Robert Grupe's AppSecNewsBits 2026-01-03

2025 Summary

The biggest cybersecurity and cyberattack stories of 2025

1. AI-Powered Attacks: used AI for faster exploitation, adaptive malware, and higher volumes of attacks.

2. Zero-days Attacks: network edge devices and internet-exposed services were primary targets for exploitation because they sit between the internet and an internal network.

3. The Salesforce Data-theft Attacks: attackers repeatedly gained access to customer data through compromised accounts, OAuth tokens, and third-party services.

4. Massive IT Outages: demonstrating how dependent global commerce has become on cloud infrastructure.

5. Insider Threats: employees or consultants with trusted access, whether intentionally abused or not revoked after termination, led to large-scale damage.

6. Targeting help desks in social engineering attacks: tricked help desks into bypassing security controls and granting employees access to their accounts.

7. AI Prompt-injection Attacks: causing models to leak sensitive data, generate malicious output, or perform unintended actions without exploiting flaws in the code itself.

8. The Continued Salt Typhoon Telco Attacks: long-term, persistent access to telecommunication networks.

9. North Korean IT Workers: laptop farms and rented identities.

10. Rise in Developer Supply Chain Attacks: Cybercriminals are increasingly targeting developers by abusing open-source package and extension repositories, turning them into malware distribution sites.

11. DDoS attacks increase in strength: increasing firepower of DDoS platforms, with attacks peaking at 5.6 Tbps, 7.3 Tbps, 11.5 Tbps, and later 22.2 Tbps.

12. Oracle data theft attacks: Clop extortion group exploited multiple zero-day vulnerabilities in Oracle E-Business Suite (EBS).

13. The $1.5 billion ByBit crypto heist: conducted via a compromised developer machine belonging to a developer.

14. ClickFix Social Engineering Attacks: webpages designed to display an error or issue and then offer "fixes" to resolve it.

15. The PornHub Data Breach: after stealing the company's Premium member activity data from third-party analytics provider Mixpanel.

The biggest failures of 2025: supply chains, AI, and cloud

• Supply Chain Attacks: Poisoning the well
  There were too many supply-chain attacks this year to list them all. Some of the other most notable examples included: Go packages, NPM, Magneto, open-source packages, multiple repository maintainer accounts.

• Memory corruption, AI chatbot style
  Another class of attack that played out more times in 2025 than anyone can count was the hacking of AI chatbots. The hacks with the farthest-reaching effects were those that poisoned the long-term memories of LLMs. In much the way supply-chain attacks allow a single compromise to trigger a cascade of follow-on attacks, hacks on long-term memory can cause the chatbot to perform malicious actions over and over.

• Using AI as bait and hacking assistants
  Other LLM-involved hacks used chatbots to make attacks more effective or stealthier. There were also multiple instances of LLM vulnerabilities that came back to bite the people using them. In one case, CoPilot was caught exposing the contents of more than 20,000 private GitHub repositories from companies including Google, Intel, Huawei, PayPal, IBM, Tencent, and, ironically, Microsoft.

• Meta and Yandex caught red-handed
  Both companies were caught exploiting an Android weakness that allowed them to de-anonymize visitors so years of their browsing histories could be tracked.

• Cloud failures
  The outage with the biggest impact came in October, when a single point of failure inside Amazon’s sprawling network took out vital services worldwide. It lasted 15 hours and 32 minutes. The root cause that kicked off a chain of events was a software bug in the software that monitors the stability of load balances by, among other things, periodically creating new DNS configurations for endpoints within the Amazon Web Services network.

• Code in the Deepseek iOS app that caused Apple devices to send unencrypted traffic,
  without first being encrypted, to Bytedance, the Chinese company that owns TikTok.

• The discovery of bugs in Apple chips that could have been exploited to leak secrets from Gmail, iCloud, and other services.

Death, torture, and amputation: How cybercrime shook the world in 2025

• Synnovis: The first confirmed ransomware-related death
  King's College Hospital NHS Trust – one of the hospitals affected by the blood shortages – confirmed that a patient died during the period of service disruption caused by the cyberattack.

• Kido International: Pre-schoolers' personal data weaponized
  Radiant Group posted the images of 10 schoolchildren online, complete with their home addresses, parents' names, and guardians' contact details. Even for a ransomware gang, this was bad… so bad that rival operation Nova publicly shamed Radiant on the Russian cybercrime forum RAMP, peer pressuring it to remove the data.

