The past year has seen an unprecedented number of cyber-attacks targeting large enterprises and globally recognized brands.

Among the major trends Infosecurity reported on in 2025, we saw organized ransomware groups and more nebulous collectives of teenager hackers alike manage to break into systems using clever but often unsophisticated tactics.

Additionally, we saw a series of software supply chain attacks, where adversaries – spanning from low-skilled cybercriminals to nation-state groups – leveraged critical vulnerabilities in globally deployed corporate tools or popular open source software and packages to reach a wide range of victims.

In this article, Infosecurity has set out the top ten cyber-attacks of 2025, which have been decided based on factors such as data loss, recovery costs, real-world impacts and wider geopolitical implications.

The cyber-attacks have been listed from the most recently reported incident to the oldest.

Clop Exploits Oracle E-Business Suite Zero-Day Vulnerability

In early October 2025, Oracle advised customers that hackers may be exploiting vulnerabilities in unpatched instances of its E-Business Suite (EBS).

This warning came after Google Threat Intelligence Group (GTIG) reported that an individual or group of hackers were sending extortion emails to executives in several companies, claiming to have stolen sensitive data from the EBS.

The exploit campaign was attributed to the Clop group, a notorious Russian-speaking ransomware-as-a-service (RaaS) cybercrime gang first identified back in 2019.

The vulnerability exploited in the EBS campaign, CVE-2025-61882, was a zero-day, for which Oracle released a patch in an emergency update on October 5.

GTIG said it was exploited by Clop hackers alongside other flaws for which Oracle released patches in its July 2025 Critical Patch Update.

A large number of organizations are believed to have been targeted, including GlobalLogic, a US-headquartered software company owned by Japanese conglomerate Hitachi, and Barts Health, a London-based NHS trust.

Asahi Data Breach Hits Two Million, Disrupts Brewery Operations

Japanese-headquartered brewing giant Asahi announced at the end of September 2025 it was suspending operations in Japan following a “system failure” caused by a cyber-attack.

The incident was quickly confirmed to be a ransomware attack and data had been stolen from Asahi’s servers. In early October, consumer website Comparitech revealed that the Qilin ransomware group had listed Asahi on its data leak site, claiming to have stolen 27 GB of files from the company.

The brewing group owns a range of Asahi-branded beers but also Italian beer Peroni, Czech beer Pilsner Urquell and Hungarian beer Dreher.

Following the cyber-attack, the group established an Emergency Response Headquarters to investigate the incident and isolated affected systems to try and safeguard critical data, including the personal information of customers and business partners.

Despite these efforts, the personal data of approximately 1.914 million individuals, including 1.525 million customers, were or may have been exposed.

Additionally, operational disruptions could last until at least February 2026. Once this recovery phase is over, CEO Atsushi Katsuki said he wants to create a new dedicated cybersecurity unit within the group as part of the company’s “reconstruction phase.”

Jaguar Land Rover Hack Described as UK's Costliest Ever

A cybersecurity incident had “severely disrupted” sales and production operations for UK-based carmaker Jaguar Land Rover (JLR) in September 2025.

As a result of the incident, staff working at JLR’s Halewood production plant in Merseyside were told not to go to work while the company was responded to the incident.

The incident had a significant impact on the wider automotive economy as car dealers were unable to register new JLR vehicles on September 1 as a result of the incident – during one of the busiest periods in the year for new car registrations in the UK.

An individual purporting to be a spokesperson for the Scattered Lapsus$ Hunters group – an alleged collaboration between Scattered Spider, ShinyHunters and Lapsus$ - told the BBC that the group had accessed JLR’s systems and was trying to extort the firm for money.

Despite JLR restarting full manufacturing operations in October, the cyber-attack proved extremely costly for the carmaker, which revealed that revenue for the three months to September 30, 2025, was down 24% year on year.

The hack also had a ripple effect on the British economy as a whole, with the UK-based independent organization, the Cyber Monitoring Centre (CMC), characterizing the incident as a “systemic cyber event”. The CMC’s evaluation found that the incident caused a UK financial impact of £1.9bn ($2.55bn) and affected over 5000 UK organizations.

