Today marks a significant milestone as KrebsOnSecurity.com celebrates its 16th anniversary, a testament to Brian Krebs’s unwavering dedication to uncovering the intricate workings of the cybercrime underworld. This past year, 2025, has been particularly impactful, with a strong thematic focus on holding accountable the entities that facilitate complex and globally dispersed cybercriminal services. We extend our deepest gratitude to our diverse readership—newcomers, long-time followers, and even the drive-by critics—whose engagement has been a powerful source of encouragement, especially during challenging times.

The year 2025 was a year of reckoning for many cybercrime enablers. In May 2024, KrebsOnSecurity delved into the murky history and ownership of Stark Industries Solutions Ltd., a notorious "bulletproof hosting" provider that emerged just weeks before the invasion of Ukraine. This platform became a critical staging ground for repeated Kremlin cyberattacks and disinformation campaigns. A year later, while the European Union sanctioned Stark and its two co-owners, our investigation revealed the proprietors’ cunning attempts to evade these penalties. They successfully rebranded and transferred substantial network assets to other entities under their control, demonstrating a disturbing resilience in their operations. This persistent evasion underscores the ongoing challenge of dismantling sophisticated cybercrime infrastructure.

Further highlighting the financial conduits of illicit activities, in December 2024, KrebsOnSecurity profiled Cryptomus, a Canadian-registered financial firm that had become the payment processor of choice for numerous Russian cryptocurrency exchanges and websites peddling cybercrime services to Russian-speaking customers. The consequences for such facilitation were significant. In October 2025, Canadian financial regulators, recognizing Cryptomus’s gross violations of anti-money laundering laws, imposed a record-breaking $176 million fine against the platform. This substantial penalty serves as a stark warning to financial institutions that enable cybercriminal enterprises.

Happy 16th Birthday, KrebsOnSecurity.com!

The ripple effects of major data breaches continued to be felt throughout 2025. In September 2023, KrebsOnSecurity published findings from researchers who linked a series of high-stakes cyberheists, totaling millions of dollars across dozens of victims, to the cracking of master passwords stolen from the password manager service LastPass in 2022. The gravity of this breach was further underscored in March 2025 when U.S. federal agents, investigating a spectacular $150 million cryptocurrency heist, stated in a court filing that they had reached the same conclusion: the stolen LastPass credentials were a key enabler of the massive theft. This highlights the critical importance of robust password management and the devastating consequences of compromised credentials.

Phishing, in its myriad forms, remained a dominant threat throughout the year, and KrebsOnSecurity dedicated significant coverage to its insidious operations. The site peered into the day-to-day activities of several voice phishing gangs that orchestrated elaborate, convincing, and financially devastating cryptocurrency thefts. The in-depth piece, "A Day in the Life of a Prolific Voice Phishing Crew," exposed how one such gang cynically abused legitimate services offered by tech giants like Apple and Google. They manipulated these platforms to push a variety of outbound communications to their victims, including emails, automated phone calls, and system-level messages delivered to all signed-in devices, demonstrating a sophisticated exploitation of trusted services.

The pervasive threat of SMS phishing, or "smishing," originating from China-based phishing kit vendors also received substantial attention. Nearly half a dozen stories in 2025 dissected the incessant smishing campaigns, revealing how these vendors made it alarmingly easy for their customers to convert phished payment card data into fraudulent Apple and Google wallets. In a significant move to combat this syndicate, Google has since initiated legal action, filing at least two John Doe lawsuits targeting these groups and dozens of unnamed defendants in an effort to disrupt their online resources and operations.

In January, KrebsOnSecurity highlighted critical research into Funnull, a dubious and sprawling content delivery network that specialized in assisting China-based gambling and money laundering websites in distributing their operations across multiple U.S.-based cloud providers. The implications of such infrastructure were far-reaching. Just five months later, the U.S. government took decisive action, sanctioning Funnull and identifying it as a primary source of "pig butchering" scams—a particularly insidious form of investment and romance fraud.

