The cyberattacks of 2025 marked a structural change in the global digital security landscape, generating increasingly systemic impacts with measurable economic, operational, and geopolitical consequences on a global scale.
The following figures confirm the magnitude of this disruption:
- £1.9 billion in losses from the attack on Jaguar Land Rover, with factories shut down for five weeks;
- US$1.5 billion stolen from brokerage Bybit, the largest crypto theft ever recorded;
- R$ 800 million embezzled from the Pix ecosystem through the compromise of an intermediary supplier.
These events cemented 2025 as the year of the so-called “Systemic Breakdown”, in which local failures began to generate global and interdependent impacts.
To contextualize this scenario, we have prepared an analysis of the main attack vectors, the groups involved, and the actual impacts observed throughout the year.
Enjoy your reading!
The cyberattack landscape in 2025: who attacked, how they attacked, and how much it cost
The most destructive attacks of 2025 were carried out by highly organized criminal federations, rather than isolated groups. Here are some of the most emblematic cases:
Scattered Lapsus$ Hunters coalition, formed by groups with different specializations:
- Scattered Spider: initial access via vishing, SIM swapping, and MFA fatigue;
- ShinyHunters: data theft in cloud, SaaS, and DevOps environments;
- LAPSUS$: public extortion and real-time data leaks via Telegram.
👉 According to IBM’s 2025 Cost of a Data Breach Report, 37% of breaches involving AI specifically used AI-generated phishing to compromise defenses. In addition, multistage attacks increased the complexity of investigations.
RansomHub Federation + BlackCat (ALPHV) + regional affiliates
The RansomHub group has emerged as one of the leading ransomware hubs, absorbing affiliates from previously dismantled operations such as BlackCat/ALPHV and operating as a distributed federation.
- RansomHub: attack coordination, leak infrastructure, and negotiation;
- Former BlackCat/ALPHV affiliates: payload development and attacks on hybrid environments (Windows, Linux, and ESXi);
- Regional cells: focus on specific sectors, such as healthcare, manufacturing, and finance.
👉 Attacks attributed to the RansomHub ecosystem saw a 22% increase in the average ransom demanded, along with a significant rise in attacks on critical infrastructure.
The Lazarus Group and the convergence between cybercrime and the state
Although traditionally classified as a state actor, in 2025 the Lazarus Group operated with characteristics typical of a criminal federation, integrating:
- APT38: financial attacks and compromise of banking systems;
- BlueNoroff: advanced spear phishing and attacks on crypto asset brokers;
- Digital laundering teams: chain-hopping operations, mixers, and cross-chain bridges.
👉 Theft of US$1.5 billion in crypto assets in a single attack (Bybit), with the funds laundered in less than 48 hours, leaving little time for exchanges and authorities to freeze them.
These examples of cyberattacks in 2025 demonstrate that:
- Criminal groups began operating as federated ecosystems;
- Functions such as initial access, exploitation, extortion, and laundering were specialized and outsourced;
- The distinction between organized cybercrime and state operations became functionally irrelevant.
This model dramatically increased the scale, speed, and financial impact of attacks observed throughout the year.
Offensive Artificial Intelligence: when automation became a weapon
By 2025, Artificial Intelligence had definitively ceased to be merely a productivity accelerator for attackers and had become a primary attack vector, altering the dynamics, scale, and effectiveness of criminal operations.
Unlike in previous years, AI was not only used to automate repetitive tasks, but also to simulate human behavior, circumvent security controls, and exploit psychological factors in real time.
This advance marked a critical change: attacks no longer relied primarily on casual human error and began to exploit algorithmic social engineering, which is highly adaptive and virtually indistinguishable from legitimate interactions.
Consolidated data confirms the transition of AI in relation to cyberattacks in 2025:
- Voice deepfakes can now be generated in real time with just 3 seconds of audio, enabling virtually instantaneous phone scams, voice messages, and fake authentications.
- Corporate fraud involving video deepfakes has caused direct losses of more than $25 million in a single incident, as in the case of the multinational Arup, where executives were deceived in a fake virtual meeting.
