Today marks a significant milestone as KrebsOnSecurity.com proudly celebrates its 16th anniversary, a testament to years of dedicated investigative journalism in the complex and ever-evolving landscape of cybersecurity. This momentous occasion warrants a deep dive into the past year’s impactful reporting, highlighting how the platform has continued to shine a light on entities that facilitate global cybercrime, underscoring a recurring theme of "comeuppance" throughout its 2025 coverage. A heartfelt thank you is extended to the diverse readership – from new followers to seasoned veterans and even the most critical observers – whose engagement has been a source of immense encouragement, particularly during challenging periods. The past year has been a powerful demonstration of the site’s commitment to exposing the underpinnings of sophisticated cyber threats, with a particular focus on the infrastructure that enables them.

A prime example of this investigative prowess was the in-depth scrutiny of Stark Industries Solutions Ltd. in May 2024. This "bulletproof hosting" provider, which emerged just weeks before the full-scale Russian invasion of Ukraine, served as a critical staging ground for repeated Kremlin-backed cyberattacks and disinformation campaigns. The detailed reporting exposed the company’s history and ownership, offering a crucial look into the digital infrastructure supporting geopolitical cyber warfare. A year later, the European Union responded by sanctioning Stark and its two co-owners. However, KrebsOnSecurity’s subsequent analysis in September 2025 revealed the persistent evasiveness of the proprietors, who had managed to rebrand and transfer substantial network assets to other entities under their control, demonstrating the ongoing challenge of dismantling such operations.

Further illustrating the site’s impact on financial cybercrime, KrebsOnSecurity profiled Cryptomus in December 2024. This Canadian-registered financial firm had become the payment processor of choice for a multitude of Russian cryptocurrency exchanges and websites peddling cybercrime services to a Russian-speaking clientele. The exposé laid bare the firm’s central role in facilitating illicit financial flows. In a significant regulatory development in October 2025, Canadian financial authorities recognized the severity of the violations, ruling that Cryptomus had egregiously flouted anti-money laundering laws. This led to a record-breaking $176 million fine being levied against the platform, a direct consequence of the investigative journalism that brought its activities to light.

Happy 16th Birthday, KrebsOnSecurity.com!

The reverberations of major data breaches were also a focal point. In September 2023, KrebsOnSecurity published findings from researchers who linked a series of six-figure cyberheists to the cracking of master passwords stolen from the password manager service LastPass in 2022. This initial report provided crucial insights into the cascade of financial losses stemming from the breach. The significance of this investigation was amplified in March 2025, when U.S. federal agents, while investigating a staggering $150 million cryptocurrency heist, confirmed in a court filing that they had arrived at the same conclusion, validating the earlier findings and underscoring the direct link between the LastPass breach and subsequent large-scale financial crimes.

Phishing, in its myriad forms, remained a dominant theme throughout the year’s coverage, with a particular focus on the sophisticated operations of voice phishing gangs. These groups routinely executed elaborate, convincing, and financially devastating cryptocurrency thefts. The article, "A Day in the Life of a Prolific Voice Phishing Crew," offered an unprecedented look into the day-to-day mechanics of one such gang. It meticulously detailed how these cybercriminals leveraged legitimate services offered by tech giants like Apple and Google to orchestrate a variety of outbound communications to their targets, including deceptive emails, automated phone calls, and system-level messages pushed to all signed-in devices, showcasing the insidious exploitation of trusted platforms.

The relentless wave of SMS phishing, or "smishing," emanating from China-based phishing kit vendors also received extensive coverage, with nearly half a dozen stories dissecting this pervasive threat in 2025. These vendors provide an accessible toolkit that empowers customers to easily convert phished payment card data into mobile wallets for major platforms like Apple and Google. In a significant move to combat this syndicate, Google has since initiated legal action, filing at least two "John Doe" lawsuits targeting these groups and dozens of unnamed defendants in an effort to dismantle their online infrastructure and disrupt their illicit operations.

In January, research into a shadowy and sprawling content delivery network named Funnull shed light on its role in assisting China-based gambling and money laundering websites. Funnull specialized in distributing these operations across multiple U.S.-based cloud providers, effectively obscuring their digital footprint. Just five months later, the U.S. government took decisive action by sanctioning Funnull, identifying it as a primary source of "pig butchering" scams, a particularly insidious form of investment and romance fraud that has led to massive financial losses for victims worldwide.

