KrebsOnSecurity.com marks a significant milestone today, celebrating 16 years of dedicated cybersecurity journalism. This anniversary is a moment of profound gratitude to our extensive readership – from the newest visitors to our long-standing community and even our most vocal critics. Your active engagement throughout the past year has been an invaluable source of encouragement, especially during challenging periods. A dominant theme in our 2025 coverage was the concept of comeuppance, with a particular focus on entities that facilitated complex and globally distributed cybercrime operations.
Our investigative work in May 2024 delved into the history and ownership of Stark Industries Solutions Ltd., a "bulletproof hosting" provider that became operational mere weeks before Russia’s invasion of Ukraine. This service emerged as a critical staging ground for repeated Kremlin-backed cyberattacks and disinformation campaigns. A year later, Stark and its two co-owners faced sanctions from the European Union. However, our subsequent analysis revealed that these penalties had minimal impact on the proprietors’ ability to rebrand and transfer substantial network assets to other entities under their control.
In December 2024, KrebsOnSecurity spotlighted Cryptomus, a Canadian-registered financial firm that had become the preferred payment processor for numerous Russian cryptocurrency exchanges and websites peddling cybercrime services targeted at Russian-speaking individuals. By October 2025, Canadian financial regulators declared that Cryptomus had flagrantly violated anti-money laundering laws, imposing a record $176 million fine on the platform.

Our September 2023 report highlighted findings from researchers who concluded that a series of six-figure cyberheists, impacting dozens of victims, stemmed from attackers successfully cracking master passwords stolen from the password manager service LastPass in 2022. This conclusion was echoed in March 2025, when U.S. federal agents investigating a staggering $150 million cryptocurrency heist stated in a court filing that they had reached the same determination.
Phishing remained a pervasive threat and a major focus of our coverage this year. We provided an inside look into the daily operations of several voice phishing gangs, responsible for orchestrating elaborate, convincing, and financially devastating cryptocurrency thefts. The article "A Day in the Life of a Prolific Voice Phishing Crew" meticulously detailed how one such cybercrime syndicate routinely abused legitimate services offered by Apple and Google to force those services to send various outbound communications to their intended victims, including emails, automated phone calls, and system-level messages delivered to all signed-in devices.
Furthermore, nearly half a dozen stories published in 2025 dissected the relentless barrage of SMS phishing, or "smishing," originating from China-based phishing kit vendors. These vendors provide a simplified infrastructure for their customers to convert phished payment card data into mobile wallets from Apple and Google.
In January, we featured research into Funnull, a dubious and sprawling content delivery network specializing in assisting China-based gambling and money laundering websites in distributing their operations across multiple U.S.-based cloud providers. Just five months later, the U.S. government sanctioned Funnull, identifying it as a primary source of investment and romance scams, commonly known as "pig butchering."

In May, Pakistan apprehended 21 individuals alleged to be affiliated with Heartsender, a phishing and malware dissemination service that KrebsOnSecurity first reported on in 2015. These arrests followed closely on the heels of the FBI and Dutch police seizing dozens of servers and domains associated with the group. Notably, many of those arrested were first publicly identified in a 2021 article detailing how they had inadvertently infected their computers with malware that exposed their real-life identities.
In April, the U.S. Department of Justice indicted the proprietors of a Pakistan-based e-commerce company for conspiring to distribute synthetic opioids in the United States. The following month, KrebsOnSecurity elaborated on how the proprietors of the sanctioned entity are perhaps more widely recognized for operating an extensive and long-running scheme to defraud Westerners seeking assistance with trademarks, book writing, mobile app development, and logo designs.
Earlier this month, we examined an academic cheating enterprise that leveraged Google Ads to generate tens of millions of dollars in revenue. This operation has curious ties to a Kremlin-connected oligarch whose Russian university is involved in building drones for Russia’s ongoing conflict in Ukraine.
As always, KrebsOnSecurity has diligently monitored the world’s largest and most disruptive botnets, which subjected the internet to distributed denial-of-service (DDoS) assaults this year that were two to three times the size and impact of previous record-breaking attacks.

In June, KrebsOnSecurity.com experienced the largest DDoS attack that Google had mitigated at that time, a testament to the effectiveness of Google’s Project Shield offering. Experts attributed this attack to an Internet-of-Things botnet known as Aisuru, which had rapidly expanded in size and firepower since its emergence in late 2024. A subsequent Aisuru attack on Cloudflare, occurring just days later, nearly doubled the magnitude of the June attack against our site. Shortly thereafter, Aisuru was implicated in another DDoS attack that again doubled the previous record.
By October, it appeared that the cybercriminals controlling Aisuru had shifted their botnet’s focus from DDoS attacks to a more sustainable and profitable venture: renting out hundreds of thousands of infected Internet of Things (IoT) devices for proxy services that assist cybercriminals in anonymizing their traffic.
However, it has recently become evident that at least some of the disruptive botnet and residential proxy activity attributed to Aisuru last year was likely orchestrated by the individuals responsible for building and testing a formidable botnet known as Kimwolf. XLab, a Chinese security firm that first chronicled Aisuru’s rise in 2024, recently profiled Kimwolf as arguably the world’s largest and most dangerous collection of compromised machines, with approximately 1.83 million devices under its control as of December 17th. XLab noted that the author of Kimwolf exhibits an "almost ‘obsessive’ fixation on the well-known cybersecurity investigative journalist Brian Krebs, leaving easter eggs related to him in multiple places."
We are pleased to announce that the initial KrebsOnSecurity stories of 2026 will provide an in-depth exploration of Kimwolf’s origins and examine the botnet’s unique and highly invasive methods of spreading digital contagion. The first installment in this series will include a somber global security notification concerning the devices and residential proxy services that are inadvertently contributing to Kimwolf’s rapid proliferation.

We extend our sincere gratitude once again for your continued readership, encouragement, and unwavering support. If you value the content published on KrebsOnSecurity.com, we kindly request that you consider making an exception for our domain in your ad blocker. The advertisements featured on our site are limited to a select few static images, all served in-house and personally vetted by me; there is absolutely no third-party content present. This simple act would significantly contribute to sustaining the high-quality work you have come to expect from us almost weekly.
And if you haven’t already, we encourage you to sign up for our email newsletter! (Over 62,000 subscribers can’t be wrong!) The newsletter is a straightforward plain text email delivered the moment a new story is published. We send between one and two emails per week, never share our email list, and do not conduct surveys or promotions.
Thank you again, and Happy New Year to everyone! Please remain safe and vigilant.

