
Cybersecurity Update 1-12 December 2025

  • Writer: Melissa Hathaway

United States of America


Former Government Contractors Delete 96 Databases across Multiple Agencies. On 3 December 2025, twin brothers Muneeb and Sohaib Akhter were arrested in Alexandria, Va., for allegedly stealing and destroying government data held by a government contractor minutes after they were fired from the company earlier this year. They worked at Washington-based Opexus, which provides services and hosts data for more than 45 federal agencies. The Department of Justice stated, “these defendants abused their positions as federal contractors to attack government databases and steal sensitive government information.” The 18 November 2025 indictment states that following the termination of their employment, the brothers allegedly sought to harm the company and its U.S. government customers by accessing computers without authorization, issuing commands to prevent others from modifying the databases before deletion, deleting 96 databases, stealing information, and destroying evidence (clearing log files) of their unlawful activities. In 2015, the brothers pleaded guilty to wire fraud, conspiring to hack into the State Department, and other crimes committed while they were employed as contractors for federal agencies. They served prison time. (Cyberscoop, DOJ Press Release)


Washington State Regulators Ordered Seattle Crypto Startup Coinme to Halt Money Transfers. On 1 December 2025, the Washington State Department of Financial Institutions (DFI) issued both a Temporary Order to Cease and Desist (TCD) and a Statement of Charges (Charges) against Seattle, WA-based company, CoinMe, Inc. (CoinMe). The TCD and Charges relate to CoinMe’s money transmission and virtual currency kiosk operations in Washington, and allege the company has committed multiple violations of the Uniform Money Services Act (Chapter 19.230 RCW). DFI states that Coinme “inappropriately claimed more than $8 million owed to consumers as its own income through a system that required consumers to purchase virtual currency paper vouchers at kiosks to be redeemed on CoinMe’s website or mobile application. When consumers did not redeem their purchased vouchers during a specific timeframe, CoinMe claimed the amounts owed to those consumers as income. DFI also asserts that CoinMe did not disclose material information to consumers about the timeframe allowed to redeem vouchers and did not properly return unclaimed consumer property to the State of Washington as required by law. CoinMe also listed an inactive consumer support phone number on the vouchers provided to consumers.” Coinme calls it an accounting dispute over a discontinued product. DFI is seeking to revoke Coinme’s money transmitter license, impose a $300,000 fine, and ban CEO and co-founder Neil Bergquist from Washington’s money transmitter and currency-exchange industry for 10 years. (Washington State Dept of Financial Institutions, GeekWire)


New Executive Order on Artificial Intelligence — Limits States’ Rights. On 11 December 2025, President Trump signed a new executive order (EO), “Ensuring a National Policy Framework for Artificial Intelligence.” The EO is aimed at preempting state-level AI regulations. It instructs federal agencies to sue and withhold funds from states whose AI laws the administration deems problematic. The White House cites three reasons for the order:

• “First, State-by-State regulation by definition creates a patchwork of 50 different regulatory regimes that makes compliance more challenging, particularly for start-ups.

• Second, State laws are increasingly responsible for requiring entities to embed ideological bias within models. For example, a new Colorado law banning 'algorithmic discrimination' may even force AI models to produce false results in order to avoid a 'differential treatment or impact' on protected groups.

• Third, State laws sometimes impermissibly regulate beyond State borders, impinging on interstate commerce."