The crackdown on malware dissemination services continued in May with significant arrests in Pakistan. Twenty-one individuals were apprehended, alleged to be working for Heartsender, a phishing and malware dissemination service that KrebsOnSecurity had first profiled back in 2015. These arrests followed closely on the heels of joint operations by the FBI and Dutch police, who had seized dozens of servers and domains associated with the group. Many of those arrested had been identified in a 2021 report here, which detailed how they had inadvertently infected their own computers with malware that ultimately revealed their real-life identities.

In April, the U.S. Department of Justice indicted the proprietors of a Pakistan-based e-commerce company for conspiring to distribute synthetic opioids in the United States. The following month, KrebsOnSecurity revealed a disturbing dual operation: the proprietors of this sanctioned entity were perhaps more widely known for orchestrating an elaborate and long-running scheme to defraud Westerners seeking assistance with services such as trademark registration, book writing, mobile app development, and logo design. This juxtaposition highlights the often-unseen connections between seemingly disparate criminal enterprises.

The educational sector also became a battleground for illicit activities, as detailed in a story earlier this month. An academic cheating empire, turbocharged by Google Ads, was found to be generating tens of millions of dollars in revenue. This empire had curious ties to a Kremlin-connected oligarch whose Russian university is known for building drones used in Russia’s war against Ukraine. The intricate web of connections between online fraud, state-sponsored activities, and educational institutions presents a chilling picture of the pervasive influence of cybercrime.

The relentless assault of botnets on the internet remained a focal point of KrebsOnSecurity’s coverage. This year, distributed denial-of-service (DDoS) assaults pummeled the internet with an intensity two to three times greater than previous record-breaking attacks. In June, KrebsOnSecurity.com itself was targeted by what was then the largest DDoS attack ever mitigated by Google, a testament to the escalating power of these networks. Experts attributed this attack to an Internet-of-Things (IoT) botnet known as Aisuru, which had rapidly expanded its reach and firepower since its debut in late 2024. Subsequent Aisuru attacks on Cloudflare and other entities further amplified the scale of these disruptions.

By October, it became apparent that the cybercriminals controlling Aisuru had shifted their focus from DDoS attacks to a more lucrative and sustainable model: renting out hundreds of thousands of infected IoT devices for proxy services. These services are crucial for cybercriminals seeking to anonymize their traffic and evade detection. However, recent developments have revealed a complex interplay between botnets. It is now clear that at least some of the disruptive botnet and residential proxy activity attributed to Aisuru last year was likely the work of individuals responsible for developing and testing a formidable botnet known as Kimwolf.

XLab, a Chinese security firm that first chronicled Aisuru’s rise, recently profiled Kimwolf as arguably the world’s largest and most dangerous collection of compromised machines. As of December 17th, Kimwolf commanded approximately 1.83 million devices under its control. Notably, XLab observed that the author of Kimwolf exhibits an "obsessive" fixation on the renowned cybersecurity investigative journalist Brian Krebs, embedding "easter eggs" related to him in multiple locations within the botnet’s infrastructure.

Looking ahead, KrebsOnSecurity is prepared to delve deeply into the origins of Kimwolf in its first stories of 2026, examining the botnet’s unique and highly invasive methods of spreading digital disease. This series will include a sobering global security notification concerning the devices and residential proxy services that are inadvertently fueling Kimwolf’s rapid expansion.

We extend our sincere gratitude once more for your continued readership, encouragement, and unwavering support. Your engagement is the lifeblood of KrebsOnSecurity.com. We kindly ask that you consider making an exception for our domain in your ad blocker. The advertisements displayed are limited to a handful of static, in-house-vetted images, ensuring a clean and secure browsing experience without any third-party content. Your support through this avenue directly contributes to the continuation of our investigative work.

Furthermore, for those who haven’t yet subscribed, we encourage you to join our email newsletter. With over 62,000 subscribers, it’s a direct and efficient way to receive new stories the moment they are published. The newsletter is a plain text email, sent between one and two times a week, with a strict policy against sharing our email list or engaging in surveys or promotions.

Thank you again for being a part of the KrebsOnSecurity community. We wish everyone a safe and Happy New Year, and remind you all to remain vigilant and secure in the digital realm.