Cyber Chaos: The Biggest Crypto Heist, AI-Powered Hacking, Rising Cyber Threats and Government Policy Shifts
Incursion Cyber Security
Incursion Cyber Security deliver high-quality cyber security consultancy.
Another month, another major breach—except this time, it’s the biggest cryptocurrency heist ever recorded. Bybit, one of the world’s largest cryptocurrency exchanges, has confirmed the theft of $1.46 billion from its Ethereum cold wallet. The attackers executed a sophisticated scheme during a routine transfer of funds from Bybit's cold wallet to a warm wallet. Cold wallets are offline storage solutions designed to safeguard assets from online threats, while warm wallets are connected to the internet to facilitate daily transactions.
During this transfer, the attackers manipulated the smart contract associated with the transaction. They altered the contract's logic and masked the signing interface, so the transaction appeared legitimate to Bybit's security controls and to the people approving it. This manipulation allowed the attackers to gain unauthorised control over the cold wallet, leading to the transfer of approximately 401,000 Ethereum to an unidentified address.
Bybit has since paused withdrawals, reassured customers that their funds remain intact, and launched an investigation with cybersecurity experts. Despite these assurances, the incident raises concerns over whether cold storage remains a viable long-term security measure when such large sums can still be compromised.
But cryptocurrency exchanges aren’t the only targets this month. PyPI, a critical resource for developers, was once again exploited to distribute malicious packages disguised as legitimate AI tools, exposing users to infostealer malware. Cybersecurity researchers uncovered a malicious campaign on the Python Package Index (PyPI), where threat actors uploaded counterfeit packages mimicking DeepSeek AI tools. These packages, named "deepseeek" and "deepseekai," were designed to infiltrate developers' systems and extract sensitive information. The attackers leveraged an inactive PyPI account, established in June 2023, to upload the malicious packages on January 29, 2025. Once installed, these packages ran malicious code that harvested user data, system information, and environment variables, including API keys and database credentials. The stolen data was then sent to a remote server using Pipedream, a legitimate automation tool.
As attackers refine their methods, the use of AI in cybercrime is becoming an increasing concern, with hacking groups leveraging AI tools to enhance their operations. According to Google's Threat Intelligence Group, government-linked advanced persistent threat (APT) groups from over 20 countries, notably Iran and China, are utilising Gemini for tasks such as coding malicious tools, researching vulnerabilities, and gathering intelligence on targets. While they are not using Gemini to develop or conduct AI-enabled cyberattacks, they are using it to streamline their operations, reducing the time and effort needed to conduct reconnaissance, develop exploits, and execute attacks.
On home soil, IMI plc, one of the UK’s leading engineering firms, has fallen victim to a cyberattack—the second major hit on the country's industrial sector in just two weeks. The company, a key player in industrial automation and flow control, has confirmed unauthorised access to its systems, but is yet to disclose specific details regarding the severity of the breach. What makes this particularly concerning is that late last month Smiths Group faced a similar breach, and now IMI joins the growing list of high-profile victims. The pattern is clear: cybercriminals are doubling down on industrial and manufacturing firms, exploiting their often outdated security infrastructures and the critical nature of their operations.
From cyberattacks to government backdoors—IMI plc wasn’t the only UK security shake-up this month. Apple just handed the UK government a win in the encryption war by quietly removing its Advanced Data Protection (ADP) feature for iCloud users in the UK, following pressure from the British government under the Investigatory Powers Act (IPA) 2016. ADP, introduced in late 2022, was designed to provide end-to-end encryption for iCloud backups, ensuring only users could access their data. However, under the UK’s regulatory framework, companies are required to provide authorities with access to communications data upon request. Reports suggest Apple opted to remove ADP rather than comply with demands to introduce a backdoor into its encryption model.
This means UK users are losing a feature designed to keep their data safe from hackers, surveillance, and unauthorised access. While some security measures remain intact (such as iCloud Keychain and iMessage encryption), privacy advocates argue that this sets a worrying precedent. Could other security features be next on the chopping block?
Hacks, Cybercrimes and Threat Intel
Zero-Click Attack Hits WhatsApp Users
In a disturbing revelation, WhatsApp uncovered a sophisticated spyware campaign targeting 90 journalists and civil society members across multiple countries, including some in Europe. The attack used a powerful spyware tool made by the Israeli firm Paragon Solutions, deployed through a zero-click attack that compromises devices without any user interaction. The attackers are believed to have used malicious PDF files sent to individuals who had been added to WhatsApp group chats. WhatsApp says it is "highly confident" the devices were targeted, has warned those affected, and is now taking legal action, including a cease and desist letter to Paragon.
850,000 Affected in Globe Life Cybersecurity Breach
Globe Life Inc., a well-known insurance company, has reported a data breach that might have exposed personal information of about 850,000 people. Initially, in October 2024, the company believed only 5,000 individuals were affected. However, a recent SEC filing revealed the scope of the breach to be much larger. The stolen information includes names, addresses, birth dates, Social Security numbers, email addresses, phone numbers, health details, and insurance policy information. The breach has been traced to databases managed by a few independent agents working with Globe Life's branch, American Income Life Insurance Company. The company has confirmed that the extortion attempt did not involve ransomware and did not disrupt its systems or business operations. In response, Globe Life is proactively notifying the potentially affected individuals and offering free credit monitoring services.
SimpleHelp Flaws Open Door to Ransomware Attacks
Cybersecurity experts at Field Effect have identified active exploitation of vulnerabilities within SimpleHelp's Remote Monitoring and Management (RMM) software. These security flaws, catalogued as CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728, have been leveraged by malicious actors to gain unauthorised access to systems, establish administrator privileges, and deploy the Sliver post-exploitation framework. Attackers initially gained entry from an Estonia-based server and ran a series of discovery commands to learn more about the environment, after which they created a new admin account to maintain access. They then installed Sliver and connected it to a server in the Netherlands. But they didn't stop there—next, they broke into the company's Domain Controller, created another admin account ("fpmhlttech"), and hid their access using a Cloudflare Tunnel disguised as a Windows file. With persistent access established, the attackers now have the capability to launch ransomware attacks, and given that Sliver has been linked to ransomware groups in the past, this intrusion raises concerns about a larger, more destructive attack unfolding in the near future.
Magento Sites Hit by GTM-Based Credit Card Skimming Attack
Cybercriminals are exploiting Google Tag Manager (GTM) to inject credit card skimming malware into Magento-based e-commerce websites, according to security researchers at Sucuri. The malicious script, while appearing as a legitimate GTM or Google Analytics tracking code, acts as an obfuscated backdoor, granting attackers persistent access to compromised sites. Further analysis revealed that the malware, disguised as a GTM tracking script, is embedded in the Magento database and steals payment card data during checkout. At least three sites remain infected, down from six initially reported by Sucuri. Security expert Puja Srivastava says this trick lets hackers maintain control of affected sites, even if store owners remove suspicious files.
New Phishing Tool ‘Astaroth’ Bypasses 2FA Protections
A sophisticated phishing toolkit called "Astaroth" has emerged, designed to bypass two-factor authentication (2FA) on major online platforms such as Gmail, Yahoo, and Office 365. Utilising an evilginx-style reverse proxy, Astaroth positions itself between users and legitimate login pages, enabling real-time interception of credentials and session cookies. Priced at $2,000 on the dark web with six months of updates included, the toolkit signifies a significant advancement in phishing capabilities, rendering traditional 2FA defences inadequate.
Attackers Chain Flaws to Hijack Palo Alto Networks Firewalls
Palo Alto Networks has confirmed that a previously patched vulnerability in its PAN-OS firewall software is now under active attack, with cybercriminals chaining it with two older flaws to gain root-level control over affected systems. The issue stems from CVE-2025-0108, an 8.8-rated authentication bypass vulnerability in the web management interface of PAN-OS, which allows unauthenticated attackers with network access to execute PHP scripts and compromise system integrity. However, attackers are combining it with CVE-2024-9474, a 6.9-rated privilege escalation vulnerability, and CVE-2025-0111, a 7.1-rated file-read vulnerability. When chained together, these vulnerabilities enable full system takeover, giving adversaries root access to unpatched devices.
Infosec Research and Vulnerabilities
CISA Adds Critical Microsoft Outlook Vulnerability to Exploited List
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent warning to federal agencies regarding the active exploitation of a critical Microsoft Outlook remote code execution (RCE) vulnerability. The flaw, CVE-2024-21413, allows hackers to bypass Microsoft’s built-in Outlook protections for malicious links using the file:// protocol and an exclamation mark, tricking Outlook into running files as if they were safe. CISA has now added CVE-2024-21413 to its Known Exploited Vulnerabilities (KEV) catalogue, confirming that it is being exploited in real-world attacks. Despite Microsoft’s warning about this a year ago, attackers continue to exploit it, proving that many systems remain unpatched.
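A mail-gateway style check for the link shape described above (a file:// URL that contains an exclamation mark), as an added example that is not from the original article or from Microsoft. The sample messages, placeholder hosts and function names are constructed for illustration.

```python
"""Added example: flag file:// links, and especially file:// links containing
'!', in message bodies before they reach an Outlook client. Sample bodies
below are constructed; hosts use the reserved .invalid TLD."""
import re

# href attributes (quoted or bare) and bare file:// URLs in plain text
HREF_RE = re.compile(r'href\s*=\s*["\']?([^"\'\s>]+)', re.IGNORECASE)
BARE_URL_RE = re.compile(r'\bfile://[^\s<>"\']+', re.IGNORECASE)

def extract_links(body):
    """Return every distinct link target found in an HTML or plain-text body."""
    seen, links = set(), []
    for url in HREF_RE.findall(body) + BARE_URL_RE.findall(body):
        if url not in seen:
            seen.add(url)
            links.append(url)
    return links

def classify_link(url):
    """'moniker' for a file:// link with '!' (the shape the advisory describes),
    'file' for any other file:// link, None for everything else."""
    if not url.lower().startswith("file://"):
        return None
    return "moniker" if "!" in url else "file"

def scan_message(body):
    """Return a list of (severity, url) findings for one message body."""
    findings = []
    for url in extract_links(body):
        kind = classify_link(url)
        if kind == "moniker":
            findings.append(("high", url))
        elif kind == "file":
            findings.append(("medium", url))  # file:// in mail is rarely legitimate
    return findings

# Constructed sample messages (placeholder hosts, no real paths)
SAMPLES = {
    "benign": '<p>See <a href="https://example.com/report">the report</a></p>',
    "plain_file": '<a href="file://fileserver.invalid/share/notes.txt">notes</a>',
    "moniker": '<a href="file://fileserver.invalid/share/notes.txt!x">open</a>',
    "text_only": "Docs: file://fileserver.invalid/share/q.txt!y please review",
}

def scan_all(samples=SAMPLES):
    """Scan every sample body; returns {name: findings}."""
    return {name: scan_message(body) for name, body in samples.items()}

if __name__ == "__main__":
    for name, findings in scan_all().items():
        print(f"{name}: {findings}")
```

Patching Outlook remains the fix; this check only gives a gateway or SIEM a cheap signal for mail that carries the pattern.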
DeepSeek's iOS App Found Transmitting Unencrypted User Data to China
In a damning report, NowSecure has exposed DeepSeek's iOS app for transmitting sensitive user data without encryption, effectively handing over personal information to potential cybercriminals. Even more alarming, this data is funnelled directly to servers owned by ByteDance, the Chinese tech giant notorious for its data privacy controversies. Further compounding the issue, the app disables Apple's App Transport Security (ATS), allowing unencrypted data transmission. South Korea's National Intelligence Service has slammed DeepSeek for its rampant data collection practices, leading to a suspension of new downloads in the country until these glaring privacy issues are rectified. These revelations have also prompted discussions among U.S. lawmakers about potentially banning DeepSeek from government devices due to security risks.
SonicWall VPN Flaw Lets Attackers Take Over Sessions Without Detection
Cybersecurity researchers at Bishop Fox have disclosed a critical security flaw (CVE-2024-53704) affecting SonicWall's SSL VPN solution. The vulnerability arises from improper handling of session authentication within the firewall. Attackers trick the VPN software into believing they are authorised users by sending crafted malicious links, causing the original user to be logged out and granting the attacker full access. Once compromised, attackers can access sensitive internal network resources, retrieve users' private VPN configurations, and view internal network information without detection.
Bishop Fox discovered the flaw by reverse-engineering the original SonicWall patch released in November 2024 for another vulnerability (CVE-2024-9474). Through this investigation, they found an additional critical issue (CVE-2024-53704) that bypasses authentication entirely, confirming SonicWall's concerns about active exploitation. They also noted that approximately 4,500 publicly exposed SonicWall devices remain unpatched as of February 2025, leaving numerous organisations vulnerable to this attack.
Researchers Uncover Russian-Linked Golang Malware Using Telegram C2
Netskope Threat Labs researchers have identified a sophisticated backdoor malware, written in Golang, that utilises Telegram's messaging platform for command-and-control operations. Believed to originate from Russia, this malware exploits cloud-based applications to remain undetected and is fully functional despite indications of ongoing development. Upon activation, the malware discreetly embeds itself within the system's temporary files and establishes a covert communication channel through Telegram's Bot API. It awaits specific commands from its operators, enabling actions such as executing PowerShell commands, ensuring its persistence, and self-deletion to erase traces of its presence.
Critical OpenSSH Flaws Expose Systems to MitM and DoS Attacks
Two significant security vulnerabilities have been identified in the OpenSSH suite, potentially enabling machine-in-the-middle (MitM) attacks and denial-of-service (DoS) exploits under specific conditions. Discovered by the Qualys Threat Research Unit (TRU), these vulnerabilities are designated as CVE-2025-26465 and CVE-2025-26466.
CVE-2025-26465 affects OpenSSH client versions 6.8p1 through 9.9p1. The vulnerability is triggered when the VerifyHostKeyDNS option is enabled, allowing an attacker to impersonate a legitimate server and compromise the SSH session's integrity. This issue is particularly concerning for systems that had this option enabled by default. CVE-2025-26466 impacts both clients and servers running OpenSSH versions 9.5p1 to 9.9p1. This flaw permits attackers to initiate a pre-authentication denial-of-service attack, leading to excessive consumption of memory and CPU resources. Administrators can mitigate this risk by configuring parameters like LoginGraceTime, MaxStartups, and PerSourcePenalties to manage resource allocation effectively.
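A small audit helper for the two OpenSSH issues above, added here as an example that is neither the article's nor OpenSSH's own code. It uses the version ranges and option names the article gives; the sample configs and helper names are constructed, and the parser deliberately reads only the global section of a config (per-host overrides are not modelled).

```python
"""Added example: check an OpenSSH version string and config text against the
affected ranges for CVE-2025-26465 (client, VerifyHostKeyDNS) and
CVE-2025-26466 (pre-auth DoS). Sample configs below are constructed."""
import re

def parse_version(vstr):
    """'OpenSSH_9.9p1, OpenSSL ...' or '9.9p1' -> (9, 9, 1); None if unparseable."""
    m = re.search(r"(\d+)\.(\d+)p(\d+)", vstr)
    return tuple(int(x) for x in m.groups()) if m else None

def global_options(text):
    """Collect 'Key value' directives from the global section of an ssh_config or
    sshd_config (whole-line comments ignored, keys lower-cased). Parsing stops at
    the first Host/Match block, so only global defaults are reported."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key in ("host", "match"):
            break
        opts.setdefault(key, parts[1].strip() if len(parts) > 1 else "")  # first wins
    return opts

def client_mitm_exposed(version, ssh_config_text):
    """CVE-2025-26465: client 6.8p1..9.9p1 with VerifyHostKeyDNS set to yes or ask.
    The OpenSSH default is 'no', so an absent directive counts as not exposed."""
    ver = parse_version(version)
    if ver is None or not (6, 8, 1) <= ver <= (9, 9, 1):
        return False
    value = global_options(ssh_config_text).get("verifyhostkeydns", "no").lower()
    return value in ("yes", "ask")

def server_dos_gaps(version, sshd_config_text):
    """CVE-2025-26466: 9.5p1..9.9p1. Returns the resource controls named in the
    article that are not set explicitly ([] when the version is unaffected).
    PerSourcePenalties only exists from OpenSSH 9.8 onward, so it is checked there."""
    ver = parse_version(version)
    if ver is None or not (9, 5, 1) <= ver <= (9, 9, 1):
        return []
    opts = global_options(sshd_config_text)
    controls = ["logingracetime", "maxstartups"]
    if ver >= (9, 8, 0):
        controls.append("persourcepenalties")
    return [k for k in controls if k not in opts]

# Constructed sample configs for a stand-alone run
SAMPLE_SSH_CONFIG = "# constructed: DNS host-key verification on\nVerifyHostKeyDNS yes\nHost bastion\n    VerifyHostKeyDNS no\n"
SAMPLE_SSHD_CONFIG = "Port 22\nLoginGraceTime 30\nMaxStartups 10:30:100\n"

if __name__ == "__main__":
    print("client exposed:", client_mitm_exposed("OpenSSH_9.9p1", SAMPLE_SSH_CONFIG))
    print("sshd gaps:", server_dos_gaps("OpenSSH_9.8p1", SAMPLE_SSHD_CONFIG))
```

On a real host, feed it the output of `ssh -V` and the contents of /etc/ssh/ssh_config or /etc/ssh/sshd_config; a reported gap means the directive is left at its default, not that the default is necessarily unsafe.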
Juniper Patches Critical Authentication Bypass in Session Smart Routers
In a recent security advisory, Juniper Networks has disclosed a critical vulnerability, CVE-2025-21589, affecting its Session Smart Router, Session Smart Conductor, and WAN Assurance Managed Router products. This flaw permits network-based attackers to bypass authentication protocols, granting them administrative access to compromised devices. Discovered during internal security assessments, the vulnerability has been assigned a CVSS v3.1 severity score of 9.8.
Legal and Compliance
UK Launches World's First Cyber Incident Severity Scale
The UK has launched the world's first Cyber Monitoring Centre (CMC) to standardise the severity rating of major cyber incidents, similar to a hurricane scale. This initiative, backed by cyber insurance and cybersecurity experts, aims to clarify "systemic" events (like NotPetya) that impact many organisations. The CMC uses a five-level scale, with expert assessments triggered for incidents causing over £100 million in damages. This will bring transparency to cyber insurance, streamline claims, and improve management of widespread cyber threats.
This month’s developments highlight the rapidly evolving cyber threat landscape and the need for businesses, governments, and individuals to adapt. From the largest cryptocurrency heist in history to state-backed hackers leveraging AI for reconnaissance, cybercriminals are refining their tactics and exploiting weaknesses across industries. With zero-click spyware targeting journalists, end-to-end encryption features being quietly rolled back, and AI tools being leveraged for cyber warfare, the stakes have never been higher.
The message is clear: cyber resilience is no longer optional—it’s a necessity. Patching known vulnerabilities, enforcing strong authentication, and implementing proactive threat monitoring are vital steps in defending against these threats.
The Bybit breach is a stark reminder that even cold wallets—often considered the safest form of digital asset storage—are not immune to sophisticated attacks. Meanwhile, the continued exploitation of PyPI and the emergence of advanced phishing tools like Astaroth reinforce the reality that cybercrime is becoming more automated, scalable, and accessible to a wider range of threat actors.
However, steps are being taken in the right direction. The UK’s launch of the Cyber Monitoring Centre (CMC) represents an important step toward classifying and quantifying cyber threats, but it also highlights a critical reality: attacks on critical infrastructure, financial institutions, and emerging technologies will only become more frequent and severe.
As we head into the next month, one question remains: with governments rolling back encryption, AI supercharging cybercrime, and even ‘secure’ systems falling to hackers, are we heading towards a future where cybersecurity is no longer about protection, but about survival?
Penetration Tester | Cloud Security Engineer | Digital Forensics | CREST Practitioner Security Analyst
2 days ago
This underscores the urgent need for stronger security policies and proactive defense strategies
I build Cyber Sales Teams. Partnering with VC's to build sales teams for Cyber Security Companies. Trusted Advisor. 25,000+ followers. Best in class GTM Recruiter for early stage cyber vendors.
2 days ago
Great monthly wrap up guys!