Threat Intelligence Briefing - December 2025
North Korea stole billions in crypto in 2025, new research says
For the second year in a row, North Korea’s vast cryptocurrency hacking operation has broken its own record, stealing $2.02 billion in 2025, new research says. A report published Thursday by the blockchain watchdog company Chainalysis found that North Korea broke its own record of $1.3 billion in hacked and stolen crypto like bitcoin and ethereum. That brings the country’s total stolen crypto to around $6.75 billion, the report said. The total amount of stolen crypto around the globe rose to $3.4 billion. A significant chunk of that comes from the hack of the Dubai-based cryptocurrency exchange Bybit this year. The hackers — who worked for North Korea’s elite government hacking squad, according to the U.S. Secret Service — stole around $1.5 billion, mostly in ethereum, in February, Bybit’s CEO said.
Whistleblowers raise ‘extreme’ concern about security of government’s Digital ID
The data of millions of people in Britain is at risk as a result of significant cybersecurity issues with the government’s planned Digital ID, multiple whistleblowers have warned. The whistleblowers, who have shared confidential documents and emails with ITV News to back up their claims, are senior civil servants involved in the development of the One Login technology, which will form the basis of Digital ID. They have asked to remain anonymous to protect their careers. One of the civil servants fears the problems could lead to “the worst data breach in UK government history”. One Login is already used by 13 million people in the UK for a variety of government services, including managing a state pension, cancelling a lost passport and registering as a teacher or social worker.
Major Australian university targeted in cyberattack
Hackers have accessed the personal information of thousands of people at the University of Sydney in a cyberattack targeting the institution's online code library. Vice president of operations Nicole Gower confirmed today "historical data files" were accessed last week, including the personal information of about 10,000 current and about 12,500 former staff and affiliates that were at the university as of September 4, 2018. Hackers also accessed the personal information of 5,000 alumni and students as well as six donors from 2010 to 2019. Compromised information includes the name, date of birth, phone number and home address of staff as well as their job title and employment dates. A spokesperson for the University of Sydney estimated the incident impacted about 20,000 staff and affiliates.
Google Sues Chinese ‘Darcula’ Group Over Alleged Phishing Scheme
Alphabet Inc.’s Google filed a lawsuit against alleged Chinese cybercriminals, accusing the group of orchestrating a vast phishing campaign designed to dupe Americans into turning over their credit card numbers. The group, which Google refers to as “Darcula,” developed a malicious software kit that enables users with little technical knowledge to automatically send waves of text messages purporting to offer free versions of Google services such as YouTube Premium, according to the complaint filed Wednesday. In fact, the messages lured recipients into turning over financial information that scammers could use to steal victims’ money. The Darcula enterprise stole nearly 900,000 credit card numbers, including 40,000 numbers from Americans, over the course of seven months, according to the complaint. The scheme was responsible for up to 80% of all phishing messages and involved some 600 cybercriminals at its peak, according to Google.
London council hit by cyber-attack says personal data ‘copied and taken away’
A central London council said potentially sensitive and personal information was likely “copied and taken” by hackers during a cyber-attack in November. Westminster City Council said the breach involved some “limited data” hosted on a shared IT system with Kensington and Chelsea Council. It said work was underway to understand exactly what details were taken and how it impacts residents. It said this will take time to complete but stressed the data was not lost or deleted and there is no indication at this stage that it has been published online. The council is one of three local authorities targeted in a cyber-attack which took place on November 24. Westminster City has been working with the Met Police, the National Crime Agency, the National Cyber Security Centre, and cyber security experts from NCC Group to investigate the hack.
Enterprise AI adoption is creating massive surge in Cloud Security risks
As businesses around the world increasingly integrate Artificial Intelligence (AI) tools into their cloud-based operational and administrative frameworks, they are simultaneously encountering a dramatic surge in cloud security risks. This trend, while pushing the boundaries of technological innovation, is also creating new vulnerabilities that hackers are quick to exploit. Research conducted by Palo Alto Networks, a global leader in cybersecurity, has highlighted these growing concerns, shedding light on the security challenges that organisations must address as they scale their use of AI in the cloud.
CISA Flags Critical ASUS Live Update Flaw After Evidence of Active Exploitation
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday added a critical flaw impacting ASUS Live Update to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. The vulnerability, tracked as CVE-2025-59374 (CVSS score: 9.3), has been described as an "embedded malicious code vulnerability" introduced by means of a supply chain compromise that could allow attackers to perform unintended actions. "Certain versions of the ASUS Live Update client were distributed with unauthorized modifications introduced through a supply chain compromise," according to a description of the flaw published in CVE.org. "The modified builds could cause devices meeting specific targeting conditions to perform unintended actions. Only devices that met these conditions and installed the compromised versions were affected."
China-Linked Hackers Exploiting Zero-Day in Cisco Security Gear
Cisco on Wednesday warned customers that a China-linked threat group has been observed exploiting a new zero-day affecting some of its security products. The vulnerability, tracked as CVE-2025-20393 and classified as having critical severity, impacts appliances running Cisco AsyncOS software for Secure Email Gateway (formerly ESA) and Secure Email and Web Manager (formerly Content SMA). The zero-day can be exploited to execute arbitrary commands on the underlying operating system with root privileges. The exploitation of CVE-2025-20393 was discovered by Cisco’s own Talos security experts. The attacks have been aimed at “a limited subset of appliances with certain ports open to the internet”. Cisco Talos has attributed the attacks to a threat actor tracked as UAT-9686, which it believes, with moderate confidence based on the tools and infrastructure it uses, is a Chinese state-sponsored APT.
Surge in OAuth Device Code Phishing Campaigns Targets Microsoft 365
A surge in phishing campaigns abusing Microsoft’s OAuth device code authorisation flow has been observed with multiple threat clusters using the technique to gain unauthorised access to Microsoft 365 accounts. According to a new advisory published today by Proofpoint, both state-aligned and financially motivated actors are leveraging social engineering to trick users into approving malicious applications, enabling account takeover, data theft and further compromise. The attacks rely on the OAuth 2.0 device authorisation grant, a legitimate process designed to help users sign in on devices with limited input capabilities. Once a victim enters a device code generated by an attacker-controlled application on Microsoft’s trusted verification page, the threat actor receives a valid access token. That token can then be used to control the compromised M365 account.
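To make the three legs of the flow in this item concrete, here is an added example (not code from Proofpoint, Microsoft or this briefing) that simulates the RFC 8628 device authorization grant against a hypothetical in-memory identity provider and then runs a defender-side check over the tokens it issued. The server class, the verification URL, the IP addresses and the two scenarios are all constructed for illustration; the check it demonstrates is that the host which requested the code pair and the host where the user approved it should normally be the same.

```python
"""Simulation of the OAuth 2.0 device authorization grant (RFC 8628) with a
defender-side check. Added example, not code from Microsoft, Proofpoint or the
original briefing; the server, URL, IPs and events are constructed."""
import secrets
import time
from dataclasses import dataclass
from typing import Optional


@dataclass
class DeviceGrant:
    device_code: str
    user_code: str
    client_ip: str                        # where the code pair was requested
    expires_at: float
    approved: bool = False
    approved_from_ip: Optional[str] = None  # where the user typed the code


class AuthorizationServer:
    """In-memory stand-in for the identity provider (hypothetical)."""

    def __init__(self, lifetime_s: int = 900):
        self.lifetime_s = lifetime_s
        self.grants: dict[str, DeviceGrant] = {}   # keyed by device_code
        self.grant_log: list[dict] = []            # audit trail of issued tokens

    def device_authorization(self, client_ip: str) -> dict:
        """Step 1 (RFC 8628 s3.1-3.2): the client obtains a device_code/user_code pair."""
        g = DeviceGrant(
            device_code=secrets.token_urlsafe(32),
            user_code=secrets.token_hex(4).upper(),
            client_ip=client_ip,
            expires_at=time.time() + self.lifetime_s,
        )
        self.grants[g.device_code] = g
        return {"device_code": g.device_code, "user_code": g.user_code,
                "verification_uri": "https://login.example.test/device",  # constructed
                "expires_in": self.lifetime_s, "interval": 5}

    def user_verifies(self, user_code: str, user_ip: str) -> bool:
        """Step 2 (s3.3): the signed-in user types the code on the trusted page."""
        for g in self.grants.values():
            if g.user_code == user_code and time.time() <= g.expires_at:
                g.approved, g.approved_from_ip = True, user_ip
                return True
        return False

    def token(self, device_code: str) -> dict:
        """Step 3 (s3.4-3.5): the client polls the token endpoint."""
        g = self.grants.get(device_code)
        if g is None:
            return {"error": "invalid_grant"}
        if time.time() > g.expires_at:
            return {"error": "expired_token"}
        if not g.approved:
            return {"error": "authorization_pending"}
        self.grant_log.append({"user_code": g.user_code, "client_ip": g.client_ip,
                               "approved_from_ip": g.approved_from_ip})
        return {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer"}


def flag_cross_device_grants(grant_log: list[dict]) -> list[dict]:
    """Defender check: the host that requested the code and the user who approved
    it came from different public IPs, so the token now lives somewhere the user
    never was. A heuristic: a CLI login on a cloud VM approved from a laptop also
    matches, so treat hits as a triage signal rather than a verdict."""
    return [e for e in grant_log if e["client_ip"] != e["approved_from_ip"]]


def run_scenarios() -> tuple:
    """Two constructed flows: a legitimate TV sign-in and a phished one."""
    idp = AuthorizationServer()
    # Legitimate: smart TV and phone share the household's public IP.
    tv = idp.device_authorization(client_ip="203.0.113.10")
    idp.user_verifies(tv["user_code"], user_ip="203.0.113.10")
    assert "access_token" in idp.token(tv["device_code"])
    # Phished: the code pair is requested from an unrelated host; the victim is
    # talked into typing it on the genuine verification page, so the token is
    # issued to that unrelated host.
    phish = idp.device_authorization(client_ip="198.51.100.7")
    pending = idp.token(phish["device_code"])
    assert pending == {"error": "authorization_pending"}
    idp.user_verifies(phish["user_code"], user_ip="203.0.113.10")
    idp.token(phish["device_code"])
    return len(idp.grant_log), flag_cross_device_grants(idp.grant_log)


if __name__ == "__main__":
    total, flagged = run_scenarios()
    print(f"{total} tokens issued, {len(flagged)} flagged: {flagged}")
```

The point the simulation makes is that the verification page, the code and the token are all genuine; the only thing out of place is that the client holding the token was never in front of the user. A real identity provider's sign-in records expose the same mismatch by correlating the authentication protocol of the request with the location of the approval, and that correlation, together with restricting which applications may use the device code grant at all, is where detection and mitigation of this technique sit.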
New Somalia e-visa security flaw puts personal data of thousands at risk
Somalia’s new electronic visa website lacks proper security protocols, which could be exploited by nefarious actors wanting to download thousands of e-visas containing sensitive information, including individuals’ passport details, full names, and dates of birth. Al Jazeera confirmed the system vulnerability this week, following a tip from a source with a background in web development. The source provided Al Jazeera with information about the at-risk data as well as evidence that they had taken their concerns to the Somali authorities last week to make them aware of the vulnerability. The source said that despite their efforts, there had been no response from the authorities and the issue had not been fixed.