In 2025, cybercrime stopped looking like a technical problem and started behaving like a systemic one. Attackers no longer relied solely on obscure malware or suspicious emails. Instead, they embedded themselves into platforms people trust, services economies depend on, and digital habits that feel routine and safe.

From ransomware crippling global transport networks to phishing emails sent from legitimate Meta domains, from malware hidden in YouTube tutorials and GitHub repositories to NFC payment fraud and location-sharing risks on social media, the year revealed a stark reality: the more interconnected and convenient our digital ecosystems become, the more powerful they are as attack surfaces.

What unites these incidents is not their targets but their strategy: exploiting trust at scale to turn digital access into physical, financial, and societal disruption.

Target Travelers

Recently, Cyble Inc. released its Transport & Logistics Threat Landscape Report 2025, revealing a sharp escalation in cyber threats targeting one of the most critical pillars of global commerce. The report documented a record 283 ransomware attacks against transport and logistics organizations, more than the combined total of attacks observed in 2023 and 2024, alongside major data breaches, destructive hacktivist campaigns, and a thriving underground market for compromised network access.

The comprehensive analysis highlights how cybercriminals increasingly exploit the sector’s low tolerance for downtime, operational technology dependencies, and globally interconnected supply chains to maximize disruption and financial gain.

“The transport and logistics sector has become a prime target for cybercriminals because operational disruption translates directly into economic and societal impact,” said Daksh Nakra, Senior Manager of Research and Intelligence at Cyble. “In 2025, we observed ransomware campaigns capable of crippling airlines, shipping firms, and ground logistics providers within hours, often by exploiting a single vulnerability across dozens of organizations.”

Ransomware activity disproportionately impacted land-based operations, accounting for nearly three out of every four attacks, with logistics and freight services emerging as the most targeted sub-sector. Airlines, maritime shipping firms, trucking companies, rail operators, and even public transit authorities were affected, underscoring the systemic risk to both commercial and public infrastructure.

The report documents a fragmented but highly active data breach ecosystem, in which both persistent threat actors and opportunistic sellers leaked or sold sensitive data throughout the year. Notable incidents include a breach affecting approximately 6 million Qantas customers, exposing personal information such as names, email addresses, and frequent flyer numbers. The report also notes multiple courier and postal service data leaks across Europe and Asia that exposed customer PII and operational data.

In 2025, hacktivist activity produced over 40,000 data leak and dump posts affecting over 44,000 unique domains worldwide. The transport and logistics sector was repeatedly targeted in campaigns driven by geopolitical conflicts. In July, a pro-Ukrainian group unleashed a devastating cyberattack on the Russian airline Aeroflot, resulting in flight cancellations and large-scale infrastructure damage.

Target Shoppers

Another Cyble Research and Intelligence Labs (CRIL) report identified a newly emerging and technically advanced Android malware family, dubbed RelayNFC, which is actively targeting mobile payment users across Brazil.

The malware enables real-time NFC relay attacks, capturing victims’ card details and PINs by tricking them into tapping their contactless payment cards against infected Android devices. RelayNFC then transmits the stolen credentials directly to attacker-controlled servers, allowing fraudulent transactions to happen as if the physical card were present.

This discovery marks a significant evolution in mobile payment fraud, combining social engineering, NFC manipulation, and advanced code obfuscation to bypass traditional mobile security mechanisms.

Target SMBs

In November, email security researchers at Check Point uncovered a large-scale phishing campaign abusing Facebook’s Business Suite and facebookmail.com features to send convincing fake notifications that appear to come directly from Meta. This method makes their campaigns extremely convincing, bypasses many traditional security filters, and demonstrates how attackers are exploiting trust in well-known platforms.

Over 40,000 phishing emails were distributed to more than 5,000 customers, primarily across the US, Europe, Canada, and Australia, targeting industries that rely heavily on Facebook for advertising. These include automotive, education, real estate, hospitality, and finance.

The campaign primarily focused on small and mid-sized businesses (SMBs) and mid-market enterprises, with a smaller number of large, well-known companies also caught in the mix. These sectors, particularly those that rely on Meta platforms for customer engagement, are ideal targets because their employees frequently receive genuine “Meta Business” notifications and are therefore more likely to trust such messages. 
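Because the mail in the campaign described above genuinely originates from facebookmail.com, sender authentication and domain reputation checks pass and cannot be the signal. The following defender-side check, an added example that is not from the article or from Check Point’s report, inspects where the links in such a notification actually lead. It assumes that a lookalike notification pushes the reader to a non-Meta URL; the list of Meta-owned domains and both sample messages are constructed for illustration.

```python
"""Flag Meta-branded notification mail whose links leave Meta-owned domains."""
import email
import email.utils
import re
from email import policy
from urllib.parse import urlparse

# Domains a genuine Meta notification may link to. This list is an assumption
# for the example; extend it for the tenant you are protecting.
META_DOMAINS = {"facebook.com", "facebookmail.com", "meta.com", "fb.com", "instagram.com"}

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def _is_meta_domain(host: str) -> bool:
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in META_DOMAINS)


def suspicious_links(raw_message: str) -> list[str]:
    """Return links in a facebookmail.com message that point outside Meta domains.

    Messages from any other sender are out of scope here and yield an empty list;
    for them, ordinary sender checks still apply.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    sender = email.utils.parseaddr(str(msg.get("From", "")))[1]
    if not sender.lower().endswith("@facebookmail.com"):
        return []
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    # Any link whose host is not Meta-owned is the tell: the envelope is real,
    # the destination is not.
    return [u for u in URL_RE.findall(text) if not _is_meta_domain(urlparse(u).hostname or "")]


# Constructed samples: a benign notification and a lookalike that redirects the reader.
GENUINE = """From: Meta for Business <notification@facebookmail.com>
To: ads@example.com
Subject: Your ad account summary

Review your account: https://business.facebook.com/latest/home
"""

LOOKALIKE = """From: Meta for Business <notification@facebookmail.com>
To: ads@example.com
Subject: Action required: policy violation

Your page will be disabled in 24 hours. Appeal here: https://meta-appeal-center.example/verify
"""
```

Feeding the two samples through `suspicious_links` returns nothing for the genuine notice and the external appeal URL for the lookalike; in a mail pipeline the non-empty result is what should drive quarantine or a banner.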

This trend, in which cyber criminals weaponize legitimate services to gain trust and bypass security controls, is growing. In July, a sweeping cyber espionage operation targeting Microsoft server software compromised about 100 organizations.

Target Social Media Users

In October, according to a Check Point Research report, a large-scale malware distribution operation called YouTube Ghost Network used fake and compromised YouTube accounts to distribute infostealers such as Rhadamanthys and Lumma. The operation relied on cracked software and game hack videos to lure victims into downloading password-protected archives containing malware. Compromised accounts were used to post videos, share links, and flood comment sections with fake endorsements, creating a false sense of trust.

The investigation identified over 3,000 malicious videos, revealing a growing trend of cyber criminals exploiting social platforms and engagement tools to distribute malware at scale.

Location sharing features on social media platforms, like Instagram’s new “Friend Map,” can also blur the line between digital privacy risks and physical security threats, exposing users to targeted attacks, stalking, and unwanted profiling. According to Check Point Research, the way the feature is designed, combined with the social pressures that drive behavior on Instagram, means that even cautious users could end up revealing more about their movements and habits than they ever intended.

Target Minecraft Players

Also, last year, a Check Point Research report uncovered a multistage malware campaign in which the malware itself was embedded within fake Minecraft mods, shared on GitHub to specifically target active players. The attack involved a Java downloader, a second-stage stealer, and a final advanced stealer that harvests passwords, crypto wallets, and other sensitive data. Russian-language comments and behavior aligned with the UTC+3 time zone suggest the malware was developed by a Russian-speaking attacker.

The fun of Minecraft, the popular video game with over 200 million monthly active players that has sold more than 300 million copies, is the ability to customize and enhance the game through mods, user-created tools that improve gameplay, fix bugs, and add new content. It’s estimated that more than a million players actively mod Minecraft, forming a vibrant and creative community.

But in that popularity, cyber criminals found opportunity. With approximately 65% of Minecraft’s player base under the age of 21, the platform became an attractive target for cyber criminals looking to exploit a large, engaged, and often less-protected audience.

In March 2025, Check Point Research (CPR) began tracking a malicious campaign targeting Minecraft players through a network known as Stargazers Ghost Network. First identified by CPR in July 2024, this network operates under a distribution-as-a-service (DaaS) model, leveraging multiple GitHub accounts to spread malicious links and malware at scale.

The network delivered a multistage attack designed to quietly infect users’ machines, masquerading as popular mods like Oringo and Taunahi, both commonly known as cheat tools within the community. The malware was developed in several stages. The first two stages were written in Java and required Minecraft to be pre-installed on the victim’s device, allowing the attackers to target a specific vulnerable group: active Minecraft players.

What to Trust by Default

The cyber incidents of 2025 show that security can no longer be treated as a backend IT concern or a user-awareness checkbox. When logistics networks grind to a halt, flights are cancelled, money is stolen through a simple tap, or young gamers unknowingly install malware through trusted communities, the impact spills far beyond data loss.

As we move into 2026, defending against cyber threats will require rethinking how trust is granted, how platforms are governed, and how digital features are designed with real-world consequences in mind. The challenge ahead is not just to secure systems, but to secure ecosystems, where technology, human behavior, and physical infrastructure are now inseparably linked.

In a world where attackers thrive by blending in, the future of cybersecurity will depend less on spotting the obvious threat, and more on questioning what we trust by default.