The investigative reach extended to Pakistan, where in May, 21 individuals were arrested in connection with Heartsender, a phishing and malware dissemination service that KrebsOnSecurity had first profiled back in 2015. These arrests followed a coordinated effort by the FBI and Dutch police to seize dozens of servers and domains associated with the group. Notably, many of those apprehended had been publicly identified in a 2021 report here, detailing how they had inadvertently infected their own computers with malware that ultimately exposed their real-life identities, a stark reminder of the double-edged sword of technological exposure.

Further highlighting the interconnectedness of illicit activities, the U.S. Department of Justice indicted the proprietors of a Pakistan-based e-commerce company in April for their alleged conspiracy to distribute synthetic opioids in the United States. The following month, KrebsOnSecurity detailed how these same proprietors were perhaps more widely recognized for orchestrating an elaborate and long-running scheme to defraud Western individuals seeking services for trademark registration, book writing, mobile app development, and logo design. This investigation exposed a dual operation, leveraging legitimate-seeming e-commerce fronts for both criminal enterprises and widespread fraud.

In a particularly concerning development earlier this month, KrebsOnSecurity delved into an academic cheating empire that had amassed tens of millions of dollars in revenue, significantly amplified by Google Ads. The investigation uncovered curious ties to a Kremlin-connected oligarch whose Russian university is known to build drones for Russia’s ongoing war against Ukraine. This story illustrated how sophisticated online enterprises, even those seemingly focused on educational services, can be entangled with geopolitical conflicts and illicit funding streams.

The site’s commitment to tracking the world’s most disruptive botnets remained steadfast, with coverage of distributed denial-of-service (DDoS) assaults that pummeled the internet throughout the year. These attacks were characterized by their unprecedented scale, being two to three times larger and more impactful than previous record-breaking DDoS events.

In June, KrebsOnSecurity.com itself was targeted by the largest DDoS attack Google had mitigated at that point. This attack was attributed to an Internet-of-Things (IoT) botnet known as Aisuru, which had rapidly expanded its capabilities since its emergence in late 2024. The Aisuru botnet’s ferocity was further demonstrated by subsequent attacks on Cloudflare that nearly doubled the scale of the assault on KrebsOnSecurity.com, and later, another Aisuru attack that again doubled the previous record.

In October, a shift in Aisuru’s modus operandi was observed, with cybercriminals reportedly redirecting the botnet’s focus from DDoS attacks to the more lucrative and sustainable market of renting out hundreds of thousands of infected IoT devices for proxy services. These services are instrumental in helping cybercriminals anonymize their traffic and operations.

However, recent revelations have indicated that at least some of the disruptive botnet and residential proxy activity previously attributed to Aisuru in the past year may have been the work of individuals responsible for developing and testing a formidable botnet named Kimwolf. XLab, a Chinese security firm that first chronicled Aisuru’s rise, recently profiled Kimwolf, identifying it as the world’s largest and most dangerous collection of compromised machines, boasting approximately 1.83 million devices under its control as of December 17.

Intriguingly, XLab noted that the author of the Kimwolf botnet exhibits an "almost ‘obsessive’ fixation on the well-known cybersecurity investigative journalist Brian Krebs, leaving easter eggs related to him in multiple places." This personal connection underscores the visibility and impact of Krebs’s work.

Looking ahead, the first KrebsOnSecurity stories of 2026 are slated to delve deeply into the origins of Kimwolf, examining its unique and highly invasive methods of spreading digital disease globally. The initial installment in this series will include a sober, global security notification concerning the devices and residential proxy services that are inadvertently fueling Kimwolf’s rapid proliferation.

The anniversary message concludes with a renewed call for reader support. The site reiterates its gratitude for the continued readership, encouragement, and support that have fueled its investigations. Readers are encouraged to make an exception for the KrebsOnSecurity.com domain in their ad blockers, as the site relies on a limited number of static, in-house vetted ads with no third-party content, all of which contribute to sustaining the investigative work. Furthermore, readers are urged to sign up for the email newsletter, a plain text delivery of new stories sent out once or twice a week, promising a commitment to privacy with no sharing of the email list and no surveys or promotions. The message ends with a warm "Thanks again, and Happy New Year everyone! Be safe out there."