KrebsOnSecurity 16th Anniversary: Cybersecurity Insights & History

by priyanka.patel tech editor

KrebsOnSecurity Marks 16 Years of Exposing the Dark Side of Cybercrime

KrebsOnSecurity.com celebrates 16 years of in-depth reporting on the ever-evolving landscape of cybercrime, a period marked by increasingly sophisticated attacks and a relentless pursuit of those who enable them. The past year saw a notable trend: accountability for key players in the cybercrime ecosystem, offering a glimmer of “comeuppance” amidst ongoing threats.

A Year of Accountability and Emerging Threats

Throughout 2025, KrebsOnSecurity focused on dismantling the infrastructure and exposing the individuals behind complex, globally-dispersed cybercrime services. This included investigations into entities providing critical support to malicious actors, as well as dissecting the tactics employed in widespread attacks.

Sanctions and Rebranding: The Case of Stark Industries Solutions Ltd.

In May 2024, scrutiny turned to Stark Industries Solutions Ltd., a “bulletproof hosting” provider that launched just before the invasion of Ukraine. The company quickly became a staging ground for repeated cyberattacks and disinformation campaigns attributed to the Kremlin. While the European Union sanctioned Stark and its co-owners a year later, analysis revealed that the penalties had limited impact, with the proprietors successfully rebranding and transferring assets to affiliated entities.

Cryptomus: A Payment Gateway for Cybercrime

KrebsOnSecurity also profiled Cryptomus, a Canada-based financial firm that emerged as the preferred payment processor for numerous Russian cryptocurrency exchanges and websites catering to Russian-speaking cybercriminals. In October 2025, Canadian regulators found Cryptomus in gross violation of anti-money laundering laws, imposing a record $176 million fine.

LastPass Heists and Cryptocurrency Theft

Investigations into major cyberheists continued to yield results. In September 2023, researchers linked a series of six-figure thefts to compromised master passwords stolen from password manager LastPass in 2022. U.S. federal agents investigating a $150 million cryptocurrency heist in March 2025 reached the same conclusion, confirming the scale of the breach.

The Rise of Phishing: Voice, SMS, and Beyond

Phishing remained a dominant threat, with KrebsOnSecurity delving into the daily operations of voice phishing gangs. A detailed report, “A Day in the Life of a Prolific Voice Phishing Crew,” revealed how these groups exploit legitimate services at Apple and Google to deliver convincing and financially devastating cryptocurrency scams. The proliferation of SMS phishing, or “smishing,” originating from China-based vendors also came under intense scrutiny, highlighting how easily stolen payment card data is converted into mobile wallets.

Unmasking Infrastructure: Funnull, Heartsender, and Beyond

Investigations extended to the underlying infrastructure supporting cybercrime. In January, research exposed Funnull, a content delivery network aiding China-based gambling and money laundering operations. The U.S. government subsequently sanctioned Funnull, identifying it as a key source of “pig butchering” investment scams.

In May, a collaborative effort between law enforcement in Pakistan, the FBI, and Dutch police led to the arrest of 21 individuals allegedly linked to Heartsender, a phishing and malware dissemination service first profiled by KrebsOnSecurity in 2015. The arrests followed the seizure of numerous servers and domains, with many suspects identified through malware inadvertently installed on their own computers.

From Opioids to Trademark Scams: Uncovering Hidden Connections

KrebsOnSecurity also uncovered connections between seemingly disparate criminal activities. The U.S. Department of Justice indicted the owners of a Pakistan-based e-commerce company for distributing synthetic opioids. Further investigation revealed that these same individuals were operating a long-running scheme to defraud Westerners seeking assistance with trademarks, book writing, and other professional services.

Academic Cheating and Kremlin Ties

An investigation revealed a lucrative academic cheating empire fueled by Google Ads, with potential ties to a Kremlin-connected oligarch whose Russian university builds drones for the war in Ukraine. An advertisement for an attack drone was even hosted on the same network as Russia’s largest private education company, Synergy University.

DDoS Attacks and the Rise of Aisuru and Kimwolf

Distributed denial-of-service (DDoS) attacks continued to escalate, reaching unprecedented levels of size and impact. In June, KrebsOnSecurity.com itself, which is protected by Google’s Project Shield, was targeted by what was at the time the largest DDoS attack Google had ever mitigated. The attack was attributed to the rapidly growing Aisuru Internet-of-Things botnet.

However, recent analysis suggests that some activity previously attributed to Aisuru may have been the work of the creators of Kimwolf, now identified as the world’s largest and most dangerous collection of compromised machines, boasting approximately 1.83 million devices as of December 17. Notably, the author of Kimwolf has demonstrated an “obsessive” fixation on cybersecurity journalist Brian Krebs, leaving hidden references within the botnet’s code.

Looking Ahead: The Kimwolf Threat

KrebsOnSecurity plans to publish in-depth reports in 2026 detailing the origins of Kimwolf and its invasive methods of spreading. The first article will include a security notification concerning devices and proxy services inadvertently supporting the botnet’s growth.

KrebsOnSecurity extends its gratitude to its readership for their continued support. Readers are encouraged to consider whitelisting the domain in their ad blockers, as ads are limited to static images vetted by the site’s author. Signing up for the email newsletter – currently boasting over 62,000 subscribers – ensures timely updates on new investigations.

Thank you again, and Happy New Year everyone! Be safe out there.