• Jaguar Land Rover: A landmark loan and a workforce living in fear
  The cost of its five-week shutdown, the associated recovery, and the missed payments to its huge supply chain, was pegged at more than £2 billion ($2.68 billion). It led to the UK government stepping in with a novel financial support package, and dented the UK's GDP growth.

• Amputations for compensation: Violence and cybercrime coalesce
  Ransomware crews are upping the ante with their attacks, increasingly resorting to threats of physical violence during the negotiation period. A Semperis study from July found that around 40% of ransomware victims had received such threats.
  Jameson Lopp, co-founder of crypto security biz Casa, publicly tracks violent crypto thefts, recording 67 for 2025 in total.
  Europol Operational Taskforce GRIMM arrested 193 suspects linked to crimes related to contract killings, intimidation, and torture. These typically involved grooming or coercing kids and teens to carry out the acts for cash.

• Virtual kidnappings: An AI-powered evolution
  While the FBI has not reported the total number of cases it has observed in the past year, according to its figures, hundreds of emergency scams were reported last year, in total costing victims around $2.7 million.

• Code red: Emergency alert systems downed
  No crises took place during the period of downtime, fortunately, although the attack demonstrates how a ransomware gang could have unintentionally caused intense chaos across various communities. 

OWASP Top 10:2025 Web Application Security Risks

A01:2025 - Broken Access Control
A02:2025 - Security Misconfiguration
A03:2025 - Software Supply Chain Failures
A04:2025 - Cryptographic Failures
A05:2025 - Injection
A06:2025 - Insecure Design
A07:2025 - Authentication Failures
A08:2025 - Software or Data Integrity Failures
A09:2025 - Security Logging and Alerting Failures
A10:2025 - Mishandling of Exceptional Conditions

EPIC FAILS in Application Development Security practice processes, training, implementation, and incident response
European Space Agency hit again as cybercrims claim 200 GB data up for sale
According to the alleged attacker, they gained access to ESA-linked external servers on December 18, and were connected for about a week, during which they claim to have stolen source code files, CI/CD pipelines, API and access tokens, confidential documents, configuration files, Terraform files, SQL files, hardcoded credentials, and a dump of all their private Bitbucket repositories as well.

22 Million Affected by Aflac Data Breach
The company disclosed the intrusion on June 20, saying it had identified suspicious activity on its network in the US on June 12 and blaming it on a sophisticated cybercrime group. Operations were not affected, as file-encrypting ransomware was not deployed.
The compromised information includes names, addresses, Social Security numbers, dates of birth, driver’s license numbers, government ID numbers, medical and health insurance information, and other data.
Scattered Spider hacking group might have been responsible for the intrusion, as it occurred around the same time that Google’s Threat Intelligence Group warned that the gang was focusing on insurance companies.

21K Nissan customers' data stolen in Red Hat raid
An unauthorized third party had accessed and copied some data from a Red Hat Consulting-managed, dedicated GitLab instance. According to the Nissan breach notification in December, Red Hat detected the intruders on September 26, and then alerted the automaker on October 3.
Leaked personal details include customers' addresses, names, phone numbers, partial email addresses, and other customer-related information used for sales activities.

Covenant Health says May data breach impacted nearly 478,000 patients
Covenant Health learned on May 26, 2025, that an attacker had breached its systems eight days earlier, on May 18, and gained access to patient data. In late June, the Qilin ransomware group claimed the attack, stating that it had stolen 852 GB of data comprising nearly 1.35 million files.
In July, the healthcare entity initially reported that the data of 7,864 people had been exposed, but further analysis has revealed a larger impact.
Beginning December 31, the organization started mailing data breach notification letters to patients.

Hackers drain $3.9M from Unleash Protocol after multisig hijack
The decentralized intellectual property platform Unleash Protocol has lost around $3.9 million worth of cryptocurrency after someone executed an unauthorized contract upgrade that allowed asset withdrawals. An externally owned address gained administrative control via Unleash’s multisig governance and carried out an unauthorized contract upgrade.
By performing the unauthorized smart contract upgrade, the attacker unlocked the ability to perform withdrawals, leveraging it to steal WIP (wrapped IP), USDC, WETH (wrapped Ether), stIP (staked IP), and vIP (voting-escrowed IP) assets. After their withdrawal, the assets were bridged via third-party infrastructure and transferred to external addresses to reduce traceability. The attacker deposited the stolen amounts into the Tornado Cash cryptocurrency mixing service.

