The Cyber War of 2025: How AI, Zero-Days, and Human Trust Shaped the Year’s Most Dangerous Threats

2025 wasn’t just another year in the long, slow creep of digital insecurity. It was a shift. A turning point. The kind of year where the line between what we thought was safe and what was actually vulnerable started to blur in ways we didn’t expect.

Cyber threats didn’t just get smarter—they started to think. They began to exploit the very things we rely on: AI tools, the trust we place in software, the way we interact with systems, and the fragile assumption that if something looks official, it must be real. It wasn’t just about stealing data anymore. It was about manipulating systems, breaking trust, and turning everyday actions into entry points for chaos.

Look. The world didn’t just get hacked. It got manipulated. And it wasn’t always through brute force or flashy malware. Sometimes, it was just a fake error message, a deepfake call, or a prompt that slipped into an AI chat and changed everything.

The PornHub Breach: A New Kind of Extortion

Let’s talk about the ShinyHunters group and their attack on PornHub. They didn’t go after credit cards or login passwords. They went after behavior. They infiltrated the platform through a third-party analytics tool, Mixpanel, and pulled over 200 million records—94 gigabytes worth of data detailing users’ viewing habits, search history, download patterns.

They didn’t sell it. They threatened to release it. Publicly. If you didn’t pay up.

Now, no financial data was exposed. But what about the reputation? What about the shame? What about the fact that someone could now know exactly what you watched, when, and how often? That’s not just privacy—it’s a personal attack. And it’s something we’ve seen before—like Ashley Madison, where leaked relationship data led to real-world tragedies. People died. People were shamed. This time, the weapon isn’t just data. It’s identity. And it’s weaponized with chilling precision.

ClickFix: The Social Engineering That Got Smarter

ClickFix wasn’t just a malware campaign. It evolved. It became a full-blown social engineering operation. You’d see a pop-up—something like “Windows Update failed” or a fake CAPTCHA challenge—and you’d think, Oh, that’s not right, but I’ll just click it to fix it.

And then, before you knew it, you’d run a PowerShell command or a shell script that installed infostealers, remote access tools, or even backdoors. The worst part? It wasn’t just for Windows. Variants hit macOS and Linux too. One APT36 campaign specifically targeted Linux users.

Then came ConsentFix—a new twist that exploited Microsoft’s Azure CLI OAuth flow. Just by clicking “allow,” users gave up access tokens. And FileFix? It used Windows File Explorer’s address bar to trick you into running harmful commands.

And now there’s ErrTraffic—a paid platform that lets anyone buy these attacks. No technical skills needed. Just a few clicks. It’s like buying a phishing kit from a marketplace. And it’s getting more common.

The $1.5 Billion ByBit Heist: A Cold Wallet Catastrophe

February 2025 hit hard. A $1.5 billion theft from ByBit’s cold wallet. Confirmed by the FBI. Carried out by North Korea’s Lazarus Group. How? They got inside a developer machine used to manage the wallet. Once inside, they manipulated transaction approvals—no alarms, no alerts, just a quiet drain.

It wasn’t an isolated incident. Phemex lost $85 million. Cetus Protocol? $223 million. Trust Wallet users lost $7 million across thousands of accounts. And in a separate twist, pro-Israel hackers breached Iran’s Nobitex exchange and burned $90 million in crypto.

This isn’t just about money. It’s about the assumption that cold wallets are safe. That they’re offline, unconnected. The reality? They’re not immune. And once a developer machine is compromised, the whole system is open.

Oracle’s Zero-Day Crisis: A Data Breach That Broke the Shield

Oracle? Hit hard. The Clop group found a zero-day in their E-Business Suite—CVE-2025-61882—and started exploiting it in July. By August, they’d stolen data from dozens of companies. They didn’t just hack—it was personalized. They sent direct emails to business leaders, saying, “Your data is going to be leaked unless you pay.”

Then came a second zero-day, CVE-2025-61884. Leaked on Telegram by ShinyHunters. Oracle patched it quietly. But the damage was done. Harvard, Dartmouth, Logitech, Korean Air—all reported breaches.

Here’s the thing: enterprise software isn’t just a tool. It’s a fortress. And when a zero-day hits, it doesn’t just break in. It opens the door and says, “You’re not safe here.” And if you’re not watching, you’re already compromised.

The Rise of DDoS Power: Aisuru’s 29.7 Tbps Assault

2025 saw DDoS attacks go from being a nuisance to a weapon of mass disruption. One of the biggest ever? 29.7 terabits per second—orchestrated by the Aisuru botnet. Microsoft reported a 15 Tbps attack on Azure. Cloudflare saw even larger ones.

These weren’t random. They were targeted. Used to crash services, to extort companies, to make a statement. And they were increasingly automated—no need for human hands.

So what happened? Global law enforcement stepped in. They coordinated takedowns of DDoS-for-hire platforms. Arrests. Infrastructure dismantled. Europol cracked down on the pro-Russian NoName057(16) group, which had a history of launching these attacks.

But here’s the question: if we can stop the attacks, why do they keep coming back? Because the tools are out there. And anyone with a computer can build one.

Supply Chain Attacks: The New Frontline of Malware

Attackers didn’t go after big companies directly. They went after the tools we use. Open-source platforms like npm and PyPI became frontlines.

The IndonesianFoods campaign flooded npm with hundreds of thousands of malicious packages. Shai-Hulud infected hundreds of popular ones, stealing developer secrets and API keys. Glassworm came back, using VSCode extensions to deliver cryptominers, steal crypto, and even install early-stage ransomware.

