KrebsOnSecurity.com marks a significant milestone today, celebrating its 16th anniversary, a testament to years of dedicated cybersecurity journalism and investigative reporting. A profound and heartfelt thank you is extended to the entire readership – encompassing new followers, long-standing patrons, and even those who offer critical perspectives – for their unwavering engagement throughout the past year. This readership has been an invaluable source of encouragement, particularly during challenging periods. The past year, 2025, has been particularly marked by a recurring theme of "comeuppance," with a strong focus on entities that have facilitated complex and globally distributed cybercrime services, bringing them into the spotlight for accountability.

The investigative prowess of KrebsOnSecurity was on full display in May 2024 when the site delved into the intricate history and ownership of Stark Industries Solutions Ltd., a notorious "bulletproof hosting" provider. This entity, which emerged mere weeks before Russia’s invasion of Ukraine, served as a critical staging ground for repeated Kremlin-orchestrated cyberattacks and disinformation campaigns. A year later, Stark Industries and its two co-owners faced sanctions from the European Union. However, KrebsOnSecurity’s continued analysis revealed that these penalties had a negligible impact, with the proprietors adeptly rebranding and transferring substantial network assets to other controlled entities, demonstrating a persistent evasion of accountability.

In December 2024, KrebsOnSecurity published a detailed profile of Cryptomus, a Canadian-registered financial firm that had ascended to become the payment processor of choice for a multitude of Russian cryptocurrency exchanges and websites peddling cybercrime services to a Russian-speaking clientele. The ramifications of this exposure were significant, as in October 2025, Canadian financial regulators declared that Cryptomus had flagrantly violated anti-money laundering laws, resulting in a record-breaking $176 million fine imposed upon the platform.

Happy 16th Birthday, KrebsOnSecurity.com!

The far-reaching consequences of data breaches were further illuminated in September 2023, when KrebsOnSecurity shared critical findings from researchers. These findings concluded that a series of high-value cyberheists, impacting numerous victims, were directly attributable to the successful cracking of master passwords stolen from the password manager service LastPass in 2022. This conclusion was independently corroborated in March 2025, when U.S. federal agents investigating a staggering $150 million cryptocurrency heist revealed in a court filing that they had arrived at the same incriminating link between the 2022 LastPass hacks and the subsequent massive theft.

Phishing, in its various insidious forms, emerged as a dominant theme in this year’s coverage. The investigative reports offered an unflinching look into the daily operations of several voice phishing gangs, who routinely executed elaborate, convincing, and financially ruinous cryptocurrency heists. The article "A Day in the Life of a Prolific Voice Phishing Crew" provided an in-depth examination of how one such cybercrime syndicate masterfully abused legitimate services offered by Apple and Google. This abuse facilitated a diverse array of outbound communications to their intended victims, including deceptive emails, automated phone calls, and critical system-level messages sent across all signed-in devices, highlighting the sophisticated exploitation of trusted platforms.

Furthermore, nearly half a dozen stories throughout 2025 meticulously dissected the relentless tide of SMS phishing, or "smishing," originating from China-based phishing kit vendors. These vendors democratized cybercrime by making it remarkably easy for their customers to convert phished payment card data into functional mobile wallets for Apple and Google. In a significant move to disrupt this widespread criminal enterprise, Google has since initiated legal action, filing at least two John Doe lawsuits targeting these groups and numerous unnamed defendants, in an effort to wrest control over the syndicate’s online resources.

In January, KrebsOnSecurity brought to light crucial research exposing a dubious and sprawling content delivery network known as Funnull. This network specialized in aiding China-based gambling and money laundering websites in distributing their operations across multiple U.S.-based cloud providers. The impact of this exposé was swift and decisive, as five months later, the U.S. government levied sanctions against Funnull, officially designating it as a primary source for "pig butchering" scams, a particularly pernicious form of investment and romance fraud.

The global reach of cybercrime was further underscored in May, when Pakistan announced the arrest of 21 individuals allegedly connected to Heartsender, a sophisticated phishing and malware dissemination service that KrebsOnSecurity first brought to public attention back in 2015. These arrests followed closely on the heels of coordinated operations by the FBI and Dutch police, who had seized dozens of servers and domains belonging to the group. Notably, many of those apprehended had been publicly identified in a 2021 article detailing how they had inadvertently infected their own computers with malware, which subsequently exposed their real-life identities, creating a self-incriminating loop that ultimately led to their downfall.