Cryptocurrency theft attacks traced to 2022 LastPass breach
In 2022, LastPass disclosed that attackers breached its systems by compromising a developer environment, stealing portions of the company's source code and proprietary technical information. Rather than the wallet being drained immediately after a breach, the thefts were in waves months or years later, illustrating how the attackers gradually decrypting vaults and extracting stored credentials.

Korean telco failed at femtocell security, exposed customers to snooping and fraud
Femtocells are customer premises equipment which include a small mobile base station and use a wired broadband service for backhaul into a carrier’s network. Carriers typically deploy them in areas where mobile network signals are weak to improve coverage in and around customers’ homes.  Korea Telecom (KT) deployed thousands of badly secured femtocells, leading to an attack that enabled micropayments fraud and snooping on customers’ communications – maybe for years.
The femtocells had no root password, stored keys in plaintext, and were remotely accessible because SSH was enabled.

Waymo pings updates to San Francisco fleet to prevent power outage chaos 2.0
Waymo says it is rolling out updates to its US fleet to counter future disruption caused by power outages like the one that hit San Francisco. Videos showed Waymo cabs lined up in streets with their hazard lights blaring, as human-controlled cars carefully navigated around the congestion.
The robotaxi biz was a focal point of the power outages at Pacific Gas and Electric (PG&E), with videos circulating online of its self-driving cars plonked in the middle of the city's busy roads, unresponsive due to traffic signal failures. The company responded by saying its fleet is programmed to treat disabled signals as four-way stops, but "the scale of the outage and the sheer number of disabled traffic lights" led to cases where its cars remained stationary for longer than usual.

NIST contemplated pulling the pin on NTP servers after blackout caused atomic clock drift
A staffer at the USA’s National Institute of Standards and Technology (NIST) tried to disable some of its Network Time Protocol infrastructure, after a power outage around Boulder, Colorado, led to errors. But the storms that caused the outage were so severe, only emergency services personnel are allowed to visit the site.
That’s bad because one of the things NIST uses its atomic clocks for is to provide a Network Time Protocol service, the authoritative source of timing information that the computing world relies on so that diverse systems can synchronize events. If NTP isn’t working, outcomes can include difficulties authenticating between systems, meaning applications can become unstable.
This incident therefore shouldn’t trouble the prudent, but may leave some NTP feed users unawares if they rely solely on the Boulder facility’s time feeds.
Time servers ran on battery power for about two hours, and that he learned the disseminated UTC(NIST) signal "likely did not deviate by more than 5 us (five millionths of a second) and appeared stable."
To put a deviation of a few microseconds in context, the NIST time scale usually performs about five thousand times better than this at the nanosecond scale by composing a special statistical average of many clocks. Such precision is important for scientific applications, telecommunications, critical infrastructure, and integrity monitoring of positioning systems. But this precision is not achievable with time transfer over the public Internet; uncertainties on the order of 1 millisecond (one thousandth of one second) are more typical due to asymmetry and fluctuations in packet delay.

Pen testers accused of 'blackmail' after reporting Eurostar AI chatbot flaws
Pen Test Partners found four flaws in Eurostar's public AI chatbot that, among other security issues, could allow an attacker to inject malicious HTML content or trick the bot into leaking system prompts.
After initially reporting the security issues - and not receiving any response - via a vulnerability disclosure program emails and LinkedIn direct messages.
“What transpired is that Eurostar had outsourced their VDP between our initial disclosure and hard chase. They had launched a new page with a disclosure form and retired the old one. It raises the question of how many disclosures were lost during this process."
Eventually, Eurostar found the original email containing the report, fixed "some" of the flaws, and so Pen Test Partners decided to proceed with publishing the blog.
But in the LinkedIn back-and-forth, Munro says: "Maybe a simple acknowledgement of the original email report would have helped?" And then, per a LinkedIn screenshot with Eurostar exec's name and photo blacked out, the security boss replied: "Some might consider this to be blackmail."

Crims disconnect Wired subscribers from their privacy, publish deets online
A criminal group is beating Conde Nast over the head for not responding sooner to its extortion attempt by posting stolen subscribers' email and home addresses and warning the publisher of Wired, The New Yorker, Vanity Fair, and Teen Vogue that it has 40 million more entries.
“Conde Nast does not care about the security of their users’ data. It took us an entire month to convince them to fix the vulnerabilities (on) their website,” the hackers wrote in a forum post. “We will leak more of their users’ data (40+ million) over the next few weeks. Enjoy!”

