Today marks a significant milestone as KrebsOnSecurity.com celebrates its 16th anniversary, a testament to its enduring commitment to uncovering and reporting on the intricate world of cybersecurity. This past year has been particularly impactful, with a strong thematic focus on holding accountable those entities that facilitate complex and globally dispersed cybercrime services. Brian Krebs, the driving force behind the publication, extends a heartfelt thank you to the entire readership – from new followers to long-time supporters and even the occasional critic – for their invaluable engagement, which has served as a much-needed salve during challenging times.
The past year’s coverage has been marked by a series of in-depth investigations that have brought to light the shadowy operations powering significant cyber threats. In May 2024, KrebsOnSecurity meticulously scrutinized Stark Industries Solutions Ltd., a "bulletproof hosting" provider that emerged just weeks before the invasion of Ukraine. This provider became a crucial staging ground for repeated Kremlin-backed cyberattacks and disinformation campaigns. A year later, while Stark and its co-owners faced European Union sanctions, an in-depth analysis revealed that these penalties had done little to deter the proprietors from rebranding and transferring substantial network assets to other controlled entities, demonstrating a persistent evasion of accountability.
Further financial malfeasance was exposed in December 2024 with a profile of Cryptomus, a Canadian-registered financial firm that had become the payment processor of choice for numerous Russian cryptocurrency exchanges and websites peddling cybercrime services. The investigation revealed a disturbing pattern of facilitating illicit activities targeting Russian-speaking customers. The repercussions were significant, as Canadian financial regulators, in October 2025, ruled that Cryptomus had grossly violated anti-money laundering laws, leading to a record-breaking $176 million fine against the platform. This action underscored the critical role of financial enablers in the cybercrime ecosystem.

The lingering impact of major data breaches was also a recurring theme. In September 2023, KrebsOnSecurity published research indicating that a series of six-figure cyberheists across numerous victims were the direct result of attackers cracking master passwords stolen from the LastPass password manager in 2022. This conclusion was independently corroborated in March 2025, when U.S. federal agents investigating a colossal $150 million cryptocurrency heist stated in a court filing that they had reached the same grim assessment, highlighting the profound and long-lasting consequences of compromised credentials.
Phishing, in its myriad forms, dominated a significant portion of the year’s coverage. The publication offered an unprecedented glimpse into the day-to-day operations of several voice phishing gangs, detailing their elaborate, convincing, and financially devastating cryptocurrency theft schemes. The article "A Day in the Life of a Prolific Voice Phishing Crew" meticulously illustrated how one such gang expertly abused legitimate services from tech giants like Apple and Google to orchestrate a variety of outbound communications to their targets, including emails, automated phone calls, and system-level messages delivered to all signed-in devices. This exposé shed light on the sophisticated social engineering tactics employed by these criminals.
In parallel, nearly half a dozen stories in 2025 dissected the incessant SMS phishing, or "smishing," originating from China-based phishing kit vendors. These vendors have democratized the tools of cybercrime, making it alarmingly easy for customers to convert phished payment card data into mobile wallets from Apple and Google. In a proactive effort to dismantle this pervasive phishing syndicate, Google has taken legal action, filing at least two John Doe lawsuits targeting these groups and dozens of unnamed defendants, demonstrating a concerted effort to disrupt their online infrastructure.
The cloud infrastructure facilitating criminal enterprises also came under intense scrutiny. In January, research into a dubious and sprawling content delivery network named Funnull revealed its specialization in helping China-based gambling and money laundering websites distribute their operations across multiple U.S.-based cloud providers. This investigative work proved prescient, as just five months later, the U.S. government sanctioned Funnull, identifying it as a primary source of "pig butchering" investment and romance scams.

Further international law enforcement actions were highlighted with the May arrests of 21 individuals in Pakistan alleged to be working for Heartsender, a phishing and malware dissemination service first profiled by KrebsOnSecurity in 2015. These arrests followed a significant disruption by the FBI and Dutch police, who seized dozens of servers and domains associated with the group. Notably, many of those arrested were first publicly identified in a 2021 article detailing how they had inadvertently infected their own computers with malware that exposed their real-life identities, underscoring a potent combination of journalistic investigation and operational security failures.
The nexus of illicit online activities and legitimate business operations was further illuminated in April when the U.S. Department of Justice indicted the proprietors of a Pakistan-based e-commerce company for conspiring to distribute synthetic opioids in the United States. The following month, KrebsOnSecurity detailed how these same individuals were perhaps better known for operating an elaborate and lengthy scheme to defraud Westerners seeking services related to trademarks, book writing, mobile app development, and logo designs, exposing a dual criminal enterprise.
A particularly striking investigation earlier this month delved into an academic cheating empire that had generated tens of millions of dollars in revenue, largely fueled by Google Ads. The exposé revealed curious ties to a Kremlin-connected oligarch whose Russian university builds drones for Russia’s war against Ukraine, painting a disturbing picture of how seemingly legitimate educational institutions can become intertwined with geopolitical conflicts and illicit operations.
The relentless assault of distributed denial-of-service (DDoS) attacks also remained a critical focus, with the year’s botnets pummeling the internet with assaults two to three times the size and impact of previous record-breaking attacks. In June, KrebsOnSecurity.com, hosted as a grateful guest of Google’s Project Shield, itself became a target, experiencing the largest DDoS attack Google had mitigated at the time. Experts attributed this attack to an Internet-of-Things botnet called Aisuru, which had rapidly escalated in size and firepower since its emergence in late 2024. Subsequent Aisuru attacks on Cloudflare and other targets practically doubled the scale of the attack against this site, highlighting the escalating capabilities of these botnets.

By October, it appeared the cybercriminals controlling Aisuru had pivoted from DDoS to a more lucrative venture: renting out hundreds of thousands of infected IoT devices to proxy services, which then helped cybercriminals anonymize their traffic. However, recent revelations suggest that at least some of the disruptive botnet and residential proxy activity attributed to Aisuru was, in fact, the work of those responsible for developing and testing a formidable botnet known as Kimwolf. The Chinese security firm XLab, which first chronicled Aisuru’s rise, has now profiled Kimwolf as arguably the world’s largest and most dangerous collection of compromised machines, boasting approximately 1.83 million devices under its control as of December 17th. Intriguingly, XLab noted that the Kimwolf author exhibits an "obsessive" fixation on Brian Krebs, leaving "easter eggs" related to him within the botnet’s code.
Looking ahead, KrebsOnSecurity is poised to launch a series in early 2026 that will delve deeply into the origins of Kimwolf, examining its unique and highly invasive methods of spreading digital disease. The inaugural installment will provide a global security notification concerning the devices and residential proxy services inadvertently powering Kimwolf’s rapid expansion.
Once again, Brian Krebs expresses profound gratitude for the continued readership, encouragement, and support. He appeals to readers to consider making an exception for KrebsOnSecurity.com in their ad blockers, noting that the ads are limited, static, served in-house, and personally vetted, with no third-party content. This simple action would significantly contribute to sustaining the valuable work produced almost weekly. Furthermore, readers are encouraged to sign up for the email newsletter, a plain text digest sent upon the publication of each new story, promising a maximum of two emails per week, no list sharing, and no surveys or promotions.
As the year draws to a close, KrebsOnSecurity extends a warm Happy New Year to all its readers, urging them to stay safe.