In 2025, threat actors have once again kept cyber professionals on their toes in an endless game of cat and mouse.
But amid the noise, there have been some notable stories and incidents involving big names in the UK – such as Marks & Spencer, Co-op and Jaguar Land Rover – meaning 2025 is sure to be a year to remember.
Here are the top cybercrime stories of 2025, according to Computer Weekly.
At the beginning of the year, setting out what became the dominant theme of 2025 – threat actors' use of artificial intelligence (AI) models – Google Threat Intelligence Team (GTIG) released new information showing how nation-state-backed threat actors from countries such as China, Iran, North Korea and Russia have attempted to abuse its Gemini artificial intelligence tool.
GTIG said it has observed attackers using Gemini to support various stages of their attack chains, including acquiring infrastructure and bulletproof hosting services, target reconnaissance, vulnerability research, payload development, and assistance with malicious scripts and post-compromise evasion techniques.
At the end of March, the UK Information Commissioner's Office (ICO) issued a fine of £3.07 million to Advanced Computer Software Group, subsequently renamed OneAdvanced, in relation to the LockBit ransomware attack in 2022, which crippled NHS services when the victim was forced to take down a key patient management platform.
In a warning to others, the regulator found that healthcare subsidiary OneAdvanced did not have adequate technical and organizational controls in place to ensure the security of its systems, and highlighted gaps in multi-factor authentication (MFA), vulnerability scanning and patch management.
In April, just before the Easter weekend, one of the biggest cyber attacks of the year occurred against high street stalwart Marks and Spencer (M&S). In the first incident, the retailer was forced to shut down several public services, including online shopping, click and collect and contactless payments.
A few days later, a second cyber attack affecting the Co-op Group attracted more attention, and it soon emerged that the attacks were not the work of professional Russian hackers, but of an English-speaking hacking collective known as Scattered Spider.
By midsummer, the Scattered Spider attacks spread quickly. At the same time, members of the hacker gang switched their attention to other industries – first to the insurance sector, and then to aviation.
Almost immediately after Mandiant threat researchers issued an alert on June 27, several airlines reported cyber incidents, and others followed.
On July 10, the UK National Crime Agency (NCA) announced the arrest of four people in its investigation into the M&S and Co-op attacks.
The arrests of two men aged 19, a third aged 17 and a 20-year-old woman were made at their home addresses in London, Staffordshire and the West Midlands with support from the West Midlands Regional Organized Crime Unit (Rocu) and the East Midlands Special Operations Unit.
In August, a series of attacks by the hacker collective ShinyHunters, organized using Salesforce products, gained worldwide attention as Adidas; LVMH brands Dior, Louis Vuitton and Tiffany & Co; jewelry company Pandora; insurance companies such as Allianz; and airlines such as Qantas and Air France-KLM were implicated.
Researchers looking into the issue have found evidence suggesting a deliberate partnership between ShinyHunters and Scattered Spider, who were previously linked to a wider cybercriminal network known as The Com.
At the beginning of September, British automaker Jaguar Land Rover (JLR) became the latest organization to fall victim to a major cyber attack, and once again hackers were believed to be responsible for an incident that hit the company's production.
In the days and weeks that followed, the scope of the cyber attack began to expand to include many of JLR's suppliers as the firm was forced to repeatedly delay the launch of its production lines.
Since the summer, several organizations, including many prominent universities and media outlets in the US, and possibly some NHS bodies, have been targeted by the Cl0p cyber ransomware gang after its members successfully exploited a vulnerability in Oracle E-Business Suite (EBS).
In October, Oracle responded with an out-of-band patch to address a remote code execution (RCE) vulnerability in the widespread EBS ecosystem—the product is deeply embedded in enterprise financial and operating systems, meaning Cl0p could have had access to a large number of extremely high-value targets.
As the fallout from the JLR incident continued throughout the fall, and the economic impact expanded to include a reduction in UK gross domestic product (GDP), the Cyber Monitoring Center (CMC), a non-profit cybersecurity organization, declared the incident a Category 3 system event on the hurricane scale.
Taking various factors into account, the CMC said the financial cost of the incident was likely to be around £1.9 billion, with the potential to be even higher, and called it the most destructive cyber attack to ever hit the UK.
However, there was good news for (some) hackers at the end of 2025, as the long battle to reform the outdated Computer Misuse Act (CMA) of 1990 took a step forward when it was announced that the government was planning changes that would protect ethical hackers from prosecution by giving them statutory protection.
The CMA, while successfully used to prosecute cybercriminals, also risked criminalizing ethical hackers and security researchers for doing their jobs through the specific offense of “unauthorized computer access.” Campaigners say changing the law will boost the UK's security industry.