Users prompt Elon Musk's Grok AI chatbot to remove clothes in photos then 'apologize' for it
Some X users noticed if they took a photograph that had been posted on the service and prompted Grok to remove the clothing from that photo, it would do so and post the results publicly on X. This may have violated various laws, such as the TAKE IT DOWN Act passed by the US Congress in April and signed into law in May, which "criminalizes the nonconsensual publication of intimate images."
Then, the X account for Grok generated a tweet or whatever you call it now blaming "lapses in safeguards" and said it was "urgently fixing them." It is not clear whether this latest tweet was written by a human or was another AI-generated response to yet another prompt.

HACKING

 'Heartbleed of MongoDB' is now under active exploit
Any internet-exposed MongoDB Server running a vulnerable version is open to attack, and private servers reachable through lateral movement by attackers are also ripe for the plucking.
The specifics of the vulnerability stem from the network transport layer of MongoDB, which can be forced to allocate or process undersized buffers during decompression of network messages. The zlib message compressor used by MongoDB, prior to the patch deployed to fix the issue, was coded to return the output length instead of just the actual length of decompressed data, meaning it could be tricked into spilling whatever was in the allocated memory instead of just the real length of the decompressed data. Oops.
Identified as CVE-2025-14847, this CVSS 8.7 vulnerability in the widely used open-source MongoDB Server. The vulnerability was identified back on December 15 and patched shortly thereafter.
If you cannot upgrade immediately, disable zlib compression on the MongoDB Server.

MITM Attack Vector: Browser extensions with 8 million users collect extended AI conversations
Security firm Koi discovered the 8 extensions which harvest users’ complete and extended AI conversations and sell them for marketing purposes. The free extensions provide functions such as VPN routing to safeguard online privacy and ad blocking for ad-free browsing.
Each of the extensions contain “executor” scripts, with each being unique for ChatGPT, Claude, Gemini, and five other leading AI chat platforms. The scripts are injected into webpages any time the user visits one of these platforms. From there, the scripts override browsers’ built-in functions for making network requests and receiving responses.
As a result, all interaction between the browser and the AI bots is routed not by the legitimate browser APIs—in this case fetch() and HttpRequest—but through the executor script. The extensions eventually compress the data and send it to endpoints belonging to the extension maker.
Koi’s discovery is the latest cautionary tale illustrating the growing perils of being online. It’s questionable in the first place whether people should trust their most intimate secrets and sensitive business information to AI chatbots, which come with no HIPAA assurances, attorney-client privilege, or expectations of privacy.

Parked Domains Become Weapons with Direct Search Advertising
Parking threats are fueled by lookalike domains. No domain is immune.
At the heart of the matter is a feature referred to as direct search or zero click parking, which is intended to directly deliver users relevant content based on the parked domain name. When a domain owner opts into direct search, traffic to the domain is sold to advertisers who bid on keywords and traffic characteristics. In practice, the site visitor is usually funneled through a series of traffic distribution systems (TDSs) operated by third-party advertising platforms, creating a complex web where a legitimate business model is weaponized for abuse. In large scale experiments, we found that over 90% of the time, visitors to a parked domain would be directed to illegal content, scams, scareware and anti-virus software subscriptions, or malware.
When one of our researchers tried to report a crime to the FBI’s Internet Crime Complaint Center (IC3), they accidentally visited ic3[.]org instead of ic3[.]gov. Their phone was quickly redirected to a false “Drive Subscription Expired” page. They were lucky to receive a scam; based on what we’ve learnt, they could just as easily receive an information stealer or trojan malware. The real threat from parked domains comes from their ability to hide malicious activity. If we visit that same domain from a website scanner, it delivers a stereotypical parking page, leading people and automated systems to believe it is harmless.

The Kimwolf Botnet is Stalking Your Local Network
Kimwolf’s has infected more than 2 million devices globally, by effectively tunneling back through various “residential proxy” networks and into the local networks of the proxy endpoints, and by further infecting devices that are hidden behind the assumed protection of the user’s firewall and Internet router.
These residential proxy programs also are commonly installed via unofficial Android TV boxes sold by third-party merchants on popular e-commerce sites like Amazon, BestBuy, Newegg, and Walmart. These TV boxes range in price from $40 to $400, are marketed under a dizzying range of no-name brands and model numbers, and frequently are advertised as a way to stream certain types of subscription video content for free.
Kimwolf also is quite good at infecting a range of Internet-connected digital photo frames that likewise are abundant at major e-commerce websites.
[rG: And let’s not forget network attached home appliances and devices that use saved WiFi passwords, as well as home device control mobile apps.]

