budget Office, prompting the agency to quickly contain the intrusion and roll out new monitoring and security controls.
Amazon uncovered a highly sophisticated threat actor abusing zero-day flaws in both Cisco ISE and Citrix systems – deploying custom in‑memory backdoors and exploiting “Citrix Bleed Two” before disclosure.
Salesforce temporarily cut off access to the third-party app Gainsight after detecting unusual activity that may have allowed hackers to access data from 284 organizations, though the issue was linked to the app’s connection and not a Salesforce platform vulnerability.
Logitech reported a data breach via a zero-day in third-party software, with limited employee and customer data taken, but no sensitive information or operational impact.
A sophisticated phishing-as-a-service campaign targeted customers of Italy’s Aruba S.p.A., using multi-stage fake login and payment pages, CAPTCHA evasion, and Telegram bots to steal credentials and credit card details from millions of users.
Russian insurer VSK has suffered a major cyber attack that disrupted its website, mobile app, and IT systems, affecting millions of customers, though the company says no personal data was compromised.
CISA warns that multiple threat actors are using sophisticated social engineering, device-linking tricks, and zero-click exploits to deploy spyware against high-value Signal and WhatsApp users – mainly government, military, and civil society targets across the U.S., Europe, and the Middle East.
Cybersecurity and AI
Researchers disclosed that a Chinese state-sponsored group manipulated Claude into autonomously conducting complex cyber-espionage operations against about 30 global targets, marking what they call the first large-scale AI-orchestrated cyber attack – though experts question the evidence behind the claim.
Researchers at Google’s Threat Intelligence Group say that, for the first time, state-backed hackers are deploying malware that utilizes large language models during execution – with tools such as PROMPTFLUX and PROMPTSTEAL dynamically rewriting their own code or generating commands on the fly to evade detection.
Cybersecurity Justice
Operation Endgame’s latest phase saw international law enforcement dismantle the Rhadamanthys infostealer, VenomRAT Trojan, and Elysium botnet – taking down over 1,025 servers, seizing 20 domains, and arresting a key suspect.
Europol and 15 countries traced $55 million in cryptocurrency linked to 69 digital piracy sites, following the crypto payments made for access to pirated content, then disrupting the associated accounts and cutting off criminal revenue streams.
The U.S. Justice Department announced five guilty pleas and seized over $15 million in cryptocurrency linked to North Korean APT38 hackers and IT worker schemes that defrauded more than 136 U.S. companies and stole the identities of over 18 Americans.
The Treasury Department sanctioned eight individuals and two North Korean entities for laundering earnings from cybercrime and IT worker operations, which fund Pyongyang’s weapons programs and evade international sanctions.
The U.S., U.K., and Australia have sanctioned Russian bulletproof hosting provider Media Land and its affiliates for supporting ransomware gangs, enabling DDoS attacks, and helping cybercriminals evade law enforcement, while also targeting Aeza Group and its front companies for similar activities.
A Russian national has agreed to plead guilty in the U.S. for helping the Yanluowang ransomware gang break into companies, earning over $250,000 as an initial access broker before investigators traced his crypto transactions and linked him to multiple ransomware groups.
Two British teenagers, accused of being part of the Scattered Spider group, pleaded not guilty to cyber attack charges over the 2024 Transport for London hack and additional alleged attacks on U.S. healthcare companies, with their trial set for June 2026.
German authorities arrested a far-right extremist for running a darknet platform that solicited cryptocurrency to fund assassinations of politicians, provided bomb-making instructions, and targeted public figures.
Google filed a lawsuit in New York to dismantle “Lighthouse,” a global phishing-as-a-service operation that deployed smishing attacks and fake websites to steal millions of credit cards, while also advocating for U.S. legislation to curb such transnational cybercrime.
The SEC has dropped its case against SolarWinds and its CISO, ending a years-long legal battle over alleged misleading security disclosures tied to the 2020 supply-chain attack.
FinTech Updates
Hackers exploited a faulty access-control mechanism in Balancer’s long-running V2 Composable Stable Pools, stealing over $100M in crypto and triggering a wave of emergency network halts, recovery actions, and fraud warnings across the wider DeFi ecosystem.
The co-founders of Samourai Wallet, a cryptocurrency mixer that laundered over $237 million in criminal proceeds from darknet markets, drug trafficking, and other illegal activities, were sentenced to four and five years in prison, forfeited $6.3 million in fees, and face supervised release and fines.
European authorities arrested nine people across Cyprus, Spain, and Germany for running a massive network of fake crypto-investment platforms that stole over EUR 600 million from victims through slick websites, cold calls, social-media ads, and celebrity-impersonation scams.
European authorities dismantled a massive fraud ring that used stolen credit card data, shell companies, and even insiders at German payment providers to launder hundreds of millions through fake subscription sites.
The FBI warns that criminals are increasingly impersonating financial institutions to steal credentials and take over accounts, driving over 5,100 complaints and $262M in losses this year.
Cybersecurity News Across The Globe
- Asahi says a ransomware attack disrupted its operations and may have exposed the personal data of about 1.5 million people, though no leaked information has been found, and the company has not paid a ransom.
Want to find out more about:
- GDPR and AI in 2025: What SMEs Need to Know
- From Weeks to Days: Essential Penetration Testing for Faster Results
- Why Security Awareness Programs Fail (and How to Fix Them)
- Boris Goncharov, AMATAS’ CSO, on the Digitalks Podcast
AMATAS will continue to monitor this space and deliver salient information regularly.
Stay tuned for our next report and if you are interested in any of our privacy and cybersecurity services, please do reach out through our website www.amatas.com or by e-mailing office@amatas.com.
As always – be vigilant, stay alert, and think twice.

