Today marks a significant milestone as KrebsOnSecurity.com proudly celebrates its 16th anniversary, a testament to years of dedicated investigative journalism in the realm of cybersecurity. This occasion is met with immense gratitude towards our diverse readership – from seasoned followers and eager newcomers to even the most discerning critics. Your engagement throughout the past year has been nothing short of remarkable, providing a much-needed balm during challenging periods. The year 2025 has been particularly characterized by a strong undercurrent of "comeuppance," with our coverage spotlighting entities that have facilitated complex and globally pervasive cybercrime services.

Our deep dive into the shadowy operations of Stark Industries Solutions Ltd. began in May 2024. This "bulletproof hosting" provider, which emerged just two weeks prior to Russia’s invasion of Ukraine, was revealed to be a critical staging ground for persistent Kremlin-backed cyberattacks and disinformation campaigns. A year later, the European Union imposed sanctions on Stark and its two co-owners. However, our subsequent analysis demonstrated the limited impact of these penalties, as the proprietors adeptly rebranded and transferred substantial network assets to other controlled entities, effectively evading the sanctions.

In December 2024, KrebsOnSecurity shed light on Cryptomus, a Canadian-registered financial firm that had become the payment processor of choice for numerous Russian cryptocurrency exchanges and websites peddling cybercrime services targeted at Russian-speaking individuals. This investigation culminated in October 2025 with Canadian financial regulators issuing a stern ruling against Cryptomus for egregious violations of anti-money laundering laws, resulting in a record-breaking $176 million fine.

Happy 16th Birthday, KrebsOnSecurity.com!

The persistent threat of phishing has been a central theme in our 2025 coverage. We meticulously explored the daily operations of several voice phishing gangs, responsible for elaborate, convincing, and financially devastating cryptocurrency thefts. The exposé, "A Day in the Life of a Prolific Voice Phishing Crew," offered an unprecedented look into how one such criminal syndicate leveraged legitimate services from tech giants like Apple and Google to orchestrate a barrage of outbound communications, including emails, automated phone calls, and system-level alerts to all signed-in devices.

Furthermore, nearly half a dozen reports in 2025 dissected the relentless wave of SMS phishing, or "smishing," originating from China-based phishing kit vendors. These kits provide a low-barrier entry for customers to convert phished payment card data into illicit mobile wallets from Apple and Google. In a significant move to disrupt this sophisticated phishing syndicate, Google has initiated legal action, filing at least two "John Doe" lawsuits targeting these groups and dozens of unnamed defendants in an effort to wrest control of their online resources.

January saw the publication of research into Funnull, a dubious and sprawling content delivery network that specialized in aiding China-based gambling and money laundering websites in distributing their operations across multiple U.S. cloud providers. Just five months later, the U.S. government took decisive action, sanctioning Funnull and identifying it as a primary source of "pig butchering" scams – a particularly insidious form of investment and romance fraud.

In May, Pakistan apprehended 21 individuals allegedly connected to Heartsender, a phishing and malware dissemination service that KrebsOnSecurity first brought to public attention in 2015. These arrests followed a coordinated effort by the FBI and Dutch police to seize dozens of servers and domains associated with the group. Notably, many of those arrested were initially identified in a 2021 report detailing how they had inadvertently infected their own computers with malware that ultimately exposed their real-life identities.

April witnessed the U.S. Department of Justice indicting the proprietors of a Pakistan-based e-commerce company for their alleged conspiracy to distribute synthetic opioids in the United States. The following month, KrebsOnSecurity revealed that the individuals behind this sanctioned entity were perhaps more widely known for orchestrating an elaborate and long-running scheme to defraud Westerners seeking assistance with trademarks, book writing, mobile app development, and logo design services.

Earlier this month, our investigation delved into an academic cheating empire, fueled by Google Ads, that amassed tens of millions of dollars in revenue. This empire has curious ties to a Kremlin-connected oligarch whose Russian university is involved in building drones for Russia’s ongoing conflict in Ukraine, highlighting a disturbing intersection of illicit enterprise and geopolitical support.

As always, KrebsOnSecurity has diligently tracked the world’s most significant and disruptive botnets, which unleashed distributed denial-of-service (DDoS) assaults throughout the year, dwarfing previous records in both scale and impact. In June, KrebsOnSecurity.com itself became the target of the largest DDoS attack that Google had mitigated at that time, a testament to the growing power of Internet-of-Things botnets. Experts attributed this attack to Aisuru, a botnet that had rapidly escalated in size and firepower since its emergence in late 2024. A subsequent Aisuru attack on Cloudflare further amplified the scale of the assault on our site, and Aisuru was subsequently blamed for yet another DDoS attack that again doubled the previous record.

By October, it became evident that the cybercriminals controlling Aisuru had pivoted their strategy from DDoS attacks to a more lucrative and sustainable model: renting out hundreds of thousands of infected IoT devices for proxy services, enabling cybercriminals to anonymize their traffic. However, recent developments suggest that some of the disruptive botnet and residential proxy activity attributed to Aisuru last year may have actually been the work of individuals responsible for developing and testing a potent botnet known as Kimwolf. XLab, a Chinese security firm that first chronicled Aisuru’s rise, has now profiled Kimwolf as arguably the world’s largest and most dangerous collection of compromised machines, with approximately 1.83 million devices under its control as of December 17. Intriguingly, XLab noted that the Kimwolf author exhibits an "obsessive" fixation on cybersecurity investigative journalist Brian Krebs, embedding subtle references to him within the botnet’s code.

The first KrebsOnSecurity stories of 2026 will provide an in-depth exploration of Kimwolf’s origins and its unique and highly invasive methods of spreading digital threats globally. This series will include a sobering, worldwide security notification concerning the devices and residential proxy services inadvertently contributing to Kimwolf’s rapid expansion.

Once again, we extend our profound gratitude for your continued readership, encouragement, and unwavering support. If you value the content produced at KrebsOnSecurity.com, we kindly request that you consider making an exception for our domain in your ad blocker. The advertisements featured on our site are limited to a few static images, served in-house and meticulously vetted by me; there is absolutely no third-party content. This small gesture significantly aids in sustaining the investigative work we diligently pursue almost every week.

Furthermore, if you haven’t already, we encourage you to subscribe to our email newsletter. With over 62,000 subscribers, it’s a valuable resource delivering a plain text email the moment a new story is published. We send between one and two emails weekly, strictly protect our subscriber list, and refrain from any surveys or promotions.

Thank you once more, and we wish everyone a safe and Happy New Year. Please remain vigilant and stay safe online.