In April, the U.S. Department of Justice indicted the proprietors of a Pakistan-based e-commerce company for their alleged conspiracy to distribute synthetic opioids within the United States. The following month, KrebsOnSecurity published a detailed account revealing that the proprietors of this sanctioned entity were perhaps more widely known for orchestrating an elaborate and protracted scheme to defraud Westerners. This scam targeted individuals seeking assistance with trademark registration, book writing, mobile app development, and logo design, highlighting a dual-pronged criminal enterprise.

More recently, in a story published earlier this month, KrebsOnSecurity investigated an academic cheating empire that has been significantly amplified by Google Ads, generating tens of millions of dollars in revenue. This empire has intriguing connections to a Kremlin-connected oligarch whose Russian university is actively involved in building drones for Russia’s ongoing war against Ukraine, raising serious geopolitical and ethical concerns.

The persistent threat posed by large-scale botnets remained a critical focus, with KrebsOnSecurity diligently tracking the world’s most disruptive networks. These botnets unleashed distributed denial-of-service (DDoS) assaults throughout the year, with attacks exhibiting a scale and impact two to three times greater than previous record DDoS events.

In a particularly notable incident in June, KrebsOnSecurity.com itself was targeted by what was, at the time, the largest DDoS attack ever mitigated by Google, which provided that protection through its invaluable Project Shield offering. Experts attributed this attack to an Internet-of-Things (IoT) botnet known as Aisuru, which had experienced rapid growth in both size and destructive capability since its emergence in late 2024. A subsequent Aisuru attack on Cloudflare, occurring just days later, effectively doubled the magnitude of the initial attack on this website. Aisuru was also implicated in another DDoS attack shortly thereafter, which once again doubled the prior record.

By October, it became apparent that the cybercriminals controlling Aisuru had strategically shifted their botnet’s focus from disruptive DDoS attacks to a more lucrative and sustainable venture: renting out hundreds of thousands of compromised IoT devices for proxy services. These services are instrumental in helping cybercriminals anonymize their illicit online activities.

However, more recent developments have clarified that at least some of the disruptive botnet and residential proxy activity attributed to Aisuru in the preceding year was likely orchestrated by the same individuals responsible for developing and testing a formidable botnet known as Kimwolf. XLab, a Chinese cybersecurity firm that was the first to document Aisuru’s rise in 2024, has recently published an exposé on Kimwolf, identifying it as unequivocally the world’s largest and most dangerous collection of compromised machines, boasting approximately 1.83 million devices under its command as of December 17th.

Intriguingly, XLab’s report highlighted that the author of Kimwolf exhibits an almost "obsessive" fixation on the renowned cybersecurity investigative journalist Brian Krebs, embedding subtle "easter eggs" related to him throughout various aspects of the botnet’s infrastructure.

Looking ahead, KrebsOnSecurity is pleased to announce that the initial stories of 2026 will delve deeply into the origins of Kimwolf, meticulously examining the botnet’s unique and highly invasive methods of spreading digital contagion. The first installment in this series will include a sobering global security notification concerning the devices and residential proxy services that are inadvertently contributing to Kimwolf’s rapid expansion.

The author reiterates their sincere gratitude for the continued readership, encouragement, and unwavering support. For those who appreciate the content published on KrebsOnSecurity.com, a humble request is made to consider making an exception for the domain within ad blockers. The advertisements featured are limited to a small number of static images, all served in-house and meticulously vetted by the author personally, ensuring a secure experience free from any third-party content. This small gesture significantly aids in supporting the ongoing investigative work that is published almost weekly.

Furthermore, for those who have not yet subscribed, an invitation is extended to join the email newsletter. With over 62,000 subscribers already on board, it’s clear the newsletter offers significant value. It consists of a plain text email delivered the moment a new story is published, with an average of one to two emails per week. The mailing list is never shared, and no surveys or promotions are conducted, ensuring a focused and valuable communication channel.

Once again, profound thanks are extended to the readership, and a warm Happy New Year is wished to all. The message concludes with a crucial reminder: stay safe out there.