KrebsOnSecurity.com proudly marks its 16th anniversary, a milestone achieved through the unwavering engagement of its dedicated readership, a community that spans from eager newcomers to seasoned followers and even the most discerning critics. This past year, the collective interaction on the platform has been nothing short of remarkable, offering a profound sense of solace amidst a landscape frequently shadowed by challenging cyber events. A dominant theme woven through our 2025 coverage was the concept of comeuppance, specifically targeting entities that have facilitated the proliferation of complex and globally distributed cybercrime operations.

Our deep dive in May 2024 into the history and ownership of Stark Industries Solutions Ltd., a notorious "bulletproof hosting" provider that surfaced just weeks before the invasion of Ukraine, revealed its role as a critical staging ground for persistent Kremlin cyberattacks and disinformation campaigns. A year later, while Stark and its co-owners faced European Union sanctions, our subsequent investigations demonstrated the proprietors’ adeptness at evading these penalties. They have since been observed rebranding and strategically transferring substantial network assets to other controlled entities, underscoring the fluid and evasive nature of their operations.

In December 2024, KrebsOnSecurity shed light on Cryptomus, a Canadian-registered financial firm that had become the payment processor of choice for a multitude of Russian cryptocurrency exchanges and websites peddling cybercrime services to a Russian-speaking clientele. This exposure proved prescient, as by October 2025, Canadian financial regulators, citing gross violations of anti-money laundering laws, imposed a record-breaking $176 million fine on the platform.

Happy 16th Birthday, KrebsOnSecurity.com!

The critical link between major data breaches and subsequent financial crimes was starkly illustrated in September 2023, when KrebsOnSecurity published findings from researchers who concluded that a series of high-value cyberheists, impacting numerous victims, stemmed from the exploitation of master passwords pilfered from the LastPass password manager service in 2022. This investigative thread culminated in March 2025, when U.S. federal agents, in their pursuit of a staggering $150 million cryptocurrency heist, publicly confirmed in court filings that they had reached the same incriminating conclusion.

Phishing, in its myriad and increasingly sophisticated forms, emerged as a significant focus of this year’s reporting. Our investigations provided an intimate look into the daily operations of several voice phishing gangs, responsible for orchestrating elaborate, convincing, and financially devastating cryptocurrency thefts. The article "A Day in the Life of a Prolific Voice Phishing Crew" offered a granular examination of how one such gang expertly leveraged legitimate services from tech giants like Apple and Google to manipulate outbound communications to their targets, encompassing emails, automated phone calls, and system-level alerts delivered to all signed-in devices.

Furthermore, nearly half a dozen articles in 2025 meticulously dissected the relentless wave of SMS phishing, or "smishing," originating from China-based phishing kit vendors. These vendors provide an accessible toolkit for criminals to readily convert phished payment card data into functional mobile wallets for platforms like Apple and Google. In a significant move to counter this pervasive threat, Google has initiated legal action, filing at least two John Doe lawsuits against these shadowy groups and numerous unnamed defendants, aiming to dismantle their online infrastructure.

January saw the spotlight fall on research detailing a dubious and sprawling content delivery network known as Funnull. This network specialized in enabling China-based gambling and money laundering websites to distribute their operations across a multitude of U.S.-based cloud providers, effectively obscuring their digital footprint. Just five months later, the U.S. government responded by sanctioning Funnull, officially designating it as a primary source of the insidious investment and romance scams colloquially known as "pig butchering."

In a significant development in May, Pakistan apprehended 21 individuals allegedly affiliated with Heartsender, a phishing and malware dissemination service that KrebsOnSecurity first exposed back in 2015. These arrests followed closely on the heels of coordinated efforts by the FBI and Dutch police, who had seized dozens of servers and domains belonging to the group. Intriguingly, many of those arrested had been previously identified in a 2021 report detailing how they had inadvertently exposed their real identities by infecting their own computers with malware.

April brought the indictment of proprietors of a Pakistan-based e-commerce company by the U.S. Department of Justice, accused of conspiring to distribute synthetic opioids in the United States. The following month, KrebsOnSecurity delved into the dual nature of these individuals’ operations, revealing that they are perhaps more widely recognized for perpetrating an elaborate and long-standing scheme to defraud Westerners seeking assistance with services such as trademark registration, book writing, mobile app development, and logo design.

More recently, our investigation illuminated an academic cheating empire, bolstered by extensive Google Ads campaigns, which has generated tens of millions of dollars in revenue. This enterprise also exhibits curious ties to a Kremlin-connected oligarch whose Russian university is actively involved in building drones for Russia’s ongoing conflict in Ukraine.

KrebsOnSecurity has consistently maintained a vigilant watch over the world’s most formidable and disruptive botnets. This year, these networks unleashed distributed denial-of-service (DDoS) assaults that were an astonishing two to three times larger and more impactful than any previously recorded attacks.

In June, KrebsOnSecurity.com itself became the target of the largest DDoS attack ever mitigated by Google at that time, a testament to the relentless power of the Internet of Things (IoT) botnet known as Aisuru. This botnet had experienced a dramatic surge in size and firepower since its emergence in late 2024. A subsequent Aisuru attack on Cloudflare, occurring mere days later, nearly doubled the magnitude of the assault on our site. Aisuru was subsequently implicated in yet another DDoS attack that once again doubled the existing record.

By October, it appeared that the cybercriminals orchestrating Aisuru had pivoted their strategy, shifting the botnet’s focus from disruptive DDoS attacks to a more sustainable and profitable endeavor: renting out hundreds of thousands of compromised IoT devices for proxy services. These services are instrumental in helping cybercriminals anonymize their malicious traffic.

However, emerging intelligence suggests that at least some of the disruptive botnet and residential proxy activity attributed to Aisuru in the past year was, in fact, the work of the individuals responsible for developing and testing a potent new botnet known as Kimwolf. XLab, a Chinese security firm that first chronicled Aisuru’s rise in 2024, recently profiled Kimwolf, identifying it as arguably the world’s largest and most dangerous collection of compromised machines, with approximately 1.83 million devices under its control as of December 17th.

XLab’s report highlighted a peculiar observation: the author of the Kimwolf botnet exhibits an "almost ‘obsessive’" fixation on the renowned cybersecurity investigative journalist Brian Krebs, embedding subtle "easter eggs" related to him in various aspects of the botnet’s infrastructure.

KrebsOnSecurity is pleased to announce that its inaugural stories of 2026 will delve deeply into the origins of Kimwolf, dissecting its unique and highly invasive methods of propagating digital infections. The initial installment of this series will include a sobering global security notification concerning the devices and residential proxy services that are inadvertently fueling Kimwolf’s rapid expansion.

We extend our profound gratitude once again for your continued readership, invaluable encouragement, and steadfast support. For those who appreciate the content published on KrebsOnSecurity.com, we kindly request that you consider making an exception for our domain within your ad blocker settings. The advertisements featured on our site are limited to a select few static images, served exclusively in-house and meticulously vetted by myself. We maintain a strict policy against any third-party content. By allowing these ads, you directly contribute to sustaining the investigative work that appears on this platform almost weekly.

Additionally, if you haven’t already, we encourage you to sign up for our email newsletter. With over 62,000 subscribers, it’s clear many find value in this direct line of communication. The newsletter consists of plain text emails sent immediately upon the publication of a new story. We send between one and two emails per week, guarantee the privacy of our email list, and refrain from conducting surveys or promotions.

Thank you once more, and we wish everyone a safe and Happy New Year. Stay vigilant.