Cybersecurity in October unfolded with geopolitical intrigue, record-breaking seizures, and evolving criminal tactics, highlighting how digital crime continues to blur the line between finance, policy, and global security.
From ransomware gangs and espionage clusters to billion-dollar fraud networks, October underscored that no sector – government, finance, or critical infrastructure – is immune.
Cybercrime Breaking News
- A Russian-linked ransomware syndicate escalated its extortion spree against corporate executives worldwide.
- Chinese threat actors launched multi-stage espionage attacks targeting European diplomatic and government networks.
- A major airline and one of Japan’s top manufacturers were crippled by simultaneous ransomware operations.
Cybersecurity Justice & Regulation
- Authorities seized $15 billion in Bitcoin in what U.S. officials call the largest cryptocurrency seizure in history.
- Europol dismantled a sophisticated cybercrime-as-a-service platform that enabled over 49 million fake accounts.
- CISA, NSA, and allied agencies released new joint guidance to harden Microsoft Exchange Servers against active exploitation.
Stay tuned as October’s developments reveal how law enforcement, politics, and cyber innovation are converging in unprecedented ways.
Cybercrime Breaking News
Cybercriminals possibly linked to the Russian-affiliated Clop ransomware gang have launched a large-scale extortion campaign targeting executives, claiming to have stolen sensitive data from Oracle E-Business Suite environments and demanding ransoms, while investigators from Mandiant and Google Threat Intelligence Group track the activity. Regional airline Envoy Air has become the second publicly confirmed victim of this Clop campaign.
China-based hackers tracked as Storm-1849 are scanning and exploiting Cisco ASA firewalls used by governments and large organizations worldwide, targeting the critical vulnerabilities CVE-2025-30333 and CVE-2025-20362, which affect firewall security, VPN web services, and remote access functions.
Chinese-linked hackers are exploiting the open-source Nezha monitoring tool to deploy Gh0st RAT on over 100 servers worldwide, primarily targeting exposed phpMyAdmin systems in East Asia, though some activity may stem from VPS enthusiasts experimenting rather than geopolitical motives.
Researchers warn that the Qilin ransomware gang, active since 2022 and operating as a Ransomware-as-a-Service group, has targeted hundreds of organizations worldwide in 2025, including Japanese beverage giant Asahi, the Texas city of Sugar Land, a North Carolina county government, and multiple Texas power companies. The group continues to publish stolen data at a rate of over 40 victims per month, with the manufacturing, professional services, and wholesale trade sectors most affected.
Microsoft says threat actors tracked as Storm-1175 have been exploiting a critical GoAnywhere MFT deserialization flaw (CVE-2025-10035) to gain initial access and deploy the Medusa ransomware, prompting Fortra and CISA advisories and urgent patching recommendations. After exploiting the bug, the attackers abused RMM tools (SimpleHelp, MeshAgent) and used Rclone and lateral-movement techniques to maintain persistence and exfiltrate data, with Medusa observed deployed in at least one compromised environment.
CISA has issued an emergency directive after a nation-state actor accessed F5 source code and vulnerability data, posing a serious threat to federal networks and requiring agencies to update affected systems immediately.
Microsoft has uncovered a “payroll pirate” campaign in which hackers, tracked as Storm-2657, are diverting university employees’ salary payments to attacker-controlled accounts.
North Korea’s Lazarus hacking group has targeted at least three European drone and military equipment manufacturers with ScoringMathTea malware.
A China-linked hacking group known as UNC6384 has launched a new wave of cyber attacks against European diplomatic and government entities, exploiting an unpatched Windows shortcut vulnerability (CVE-2025-9491) to deploy the PlugX malware through phishing emails themed around European Commission and NATO meetings.
- The cyber attack that halted Jaguar Land Rover’s global production last month is estimated to have cost the UK economy $2.5 billion, affecting the company, over 5,000 suppliers, and downstream organizations. JLR has now begun a phased restart of its manufacturing operations to resume engine and vehicle production.
- Discord confirmed that about 70,000 users had government ID photos exposed after hackers breached a third-party customer service provider. The stolen data also included names, emails, IP addresses, billing details, and messages exchanged with support teams, though Discord said its own systems were not directly compromised.