PyPI added new controls. But the threat? Still alive. Because when you trust a package from a known source, you’re trusting a system that can be poisoned. And once it’s in, it spreads like wildfire.

North Korean IT Workers: The Silent Infiltrators

North Korea isn’t just using hackers. They’re using people. Fake identities. Legitimate jobs. “Laptop farm” operations across 16 U.S. states. These actors remotely accessed corporate systems under the guise of being IT staff.

Some even pleaded guilty to helping create false identities to pass background checks. The U.S. Treasury slapped sanctions on individuals and front companies.

One campaign used deepfake Zoom calls—impersonating executives—to trick employees into installing macOS malware. Others used fake technical interviews to distribute malware through malicious npm packages.

It’s not about brute force. It’s about trust. And trust is what they’re exploiting.

Salt Typhoon: Espionage in the Telecom Sector

Salt Typhoon? Still active. Linked to state-aligned Chinese actors. They target telecom infrastructure—Cisco devices, unpatched systems, privileged access. They deploy custom malware to collect network configurations, monitor traffic.

And the breaches? They’re not just in private companies. They hit military networks. The U.S. National Guard.

The FCC issued warnings. Then rolled back proposed cybersecurity rules. That’s a problem. If we’re not regulating the infrastructure that keeps the nation running, who’s going to protect it?

Prompt Injection: The AI Vulnerability That No One Saw Coming

This one hit hard. As AI tools became part of daily work—Microsoft 365 Copilot, Google Gemini, AI coding assistants—researchers found a new attack vector: prompt injection.

Attackers feed specially crafted inputs into AI systems. The AI, confused or tricked, starts leaking data, generating malicious output, or doing things it wasn’t supposed to.

One case? A “CometJacking” attack used prompt injection in Perplexity’s Comet AI to access linked email and calendar data. Even downscaled images with hidden instructions could trigger the attack.

We didn’t see this coming. Because we thought AI was secure. We thought it was smart. But it’s not immune. And if you’re using it to handle sensitive data, you’re opening a backdoor.

Help Desk Exploits: Social Engineering at Scale

Threat actors like Scattered Spider and Luna Moth don’t just send phishing emails. They impersonate IT staff.

A Cognizant help desk was tricked into granting access to a company account. Result? A $380 million lawsuit. Google reported similar attacks on U.S. insurance firms. Retailers like Marks & Spencer and Co-op confirmed breaches enabled by social engineering.

The UK government had to issue new guidance. Because the truth is: the people who should be trusted—help desk staff—are now being used as weapons.

Insider Threats: Trust Is the Weakest Link

Trust is fragile. And in 2025, it broke more than once.

Coinbase’s breach? 69,461 users. Linked to a former support agent. CrowdStrike detected an insider feeding data to hackers—paid $25,000 by a group tied to Scattered Spider and ShinyHunters.

FinWise Bank? 689,000 customers affected. A former employee sold credentials for $920. That same set of credentials was used in a $140 million heist at Brazil’s Central Bank.

It’s not just about bad actors. It’s about people who were supposed to protect us. And when trust fails, the damage is immediate and massive.

Massive IT Outages: When Cloud Fails, Everything Fails

Heroku. Microsoft DNS. Google. AWS. All had massive outages. Not from direct cyberattacks—more like cascading failures. But the scale? It was global.

And the impact? Everything broke. E-commerce sites crashed. Financial services froze. People couldn’t access emails or accounts.

It’s not just about security. It’s about resilience. If the cloud fails, we all fail. And if we don’t have backup systems, we’re just sitting ducks.

Salesforce Data Theft: A Chain of Compromised Third Parties

Salesforce itself wasn’t breached. But attackers used compromised OAuth tokens from third-party services like Salesloft Drift. That gave them access to customer data across Google, Cisco, Chanel, and others.

ShinyHunters set up a dedicated leak site to extort affected companies. It wasn’t just data. It was customer relationships. And once that’s exposed, the damage is long-term.

It’s a reminder: no system is isolated. If one link fails, the whole chain is exposed.

Zero-Day Exploits: Still the Gold Standard

Zero-days didn’t go away. They were exploited—in Cisco, Fortinet, Citrix, Microsoft SharePoint. The ToolShell flaw in SharePoint, linked to Chinese actors, enabled data theft and persistence. Flaws in 7-Zip and WinRAR were used in phishing campaigns to bypass security.

These aren’t just technical flaws. They’re gaps in the system. And when attackers find them, they don’t just use them—they weaponize them.

AI-Powered Cybercrime: The New Normal

AI tools like WormGPT 4 and KawaiiGPT made it possible for anyone to generate malware without knowing how to code. The S1ngularity attack targeted thousands of GitHub accounts. AI-powered tools like HexStrike accelerated exploitation—cutting down the time and skill needed to launch attacks.

By year’s end, AI wasn’t just a tool. It was a core component of modern cybercrime.

It’s no longer experimental. It’s routine. It’s embedded. And it’s getting better every day.

So what does 2025 really mean?

It means cybersecurity isn’t just about patching software. It’s about understanding how people behave, how trust is built and broken, and how AI—something we thought would help us—can now be used to break everything we rely on.

The real threat isn’t just in the code. It’s in the human decisions, the assumptions, the moments when someone clicks “yes” to a fake update or trusts a message that looks official.

And in that moment, the war isn’t fought in data centers. It’s fought in our minds.

The Cyber War of 2025: How AI, Zero-Days, and Human Trust Shaped the Year’s Most Dangerous Threats