Poisoned WhatsApp API package steals messages and accounts
A malicious npm package with more than 56,000 downloads masquerades as a working WhatsApp Web API library, and then it steals messages, harvests credentials and contacts, and hijacks users' WhatsApp accounts.
It's based on the legitimate Baileys library and provides real, working functionality for sending and receiving WhatsApp messages."
The secret-stealing library is a fork of the legitimate @whiskeysockets/baileys package that uses WebSocket to communicate with WhatsApp.
This means that every WhatsApp communication passes through the socket wrapper, allowing it to capture your credentials when you log in and intercept messages as they are sent and received. All your WhatsApp authentication tokens, every message sent or received, complete contact lists, media files - everything that passes through the API gets duplicated and prepared for exfiltration.
The malware also uses a custom RSA implementation to encrypt the data, plus four layers of obfuscation - Unicode manipulation, LZString compression, Base-91 encoding, and AES encryption - before sending the stolen info to an attacker-controlled server.
Plus, it backdoors the user's WhatsApp account via the chat app's device pairing process, linking the attacker's device to the victim's. This means even after uninstalling the malicious npm package, the attacker's device can remain linked to the unknowing user's WhatsApp account.

 APPSEC, DEVSECOPS, DEV

From AI to analog, cybersecurity tabletop exercises look a little different this year
This year, organizations need to account for the speed of AI, both in terms of how attackers use these tools to find and exploit bugs, and how defenders can use AI in their response.
From the attackers' side, this means more targeted, convincing phishing emails, faster reconnaissance and scanning for vulnerabilities, and troves of sensitive data that can be quickly scanned and stolen. Meanwhile, defenders need to ensure their LLMs aren't leaky, and AI agents aren't accessing data that they shouldn't have access to.
Don't rely only on online files. Exercises must practice reverting to minimum viable business operations, utilizing offline golden copies of data and robust approval processes that an algorithm cannot spoof. If you can't trust what you see on the screen, your strongest defense is actually process, not technology.
Every exercise should include alternates, because real incidents rarely happen when your first choice responder is available

NIST and CISA Release Draft Interagency Report on Protecting Tokens and Assertions from Tampering Theft and Misuse for Public Comment
This report is in response to Sustaining Select Efforts to Strengthen the Nation’s Cybersecurity and Amending Executive Order 13694 and Executive Order 14144, providing implementation guidance to help federal agencies and cloud service providers (CSPs) protect identity tokens and assertions from forgery, theft, and misuse. 
This report covers the controls for identity access management (IAM) systems that rely on digitally signed assertions and tokens when making access decisions. It discusses how CSPs and cloud consumers, including government agencies, can better define their respective roles and responsibilities for managing IAM controls in cloud environments. It establishes principles for both CSPs and cloud consumers, calling on CSPs to apply Secure by Design best practices, and to prioritize transparency, configurability, and interoperability, empowering consumers to better defend their diverse environments.

Microsoft wants to replace its entire C and C++ codebase, perhaps by 2030
Unlike C and C++, Rust is a memory-safe language, meaning it uses automated memory management to avoid out-of-bounds reads and writes, and use-after-free errors, as both offer attackers a chance to control devices. In recent years, governments have called for universal adoption of memory-safe languages – and especially Rust – to improve software security.
“Our strategy is to combine AI and Algorithms to rewrite Microsoft’s largest codebases,” he added. “Our North Star is ‘1 engineer, 1 month, 1 million lines of code.’”

Hong Kong’s newest anti-scam technology is over-the-counter banking
Scarcely a day passes without Hong Kong’s government warning about newly-discovered phishing campaigns or fake bank websites. Scammers sometimes establish internet banking accounts without customers’ permission. The Monetary Authority therefore required all local banks to establish Money Safe accounts that allow customers to set aside funds which they can only access by visiting a brick-and-mortar bank. Digital banks that don’t operate branches require customers to visit their offices for ID checks. When customers need to use the protected deposits, banks will conduct a face-to-face anti-scam verification with the customers, thus offering them a chance to carefully consider whether they have been scammed. Customers can transfer or withdraw the deposits only after completing the process. 