- A 13TB unencrypted database containing roughly 40 billion records from Netcore Cloud’s email marketing platform was discovered by a cybersecurity researcher and secured the same day.
- Spanish retailer Mango reported that a data breach at one of its external marketing service providers exposed limited customer information.
Cybersecurity and AI
Spanish authorities dismantled an AI-driven phishing network run by Brazilian developer “GoogleXcoder,” who sold ready-made kits to steal banking credentials, leading to millions of euros in losses since 2023 and prompting his arrest in Cantabria as investigators continue identifying accomplices.
Cybersecurity Justice
U.S. and French authorities seized the BreachForums domain just hours before the Scattered Spider group threatened to leak data stolen from Salesforce. The hackers claim to have breached the systems of 39 Salesforce clients and plan to publish the stolen data despite the takedown.
Europol has dismantled a major cybercrime-as-a-service network in Operation SIMCARTEL, arresting seven suspects and seizing 1,200 SIM boxes with 40,000 active SIM cards used to enable global phishing, fraud, and identity crimes through over 49 million fake online accounts.
U.S. and U.K. authorities have carried out a landmark operation against the Prince Group, a Cambodian conglomerate accused of running a massive transnational cyber-enabled investment fraud and forced-labor network, seizing over $15 billion in Bitcoin – the largest cryptocurrency seizure in U.S. history – and sanctioning 146 individuals and entities, while the U.K. froze assets including a £12 million mansion and a £100 million office building linked to the syndicate.
More than 70 countries, including the U.K., EU members, China, and Russia, signed the new U.N. Convention against Cybercrime to improve global cooperation on digital crime, but the U.S. declined to join, saying it is still reviewing the treaty.
CISA and NSA, joined by cybersecurity agencies from Australia and Canada, have issued new guidance to secure on-premises Microsoft Exchange Servers against ongoing exploitation, urging organizations to adopt zero-trust principles, restrict admin access, and migrate end-of-life systems.
The UK’s Capita was fined a record £14 million after a 2023 ransomware attack exposed personal and financial data of 6.6 million people due to widespread security failings, including delayed threat response and understaffed monitoring systems.
The Medical Specialist Group in Guernsey has been fined £100,000 after a data breach exposed sensitive patient information.
A U.S. court has permanently barred Israel’s NSO Group from targeting WhatsApp, while reducing its punitive damages to $4 million, a ruling that could threaten the spyware company’s operations.
A former U.S. defense contractor executive pleaded guilty to stealing national-security software and selling sensitive cyber-exploit components to a Russian cyber-tools broker, compromising U.S. trade secrets and causing over $35 million in losses.
A Ukrainian national extradited from Ireland appeared in a U.S. court facing charges for allegedly deploying Conti ransomware, which targeted over 1,000 victims worldwide and extorted at least $150 million.
Russian authorities have arrested three suspected developers of Meduza Stealer malware, accused of creating and selling software designed to steal login credentials, cryptocurrency wallets, and other sensitive data.
FinTech Updates
Former Binance CEO Changpeng Zhao, who pleaded guilty in 2023 to failing to prevent the platform’s cryptocurrency from being used in ransomware, darknet, and other cybercrime transactions, has been pardoned by President Donald Trump.
Researchers warn of Herodotus, a new Android banking trojan observed in Italy and Brazil that takes full control of devices to intercept SMS, display fake banking overlays, and steal funds and credentials, and that even mimics human typing (0.3–3s pauses between keystrokes) to evade behavior-based detection.
North Korean hackers linked to UNC5342 are using public blockchains to hide malware and steal cryptocurrency, marking the first known instance of a nation-state adopting the EtherHiding technique.
Cybersecurity News Across The Globe
- Japanese brewing giant Asahi has suffered a cyber attack that has halted ordering, shipping, and customer service operations in Japan, causing widespread product shortages, while its European operations remain unaffected.
AMATAS will continue to monitor this space and deliver salient information regularly.
Stay tuned for our next report and if you are interested in any of our privacy and cybersecurity services, please do reach out through our website www.amatas.com or by e-mailing office@amatas.com.
As always – be vigilant, stay alert, and think twice.