
tutoriales · 10 min read

Cyber 2025 in review: four cases that explain the year

ByBit, the UK retail wave (M&S/Co-op/Harrods), SharePoint ToolShell and Windows 10 end-of-support. Four incidents with explicit criterion — no exhaustive top list, no ranking — and the operational lesson each one leaves for 2026.

· Manuel López Pérez · tutoriales


Four incidents with explicit editorial criterion, not exhaustive ranking. What these four have in common: each one shifts the defensive posture of a whole category of company and not of a specific sector. Multi-sig in crypto, retail with UK helpdesk, on-prem SharePoint anywhere, and the Windows 10 installed base. Four operational lessons for 2026, one per case.

Not the only thing that happened in 2025, but the four things that deserve to be read together.

1. ByBit — the frontend as visualisation chain

21 February 2025. Lazarus Group (TraderTraitor per FBI) pulls off the largest crypto heist in history: ~$1.5 billion in ETH from a ByBit cold wallet. The vector isn’t a multi-sig bug, isn’t a blockchain bug, isn’t phishing the signer. It’s compromise of the Safe{Wallet} frontend (app.safe.global), the UI that ByBit and half the industry use to sign multi-sig transactions.

The attacker injects JavaScript code into the hosted frontend bundle. When the ByBit signers open the page to approve a routine transfer, the UI shows them a benign transaction. The real transaction — a setImplementation() that swaps the wallet’s proxy contract for one controlled by the attacker — is signed without the signer seeing it, because the hardware wallet shows the hash and not the decoded calldata. Three signers in sequence. On-chain operation executed. ETH moved through mixers and bridges over the following weeks.

The February technical write-up covers the full chain. The pattern that matters for 2026:

  • The visualisation chain between the real transaction and what the signer sees depends on the hosted frontend. Any multi-sig — DeFi, custodian, organisation — that uses UI served by third parties is in the same posture. The hardware wallet isn’t the defensible last mile; it shows a hash a human can’t validate by eye.
  • Structural defence is offline calldata verification: a tool independent from the frontend that decodes the transaction from the raw bytecode before signing. It exists (Safe added it after the incident as the Safe Transaction Service decoder), but most operators don’t use it because it adds friction.
  • The “hosted frontend is compromised” threat model becomes a named case, not hypothesis. It applies to any financial operation depending on third-party UI — not only crypto.
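The offline calldata check described above, as an added example that is not code from the post, from Safe or from ByBit: it decodes a Safe execTransaction call from raw bytes (selector 0x6a761202) and blocks on the two things the hardware wallet's hash cannot show, a DELEGATECALL (operation=1) and an unexpected target. The allowlist and both sample transactions are constructed.

```python
SELECTOR = "6a761202"  # execTransaction(address,uint256,bytes,uint8,uint256,uint256,uint256,address,address,bytes)
ALLOWED_TARGETS = {"0x" + "11" * 20}  # constructed allowlist: the only destination this wallet should pay

def word(calldata: bytes, i: int) -> bytes:
    """i-th 32-byte ABI word after the 4-byte selector."""
    return calldata[4 + 32 * i:4 + 32 * (i + 1)]

def read_bytes(calldata: bytes, offset: int) -> bytes:
    """Dynamic `bytes` argument; offset is relative to the start of the arguments."""
    start = 4 + offset
    length = int.from_bytes(calldata[start:start + 32], "big")
    return calldata[start + 32:start + 32 + length]

def decode_exec_transaction(calldata: bytes) -> dict:
    """Decode what the signer must actually check: target, value, inner data, operation."""
    if calldata[:4].hex() != SELECTOR:
        raise ValueError("not a Safe execTransaction call")
    return {
        "to": "0x" + word(calldata, 0)[12:].hex(),
        "value": int.from_bytes(word(calldata, 1), "big"),
        "data": read_bytes(calldata, int.from_bytes(word(calldata, 2), "big")),
        "operation": int.from_bytes(word(calldata, 3), "big"),  # 0 = CALL, 1 = DELEGATECALL
    }

def pre_sign_findings(tx: dict, allowed_targets: set) -> list:
    """Findings that should block signing no matter what the web UI displayed."""
    findings = []
    if tx["operation"] == 1:
        findings.append("operation=1: DELEGATECALL lets the target rewrite the Safe's own storage")
    if tx["to"].lower() not in {a.lower() for a in allowed_targets}:
        findings.append(f"target {tx['to']} is not an allowlisted destination")
    return findings

def encode_exec_transaction(to: str, value: int, data: bytes, operation: int) -> bytes:
    """Constructed sample encoder (gas and refund fields zeroed, signatures empty)."""
    def w(n: int) -> bytes:
        return n.to_bytes(32, "big")
    padded = data + b"\0" * (-len(data) % 32)
    data_off, sig_off = 10 * 32, 10 * 32 + 32 + len(padded)
    head = bytes.fromhex(to[2:]).rjust(32, b"\0") + w(value) + w(data_off) + w(operation) + w(0) * 5 + w(sig_off)
    return bytes.fromhex(SELECTOR) + head + w(len(data)) + padded + w(0)

if __name__ == "__main__":
    routine = encode_exec_transaction(next(iter(ALLOWED_TARGETS)), 10**18, b"", 0)
    # constructed: transfer-shaped inner calldata, delegatecalled to an unknown contract
    hidden = encode_exec_transaction("0x" + "22" * 20, 0, bytes.fromhex("a9059cbb") + b"\0" * 64, 1)
    for label, cd in (("UI shows", routine), ("signer really signs", hidden)):
        print(label, pre_sign_findings(decode_exec_transaction(cd), ALLOWED_TARGETS))
```

The decoder deliberately reads only the raw bytes the signer is about to approve, so it keeps working even when the hosted frontend is lying.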

Safe{Wallet} publishes the post-mortem on 26 February. ByBit restores operations in 72 hours with bridge loans. Lazarus moves the ETH through THORChain in quantities that exceed the bridge’s normal volume for days. The FBI advisory confirms attribution on 26 February.

2. UK retail wave — the helpdesk as industrial vector

25 April 2025. Marks & Spencer detects intrusion in its systems. Ecommerce down, contactless payments interrupted, loyalty base affected. Reported vector: social engineering against the helpdesk for privileged credential resets, attributed to DragonForce with Scattered Spider affiliates. Four days later, 29 April, Co-op Group detects intrusion with identical vector. By end of month, Harrods announces a contained intrusion attempt. Three UK retailers in fifteen days, same vector.

M&S keeps ecommerce offline for six weeks. Costs reported at fiscal year-end: £300 million impact per official statement. Co-op temporarily loses in-store payment processing for several days. The playbook reconstructed by NCSC and Mandiant:

  1. OSINT reconnaissance of the company’s active directory (LinkedIn + leaked breaches) to identify senior employees with IT privileges.
  2. Call to tier-1 outsourced helpdesk. Impersonate the employee. Request MFA reset “because I’ve lost my phone”.
  3. Helpdesk resets, the attacker registers a new MFA method, accesses the directory.
  4. Privilege escalation with Scattered Spider techniques known since MGM 2023.
  5. DragonForce ransomware deployment with double extortion.

The April technical write-up covers the chain. The lesson for 2026:

  • Tier-1 support identity verification doesn’t scale with outsourcing templates. The helpdesk operator reads a script; the attacker reads the same script. The asymmetry is resolved by adding alternative-channel verification (internal Slack with one-time code, callback to the registered manager), not by more operator training.
  • UK retailers share outsourcing patterns. When a playbook works against M&S, it works against Co-op the next week because the helpdesk is run by the same provider or uses the same procedure. The industrialisation of social engineering against retail is real.
  • Realistic compensating control: for privileged credential resets, asynchronous two-person approval with an automatic 30-minute time delay. It doesn’t stop the CTO’s legitimate reset; it does stop the Scattered Spider playbook because the opportunity window closes.
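The compensating control from the bullets above (alternative-channel verification, two distinct approvers, automatic 30-minute delay) as a minimal policy check; this is an added example, not code from the post or from NCSC/Mandiant guidance, and the group names, operator names and timeline are assumed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

DELAY = timedelta(minutes=30)
PRIVILEGED_GROUPS = {"Domain Admins", "IT-Tier0", "Helpdesk-Admins"}  # assumed group names

@dataclass
class ResetRequest:
    """One MFA or credential reset ticket opened by a helpdesk operator."""
    account: str
    groups: set
    opened_by: str                     # helpdesk operator who took the call
    opened_at: datetime
    approvals: dict = field(default_factory=dict)   # approver -> timestamp
    callback_verified: bool = False    # alternative channel: callback to the registered manager

    def is_privileged(self) -> bool:
        return bool(self.groups & PRIVILEGED_GROUPS)

    def approve(self, approver: str, at: datetime) -> None:
        # The operator who opened the ticket never counts as one of the two approvers.
        if approver == self.opened_by:
            raise PermissionError("requesting operator cannot approve their own ticket")
        self.approvals[approver] = at

    def decision(self, now: datetime) -> tuple:
        """(may_execute, reason). Non-privileged accounts keep the normal flow."""
        if not self.is_privileged():
            return True, "non-privileged account: standard helpdesk flow"
        if not self.callback_verified:
            return False, "waiting for callback verification on the registered channel"
        if len(self.approvals) < 2:
            return False, f"{len(self.approvals)}/2 approvals"
        earliest = self.opened_at + DELAY
        if now < earliest:
            return False, f"time delay: earliest execution {earliest:%H:%M}"
        return True, "approved"

def scattered_spider_scenario() -> list:
    """Constructed timeline: a caller 'lost their phone' and wants a senior admin's MFA reset."""
    t0 = datetime(2025, 4, 25, 9, 0)
    req = ResetRequest("it-director", {"Domain Admins"}, "helpdesk-op-1", t0)
    out = [req.decision(t0)[1]]                               # nothing verified yet
    req.callback_verified = True                              # manager confirms on the registered number
    req.approve("iam-lead", t0 + timedelta(minutes=5))
    out.append(req.decision(t0 + timedelta(minutes=6))[1])
    req.approve("secops-oncall", t0 + timedelta(minutes=8))
    out.append(req.decision(t0 + timedelta(minutes=10))[1])   # still inside the delay window
    out.append(req.decision(t0 + timedelta(minutes=30))[1])
    return out
```

The single-call playbook stalls at the first check; a legitimate reset still completes within the half hour once the second approver signs off.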

NCSC publishes a consolidated advisory on 7 May. Microsoft Threat Intelligence attributes the activity to Storm-0875, aligned with Scattered Spider / Octo Tempest, now affiliated with DragonForce as ransomware-as-a-service.

3. SharePoint ToolShell — auth bypass + pre-auth deserialisation

19-20 July 2025. Microsoft publishes an emergency advisory on on-premises SharePoint. The chain Eye Security names ToolShell:

  • CVE-2025-49706 + CVE-2025-49704 — first pair published on 8 July at Patch Tuesday. Pre-auth RCE on the ToolPane endpoint with auth bypass via header Referer: /_layouts/SignOut.aspx. Public PoC from watchTowr Labs same day.
  • CVE-2025-53770 + CVE-2025-53771 — on 18 July a variant appears that bypasses the 8 July patch. Microsoft ships an out-of-band patch; CISA issues Emergency Directive 25-XX on 23 July. CVSS 9.8.

Mass exploitation by China-nexus actors begins before the patch. Microsoft Threat Intelligence names the three identified groups: Linen Typhoon, Violet Typhoon, Storm-2603. Eye Security reports ~85 compromised servers in the first 48 hours after the bypass; the final count exceeds 400 organisations in the first two weeks, including US federal agencies and European governments. The deployed web shell — spinstall0.aspx — steals SharePoint’s IIS MachineKeys and enables post-patch persistence because the keys are what sign ViewState; whoever has them can forge malicious ViewState after the fix.
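A detector for the two indicators the post names (a POST to the ToolPane endpoint carrying the SignOut.aspx Referer, and any request to spinstall0.aspx), run over constructed IIS W3C log lines. This is an added example, not code from the post, Eye Security or Microsoft; the full ToolPane.aspx path is assumed from the post's "ToolPane endpoint", and hostnames and IPs are made up.

```python
TOOLPANE = "/_layouts/15/toolpane.aspx"    # assumed full path of the post's "ToolPane endpoint"
SIGNOUT_REFERER = "/_layouts/signout.aspx"  # bypass Referer value named in the post
WEBSHELL = "spinstall0.aspx"                # web shell named in the post

def parse_w3c(lines):
    """Yield one dict per IIS W3C entry, naming columns from the #Fields: header."""
    fields = None
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def toolshell_indicators(entry: dict) -> list:
    """Indicator names matched by a single log entry."""
    uri = entry.get("cs-uri-stem", "").lower()
    referer = entry.get("cs(Referer)", "-").lower()
    hits = []
    if entry.get("cs-method") == "POST" and uri.endswith(TOOLPANE) and referer.endswith(SIGNOUT_REFERER):
        hits.append("toolpane-post-with-signout-referer")
    if uri.endswith(WEBSHELL):
        # A hit here means the MachineKeys must be treated as stolen and rotated:
        # patching alone does not evict someone who can forge ViewState.
        hits.append("spinstall0-webshell-request")
    return hits

# Constructed sample log: two attacker requests from 203.0.113.10, two benign ones
# (a ToolPane POST from an internal editor with a normal Referer must not alert).
SAMPLE_LOG = """#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-19 03:12:01 POST /_layouts/15/ToolPane.aspx - 203.0.113.10 Mozilla/5.0 /_layouts/SignOut.aspx 200
2025-07-19 03:12:05 GET /_layouts/15/spinstall0.aspx - 203.0.113.10 Mozilla/5.0 - 200
2025-07-19 03:15:40 GET /sites/hr/default.aspx - 10.0.0.25 Mozilla/5.0 - 200
2025-07-19 03:16:02 POST /_layouts/15/ToolPane.aspx - 10.0.0.26 Mozilla/5.0 http://sp.example.internal/sites/hr/default.aspx 200"""

def scan(log_text: str) -> list:
    """Return (timestamp, client_ip, indicator) tuples for every matching entry."""
    alerts = []
    for entry in parse_w3c(log_text.splitlines()):
        for hit in toolshell_indicators(entry):
            alerts.append((f"{entry['date']} {entry['time']}", entry["c-ip"], hit))
    return alerts

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(*alert)
```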

The July technical write-up covers the chain with PoC. The lesson for 2026:

  • Legacy on-prem SharePoint Server in large enterprises is an exposed perimeter left out of the modernisation cycle. Most victims had unpatched SharePoint for weeks to months. Patch hygiene on legacy on-prem remains the industry’s failed assignment.
  • The incomplete 8 July patch is the structural lesson. When the first patch addresses the specific CVEs without auditing the full gadget chain, the variant appears. For vendors: the mantra is root cause analysis of the bypass class, not of the specific bug. For customers: assume the first patch may be incomplete during the panic-patching window.
  • Stolen MachineKeys = persistence that survives the patch. Any affected organisation that only applied the patch without rotating MachineKeys stays compromised. The post-incident forensic decision tree has to include rotation.

CISA, Mandiant, Eye Security and watchTowr publish detailed analysis during August. Microsoft eventually publishes hardening and key rotation guidance in the August KB.

4. Windows 10 end of support — the installed base that stays behind

14 October 2025. Microsoft closes free support for Windows 10. As of that date ~40% of Windows desktops worldwide run Windows 10 per StatCounter — several hundred million machines. The Extended Security Updates (ESU) program comes out: free for consumers in the EEA for one year after a DG-GROW regulatory decision; $30 / year for consumers outside the EEA; $61 / device / year in year one for enterprise, escalating to $122 and $244 in years 2 and 3.

It’s not a CVE; it’s the support model running out. The October technical write-up covers the first CVEs seen exploited against the installed base and the realistic enterprise cost calculation. The lesson for 2026:

  • The support cliff creates a predictable attack surface. Any critical CVE affecting the kernel or core components in Windows 10 from October on will have a longer exploitation window than on Windows 11, because ESU is opt-in and most consumers don’t enable it. Microsoft Defender keeps updating until October 2028, which gives some cushion — but only against detection-after-the-fact.
  • The migration calculation isn’t only licences. Companies that didn’t migrate before 14 October arrive late because of hardware (Windows 11 requires TPM 2.0 and SSE 4.2, which excludes ~25% of the existing enterprise fleet) or because of legacy applications. For 2026 the real enterprise inventory is ESU paid / migrated to Win11 / migrated to Linux+VM Windows / accepting risk. All four categories are acceptable; without an explicit inventory, none is.
  • The Windows 7 transition (January 2020) left data: WannaCry-equivalents against unsupported Windows 7 appeared over 2-3 years. The curve for Windows 10 will be similar, with a bigger installed base and ransomware groups better coordinated to target EoL systems.

What doesn’t appear in these four and gets flagged

  • Snowflake one-year postmortem (May) — Mandiant publishes the consolidated UNC5537 analysis a year on. Confirmed lesson: an analytical PaaS without MFA enforced by default is still an exposure category. Snowflake changed defaults in July 2024; the 2025 data shows how many customers still had optional MFA at the anniversary.
  • CrowdStrike anniversary (19 July) — one year of Channel File 291. Microsoft closes during 2025 the Windows Resiliency Initiative with EDR vendors. The technical recommendations on kernel mode driver alternatives stay in staging; no EDR vendor migrates fully off-kernel during 2025.
  • Volt Typhoon / Salt Typhoon updates — CISA publishes a consolidated advisory in Q3 on the persistence of China-nexus activity in US telco infrastructure. The interesting bit: retroactive detection in routers assumed clean. Not a new incident; it’s the 2023-2024 incident still producing findings two years later.
  • Cleo MFT (echo of December 2024) — Cl0p maintains activity through the first quarter of 2025 with additional victims of the previous year’s leak. Covered in the Cleo technical write-up from December 2024.

Cross-cutting pattern

If I have to distil 2025 cyber into one sentence: the operational attacker industrialises playbooks that in 2024 were still research or isolated cases. Lazarus has an industrial playbook for frontend compromise against crypto exchanges — ByBit isn’t the last. Scattered Spider has a playbook against UK retail — European retail CISOs have spent six months waiting for their turn. China-nexus has a playbook for auth bypass + deserialisation against on-prem server software — ToolShell is one of several. The groups are specialised, disciplined, and reproduce with less variation than the defenders.

The operational plan that comes out for 2026:

  1. Audit of financial visualisation chains. Any critical operation that depends on UI served by third parties — multi-sig wallets, payment gateways, signing portals — needs offline verification of the raw transaction before signing. The friction is real; the alternative is more expensive.
  2. Alternative-channel verification for privileged resets. Two-person approval with automatic time delay for credentials and MFA on senior IT accounts. Applies to helpdesk, to IAM self-service, to break-glass flows.
  3. Patch hygiene on legacy on-prem with incomplete-patch assumption. SharePoint, Exchange, on-prem Confluence, Citrix appliances. Post-incident key / secret rotation as part of the standard playbook, not a case-by-case decision.
  4. Explicit Windows 10 post-EoL inventory. ESU paid / migrated / accepting risk / unknown. The fourth category is the dangerous one.

For this year’s AI security patterns, the parallel retrospective has six threads worth reading together.