VENDORS & PLATFORMS

Why Google Dark Web Report Is Discontinued
"While the report offered general information, feedback showed that it didn't provide helpful next steps. We're making this change to instead focus on tools that give you more clear, actionable steps to protect your information online." What those tools may be is anyone's guess as Google only pointed users to existing tools for securing their Google accounts.

IPv6 just turned 30 and still hasn’t taken over the world, but don't call it a failure
Less than half of all netizens use IPv6 today. Migration costs, complexity, and training requirements remain high, while short-term ROI is low.
The most important change from IPv4 to IPv6 was moving from 32-bit to 128-bit addresses, a decision that increased the available pool of IP addresses from around 4.3 billion to over 340 undecillion – a 39-digit number. IPv6 was therefore thought to have future-proofed the internet, because nobody could imagine humanity would ever need more than a handful of undecillion IP addresses, never mind the entire range available under IPv6.
IPv6 was an extremely conservative protocol that changed as little as possible. IPv6 didn't add features that represented major improvements, and IPv6 was not backward-compatible with IPv4, meaning users had to choose one or the other – or decide to run both in parallel. Many of the security, plug-and-play, and quality of service features that didn't make it into IPv6 were eventually implemented in IPv4.
Network address translation (NAT) allows many devices to share a single public IPv4 address. Operators could connect thousands of devices with a single IP address, meaning their existing IP addresses became more useful. These solutions were relatively easy to deploy. Because NAT stalled IPv6 adoption, vendors didn't rally behind the new protocol.

ServiceNow opens $7.7B ticket titled 'Buy security company, make it Armis'
Customers will be able to see vulnerabilities, prioritize risks, and close them with automated workflows.

brow6el: Finally - a terminal solution to the browser wars
AI-powered web browsers are such a serious risk that Gartner warned organizations to block any and all web browsers with so much as an AI sidebar in them for fear that the companies running the models powering them would "accidentally" slurp up confidential information. As full-featured as it is, brow6el might not be an end-all, be-all alternative to less secure and AI-bloated browsers.
brow6el runs entirely within terminal emulators that support the Sixel graphics format: a bitmap graphics format designed for terminals and printers that encodes bitmap data into terminal escape sequences, with each printable character representing a 6-pixel-high, 1-pixel-wide column. Tile enough of them together and you've got full-color images, and even animation. It also supports full mouse input, bookmarks, a download manager, private and normal browsing modes, HTML5/CSS/JavaScript support via Chromium, a page inspection mode, JavaScript console, popup handling, a pre-installed ad blocker - basically the works, all running inside a terminal with graphics good enough that it looks like your typical corporate, AI-ified browser.

Recent analysis by the Australian Strategic Policy Institute found that of 64 crucial technologies, China leads in 57 and the United States in the remaining seven. Europe leads in none.
The US led in 60 of 64 technologies in the five years from 2003 to 2007, but in the most recent five years (2019–2023) is leading in seven. China led in just three of 64 technologies in 2003–20074 but is now the lead country in 57 of 64 technologies in 2019–2023.
China’s new gains have occurred in quantum sensors, high-performance computing, gravitational sensors, space launch and advanced integrated circuit design and fabrication (semiconductor chip making). The US leads in quantum computing, vaccines and medical countermeasures, nuclear medicine and radiotherapy, small satellites, atomic clocks, genetic engineering and natural language processing.
India now ranks in the top 5 countries for 45 of 64 technologies (an increase from 37 last year) and has displaced the US as the second-ranked country in two new technologies (biological manufacturing and distributed ledgers) to rank second in seven of 64 technologies. Another notable change involves the UK, which has dropped out of the top 5 country rankings in eight technologies, declining from 44 last year to 36 now.
Besides India and the UK, the performance of most secondary S&T research powers (those countries ranked behind China and the US) in the top 5 rankings is largely unchanged: Germany (27), South Korea (24), Italy (15), Iran (8), Japan (8) and Australia (7). 

LEGAL & REGULATORY

US cybersecurity experts plead guilty to BlackCat ransomware attacks
Two former employees of cybersecurity incident response companies Sygnia and DigitalMint have pleaded guilty to targeting U.S. companies in BlackCat (ALPHV) ransomware attacks in 2023. 33-year-old Ryan Clifford Goldberg of Watkinsville, Georgia (in federal custody since September 2023), and 28-year-old Kevin Tyler Martin of Roanoke, Texas, who were charged in November, have now pleaded guilty to conspiracy to obstruct commerce by extortion and are set to be sentenced on March 12, 2026, facing up to 20 years in prison each.