Salesforce Hit with Third-Party Hacks, Affecting High-Profile Firms

Rumors of a massive data theft campaign targeting Salesforce customers was confirmed by Google in early August 2025.

The tech giant verified that data has been retrieved by a threat actor, believed to be ShinyHunters, but said the stolen data was largely publicly available business information, such as business names and contact details.

In late August, however, Google Threat Intelligence Group (GTIG) confirmed that another threat group, tracked as UNC6395, had targeted “numerous” Salesforce customer instances between August 8 and August 18, systematically exfiltrating large volumes of data. 

The latter campaign seemed to spread via compromised OAuth tokens associated with the third-party Salesloft Drift application, which integrates with Salesforce to help sales and marketing teams collaborate on projects.

Some high-level companies admitted having customer data stolen from this campaign, including  BeyondTrust, Bugcrowd, Cato Networks, Cloudflare, CyberArk, Elastic, Google, JFrog, Nutanix, PagerDuty, Palo Alto Networks, Qualys, Rubrik, SpyCloud, Tanium, Tenable and Zscaler. Fashion giants Chanel and Pandora also disclosed breaches linked to compromised Salesforce accounts.

In November, a similar breach was confirmed by Gainsight via its SFDC Connector, which allows Gainsight applications to connect to Salesforce.

While Salesforce and Gainsight first mentioned that only three customers were affected by the breach, Gainsight later admitted that the number “has been expanded to a larger list.”

On-Prem SharePoint Customers Targeted in ‘ToolShell’ Exploit

In late July 2025, Microsoft warned that attackers were actively exploiting SharePoint vulnerabilities in campaign targeting SharePoint on-premises servers and impacting critical sectors like government and healthcare.

The attack campaigns chained two critical and high-severity vulnerabilities, CVE-2025-53770 and CVE-2025-53771, in internet-facing SharePoint servers. The chained exploitation of these two flaws was dubbed ‘ToolShell’ by the cybersecurity community.

While Microsoft released a patch for these vulnerabilities in July, Eye Security, the Dutch company that discovered the global zero-days, confirmed that a total of 396 SharePoint systems has been compromised.

Some of the first threat groups behind these attacks were rapidly identified as Linen Typhoon (APT27) and Violet Typhoon (APT31), two Chinese-aligned advanced persistent threat groups as well as Storm-2603, a more hybrid group as it is known for deploying ransomware but believed by Microsoft researchers to be based in China.

Other reporting suggested that the notorious Chinese hacking group Salt Typhoon may also have attempted to target government entities with the ToolShell exploit.

Within a few months, the chained exploits were allegedly attempted by numerous threat actors, with almost 40% of Cisco Talos Incident Response (Talos IR) engagements recorded in late October targeting the exploitation of public-facing SharePoint servers.

Qantas, WestJet and Hawaiian Airlines Hit in Wave of Cyber-Attacks 

In early July 2025, a flurry of cyber incidents targeting airlines that started in June was revealed. Those affected included Australian airline Qantas, Canada’s WestJet Airlines and Hawaiian Airlines.

On June 30, the FBI issued a warning that the threat group Scattered Spider was actively targeting airlines with ransomware and data extortion attacks.

 At Qantas, the incident was detected on June 30, when a cybercriminal targeted a call center and gained access to a third-party customer servicing platform. Although the company initially did not specifying how many customers may be affected, it later confirmed the compromise affected as much as 5.7 million customers.

The Australian airline also disclosed it was contacted by the alleged culprit.

Coinbase Turns $400m Hack Into $20m Bounty Hunt

In May 2025, in a bold move against cybercrime, cryptocurrency exchange Coinbase offered a $20m reward to anyone who could help identify and bring down the perpetrators of a recent cyber-attack it had just reported.

Coinbase stated that cybercriminals bribed and recruited a group of rogue overseas support agents to steal its customer data and facilitate social engineering attacks. The attackers planned to use the stolen data to impersonate Coinbase and trick customers into handing over their cryptocurrency holdings.

The US crypto company was asked to pay a $20m ransom to put an end to the scam. However, instead of paying the ransom, Coinbase decided to work with law enforcement and security industry experts to trace the stolen funds and hold those responsible for the scheme accountable.