- Hyper-personalized phishing campaigns, fueled by generative AI and leaked data, achieved click-through rates above 40%, more than double the historical average observed in traditional campaigns.
👉 The combination of automation, personalization, and realism has dramatically shortened the window in which these attacks can be detected, increasing their success rate even in organizations with regular awareness training.
Thus, the AI-based offensive in 2025 made it clear that:
- Traditional authentication and awareness controls are no longer sufficient;
- Reliance on voice, video, and written language has become a new blind spot;
- The asymmetry between attack and defense has widened, as a single operator can scale campaigns with global impact.
This scenario reinforces the need for proactive and predictive cybersecurity approaches capable of simulating, anticipating, and interrupting attacks before they reach their peak exploitation phase.
Supply chain: the silent multiplier of impact
In 2025, attacks on the supply chain became established as the dominant vector of systemic impact, not because of the volume of attacks, but because of their ability to spread across organizations, sectors, and geographies.
Below are some of the most emblematic cases of the year:
Jaguar Land Rover (JLR) case
- Attack period: August to October 2025;
- Estimated financial impact: £1.9 billion;
- Operational downtime: 5 weeks;
- Suppliers impacted: over 5,000.
The insecure convergence between IT and OT forced the preventive shutdown of global production lines, exposing the fragility of the Just-in-Time model in prolonged attack scenarios.
CDK Global case study (automotive ecosystem)
Although it started at a software supplier, the attack on CDK Global continued to generate severe effects throughout 2025, affecting dealerships and automakers in multiple countries.
- Impacted sector: automotive (sales, after-sales, and logistics)
- Affected companies: more than 15,000 dealerships
- Average downtime: up to 3 weeks in some regions
- Estimated losses: hundreds of millions of dollars in interrupted and delayed sales
👉 Simultaneous disruption of billing, financing, logistics, and customer service, even in organizations without direct involvement.
Synnovis/NHS case (healthcare and laboratories)
The attack on Synnovis, a supplier responsible for NHS laboratory services in the United Kingdom, demonstrated how dependence on critical third parties can have a direct impact on the population.
- Critical period: Q2–Q3 2025
- Hospital services affected: tests, diagnostics, and elective surgeries
- Operational impact: thousands of procedures canceled or postponed
- Estimated indirect cost: tens of millions of pounds in contingency and delays
👉 Risks to continuity of care and patient safety, without direct attack on central hospital infrastructure.
MOVEit case (delayed effects and extended chain)
Even after initial exploitation in previous years, vulnerabilities associated with the MOVEit ecosystem continued to have an impact in 2025, especially in long chains of data and managed services.
- Type of impact: data leakage and re-exploitation;
- Organizations indirectly affected: thousands;
- Average cost per organization: over $9 million in response, fines, and litigation.
👉 Prolonged and recurring exposure caused by invisible dependence on third-party components.
These examples of cyberattacks on the supply chain have shown that:
- The supply chain acts as an impact multiplier, not as a secondary vector;
- Visibility into third parties is still fragmented and incomplete;
- Lean, highly integrated models amplify risks in persistent attacks;
- The traditional separation between local incidents and systemic crises no longer exists.
👉 Attacking a supplier means, in practice, attacking an entire ecosystem.
The financial sector and the geopolitics of cybercrime
By 2025, attacks on the financial sector were no longer solely economically motivated and began to play a strategic role in global geopolitics.
Cybercrime operations began to finance sanctioned states, destabilize markets, and put pressure on traditional and emerging financial systems simultaneously.
The convergence of organized cybercrime, state operations, and digital finance has transformed banks, brokerages, and crypto asset platforms into high-value geopolitical targets, extending the impact of attacks beyond immediate financial losses.
The following cases illustrate how the financial system became an active field of strategic disputes in 2025:
The biggest crypto theft in history: Bybit
- Date: February 21, 2025;
- Amount stolen: $1.5 billion in Ethereum;
- Attribution: Lazarus Group (North Korea / APT38);
- Geopolitical impact: it is estimated that up to 50% of North Korea’s missile program funding is supported by cybercrime operations and crypto asset theft.