Disney will pay $10 million to settle children's data privacy lawsuit
A federal judge has approved an order requiring Disney to pay a $10 million civil penalty to settle claims that it violated the Children's Online Privacy Protection Act by mislabeling videos and allowing data collection for targeted advertising.
Disney allegedly failed to tag kid-directed videos on YouTube as "Made for Kids" (MFK), a label that instructs YouTube to block personal data collection and stop displaying personalized ads on correctly designated content to protect children's privacy.
The Justice Department added that Disney also failed to correctly designate children-focused content, even after YouTube alerted the entertainment giant that it switched labels in 2020 for over 300 Disney videos from NMFK to MFK.

Europe gets serious about cutting digital umbilical cord with Uncle Sam's big tech
The US CLOUD Act of 2018 allows American authorities to compel US-based technology companies to provide requested data, regardless of where that data is stored globally. This places European organizations in a precarious position, as it directly clashes with Europe's own stringent privacy regulation, the General Data Protection Regulation (GDPR). Furthermore, these warrants often come with a gag order, legally prohibiting the provider from informing their customer that their data has been accessed. This creates a risk that is difficult, if not impossible, to mitigate contractually. Any private contract between a European customer and a US cloud provider is ultimately subordinate to US federal law.
A recent acquisition in the Netherlands illustrates this risk. In November 2025, the American IT services giant Kyndryl announced its intention to acquire Solvinity, a Dutch managed cloud provider. This came as an “unpleasant surprise” to several of its government clients, including the municipality of Amsterdam and the Dutch Ministry of Justice and Security. These bodies had specifically chosen Solvinity to reduce their dependence on American firms and mitigate CLOUD Act risks. The case demonstrates that even a deliberate choice for a local provider offers no guarantee of long-term sovereignty when that provider can be acquired by a US-based entity, exposing a critical flaw in Europe's strategy that cannot be solved by procurement alone.

There’s so much stolen data in the world, South Korea will require face scans to buy a SIM
The nation has a problem with criminals registering mobile phone accounts and then using them to run scams such as voice phishing. The nation's new policy therefore extends existing customer authentication arrangements, which see buyers required to present verifiable identity documents at the point of sale, to add verification of a facial scan.
South Korea has a population of almost 52 million and has experienced two major data theft incidents this year that impacted more than half of all residents. E-tailer Coupang leaked over 30 million records, an incident that cost its CEO his job.
SK Telecom, exposed data describing all of its 23 million customers.
Korean authorities have already fined SK Telecom $100 million after learning of the carrier's woefully bad infosec practices, which included exposing plaintext credentials for its infrastructure on an internet-facing server. The telco also stored millions of user credentials without encryption in its database, making it easy for attackers to clone customers or add devices to their accounts.
The incident will now cost the carrier another $1.55 billion, after South Korea's Consumer Dispute Mediation Commission on Sunday ordered the telco to compensate all 23 million customers to the tune of ₩100,000 ($67).

NYC Mayoral Inauguration bans Raspberry Pi and Flipper Zero alongside explosives
If the goal is to restrict electronic interference, the language should say so plainly. Unauthorized transmitters. Signal interception tools. Electronic hacking devices. Those are enforceable things already. Naming a short list of familiar gadgets reads less like safety planning and more like anxiety fossilized into policy.
There is a cultural cost to banning brand names like Raspberry Pi. New York is full of educators, artists, technologists, and journalists who use small embedded computers as tools of expression and access. A device-specific ban turns curiosity itself into something suspicious, while ignoring the far more capable computers already in everyone’s pockets.

Brit lands invite-only Aussie visa after uncovering vuln in government systems
Riggs, a 36-year-old Londoner and aspiring Australian resident for most of his adult life, submitted an expression of interest for the NIV in April and patiently waited for the outcome. Months later, with his application still sitting in the review queue, he went about looking for holes in the Australian government's networks. Riggs zeroed in on the Department of Foreign Affairs and Trade (DFAT) after seeing that it had a responsible vulnerability disclosure framework. He said that it took him a couple of hours to find a critical-severity vulnerability in DFAT's systems, which was promptly fixed, resulting in his name appearing as one of just four to have successfully reported a bug under the scheme.