The $20m reward fund is part of a ‘bounty’ program launched by Coinbase. The funds will be awarded to anyone who can provide information leading to the arrest and conviction of the criminals responsible for the attack.

Later reports assessed that the hack affected almost 70,000 customers and cost the cryptocurrency exchange $400m.

In an unusual turn of event, a class action lawsuit filed in September with the US District Court for the Southern District of New York revealed that Coinbase customers alleged that “rogue overseas support agents” from TaskUs, a Delaware-registered but Texas-based company owned by private equity firm Blackstone and hired by Coinbase to handle customer support from India, were involved in the hack.

TaskUs was also accused of security failures that allowed them to deploy their malicious scheme.

According to the court filing, TaskUs confirmed the involvement of its staff but minimized the extent of its security failures.

Marks & Spencer and Co-op Suffer Disruptions Amid Retail Hack Wave

A massive wave of cyber-attacks targeting high-profile companies in the retail sector started in April 2025.

One of the first victims was British supermarket chain Marks & Spencer (M&S), which informed customers and investors of a cyber incident that has affected some of its services on April 22. In May, while M&S was still facing operational disruptions, its Chief Executive, Stuart Machin, confirmed customer data had been stolen.

The cyber-attack was estimated to have cost the retailer £300m ($400m).

Shortly after the M&S hack was disclosed, the Co-op, another British supermarket chain, reported a similar incident, which eventually cost it a £206m ($277m) revenue loss.

Both cyber-attacks, as well as a third one targeting London department store Harrods, have been linked to Scattered Spider. In July, UK law enforcement arrested four individuals, three of whom were teenagers, on suspicion of offenses relating to the three attacks.

The same moth, executives from M&S and the Co-op gave evidence to a Parliamentary committee about the incidents. However, during this hearing, M&S chairman Archie Norman declined to say whether a payment was made to the threat actors.

Unfortunately, M&S, the Co-op and Harrods were just a few names of high-profile retail, sportswear and luxury companies that were hit by cyber-attacks in the spring of 2025. Others included Adidas, Alexander McQueen, Gucci and Louis Vuitton.

Read now: Tata Consultancy Services Refutes Losing M&S Contract After Cyber-Attack

Bybit Hack, the Largest Crypto Heist in History

In the early months of 2025, the year was already on course to set new records in the cyber realm. The February breach of Dubai-based cryptocurrency exchange Bybit was described as the largest crypto theft in history.

The attack, which was later estimated to have netted $ 1447.063bn worth of Ethereum (ETH), was swiftly linked by the FBI to the infamous Lazarus Group, a North Korean state-sponsored hacking collective. Bybit offered a reward of 10% of any recovered funds.

Quickly, companies identified that hackers around the world were leveraging the news of this historic crypto heist, with BforeAI detecting in April 596 suspicious domains linked to phishing campaigns designed to siphon cryptocurrency from its customers

Furthermore, according to CertiK’s Hack3d: Q1 2025 Report, the Bybit hack largely fueled a rise in crypto theft in the first quarter of 2025, with hackers stealing over $1.67bn in digital assets across 197 security incidents – marking a staggering 303% increase from the previous quarter.

Three months later, CertiK reported that around $2.47bn in cryptocurrency has been stolen via scams, hacks and exploits in the first half of 2025, already exceeding the total amount lost during 2024.

PowerSchool Pays Ransom to Prevent Student Data Leak

The year 2025 started with alarming news for many cybersecurity professionals: North American school software provider PowerSchool was hit by a cyber-attack in December 2024 and reportedly paid a ransom to prevent attackers from releasing stolen data of students and teachers.

Although the company told parents, in a message seen in January by US news outlet NBC 26, that no data had been encrypted in the attack, the threat actor threatened to leak compromised data.

The company publicly admitted to paying the (undisclosed) ransom four months later.

In late May, a 19-year-old college student in Massachusetts pleaded guilty for his involvement in the cyber-attack.

Other major cyber-attack Infosecurity covered in 2025 included the ones targeting Ingram Micro, Coupang and Allianz Life.