👉 The attack highlighted how crypto assets have come to be used as a direct instrument of state financing, circumventing international economic sanctions.
Attacks on traditional financial institutions: ICBC Financial Services (U.S.)
The offensive against traditional financial institutions in 2025 demonstrated that banks and systemic intermediaries had also become targets of strategic pressure, not just extortion.
- Date: March 2025;
- Type of attack: ransomware with direct impact on settlement and clearing systems;
- Financial impact: billions in delays in U.S. Treasury securities market transactions;
- Systemic impact: temporary risk to financial market stability and need for emergency interventions.
👉 The attack revealed the operational fragility of financial infrastructures considered critical to global economic stability.
Crypto platforms as a recurring target: Poloniex
Crypto asset platforms remain prime targets in 2025, not only for their direct financial value, but also for their speed of liquidity and difficulty in international tracking.
- Date: April 2025;
- Amount stolen: approximately US$120 million in digital assets;
- Method: compromise of private keys and exploitation of flaws in internal controls;
- Destination of funds: accelerated movement via mixers and cross-chain bridges.
👉 The case reinforced the asymmetry between the speed of the attack and the slowness of regulatory mechanisms and international response.
The Brazilian scenario: accelerated digitization and systemic risk
Brazil recorded a 12% increase in ransomware attacks in 2025, bucking the downward trend in other Latin American countries (Fortinet Global Threat Landscape). The most notable attack in the country was on C&M Software, which disrupted the Pix payment system.
- Date: July 2025;
- Amount misappropriated: R$ 800 million;
- Financial institutions affected: 6;
- Vector: compromise of the connectivity provider linking institutions to the SPB (Brazilian Payment System).
👉 The incident led the Central Bank to tighten audit requirements, network segregation, and third-party governance.
The cyberattacks of 2025 linked to the financial sector made it clear that:
- The financial system has become a critical infrastructure of geopolitical interest;
- Cyberattacks now directly finance states and strategic agendas;
- The line between financial crime and international conflict has become blurred;
- Financial defense requires not only technical controls, but also geopolitical and offensive intelligence.
👉 In this context, offensive cybersecurity is no longer optional but strategic, allowing financial organizations to identify vulnerabilities before they are exploited, test their own operational limits, and prepare for a scenario in which attacks are not just crimes but instruments of global power.
Conclusion: what lessons can be learned from the cyberattacks of 2025?
A consolidated analysis of the main incidents, trends, and metrics from 2025 reveals a structural change in the global cyber risk model.
Attacks no longer exploit isolated technical flaws, but now target identity, systemic dependence, and operational continuity, significantly increasing the impact and scale of threats.
The data analyzed from the cyberattacks of 2025 shows that:
- Digital identity has become the main vector of attack, replacing the direct exploitation of technical vulnerabilities with credential abuse, advanced social engineering, and AI-based automation.
- The risk of concentration in critical suppliers is systemic, transforming localized incidents into global crises through highly interdependent digital supply chains.
- Operational resilience has surpassed absolute prevention as a strategic priority, as the ability to maintain operations, contain impacts, and recover quickly has become crucial to an organization’s survival.
- Offensive automation has widened the asymmetry between attack and defense, enabling small groups to have a disproportionate impact on a global scale.
- Response time has become as critical as detection, directly influencing financial losses, reputational impact, and regulatory effects.
With this in mind, we at Tracenet Solutions understand that cybersecurity is no longer reactive. In a scenario where attacks are inevitable, the real competitive advantages lie not only in blocking threats, but also in:
- Continuous threat intelligence, capable of anticipating adversary movements;
- Deep and integrated visibility, covering identity, network, cloud, and third parties;
- Offensive and predictive capabilities, which allow real attacks to be simulated before they occur;
- Strategic and coordinated response, reducing systemic impacts and recovery time.
We believe that resilient organizations are not those that believe they are impenetrable, but those that think like attackers, test their own limits, and prepare to operate even under attack.
Want to be part of this movement? Contact us and request a quote!