California, Utah, Colorado, and Texas have already passed their own laws regulating AI. States that refuse to comply with the executive order may face Federal funding restrictions. Technology companies have lobbied to limit the power of states to regulate AI. AI companies have been opening offices close to the Capitol and launching campaigns through a super PAC with at least $100 million to spend on the midterm elections in 2026. The EO may trigger court challenges from states and others regarding the legality of pursuing federal preemption through these executive actions. (EO on AI, CNBC, Reuters, Wilmer Hale, Axios)


Largest Leak of Lead Generation Data. On 10 December 2025, CyberNews researchers published a report that they had discovered 16 terabytes (over 4.3 billion records) in an exposed, unprotected MongoDB cloud database of fully structured data, likely comprising scraped professional and corporate intelligence. It was discovered on 23 November 2025 and secured by its owner two days later, but the exposure duration and whether anyone accessed it maliciously remain unknown. The database exposed deeply detailed LinkedIn-derived profiles, contact information, corporate relationships, and employment histories. Nine collections were uncovered within the dataset; a single collection alone contained 732 million records, including photographs. Three datasets of 2 billion records contained personally identifiable information (PII). The unnamed lead generation company “helps businesses find and connect with potential customers, providing access to a large-scale B2B database of leads that strongly correlates with the type of information included in the exposed database,” the report states. (CyberNews, TechRadar, Forbes)


Accenture Employee Indicted for Misleading US Army on Security of Cloud. On 9 December 2025, a Federal Grand Jury in the District of Columbia returned an indictment charging a former senior manager at a Virginia-based government contractor with two counts of wire fraud, one count of major government fraud, and two counts of obstruction of a federal audit for allegedly carrying out a multi-year scheme to mislead federal agencies about the security of a cloud-based platform used by the U.S. Army and other government customers. “The indictment alleges that, although the platform was marketed as a secure environment for federal agencies, Ms. Hillmer concealed the platform’s noncompliance with security controls under the Federal Risk and Authorization Management Program (FedRAMP) and the Department of Defense’s Risk Management Framework. Specifically, the indictment alleges that Hillmer falsely represented that security controls were implemented at the FedRAMP High baseline and at Department of Defense Impact Levels 4 and 5, despite repeated warnings that the system lacked required access controls, logging, monitoring, and other security capabilities.” An Accenture spokesperson said: “As previously disclosed in our public filings, we proactively brought this matter to the government’s attention following an internal review.” (DOJ Blog, NextGov, FedScoop)


Russia Targets Critical Infrastructures’ Operational Technology. On 9 December 2025, the Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), Department of Energy (DOE), Environmental Protection Agency (EPA), EC3, and international partners from thirteen countries shared information about cyber incidents affecting the operational technology (OT) and industrial control systems (ICS) of critical infrastructure entities in the United States and globally. Russian malicious actors are targeting water and wastewater systems, food and agriculture entities, and the energy sector. The advisory notes, "These groups have limited capabilities, frequently misunderstanding the processes they aim to disrupt. Their apparent low level of technical knowledge results in haphazard attacks where actors intend to cause physical damage but cannot accurately anticipate actual impact. Despite these limitations, the authoring organizations have observed these groups willfully cause actual harm to vulnerable critical infrastructure.” The authoring organizations urge critical infrastructure entities to review and act now to improve their cybersecurity posture against cyber threat activities specifically and intentionally targeting internet-connected OT and ICS: (1) Remove OT connections to the public internet; (2) Change default passwords immediately and use strong, unique passwords; (3) Secure remote access to OT networks; (4) Segment IT and OT networks; and (5) Practice and maintain the ability to operate OT systems manually. (CISA Advisory, Fact Sheet on Protecting OT)


International Items of Interest


Data Breach at South Korea’s Coupang Affects 65% of the Population. On 30 November 2025, Coupang — often called South Korea’s Amazon — confirmed a breach that potentially exposed the personal details of 33.7 million customer accounts. The company said it discovered the breach on 18 November 2025, and “immediately reported [the data breach] to the relevant authorities, including the National Police Agency, the Personal Information Protection Commission, and the Korea Internet & Security Agency.” On 2 December 2025, Coupang’s Chief Information Security Officer stated that a former employee (a Chinese national) may have taken a signed authentication key before leaving the company. He had been a “developer working on the authentication system.” That key, which could be valid for two years, was allegedly used externally to generate tokens, gain unauthorized access to internal systems, and obtain customer information including names, email addresses, phone numbers, and certain order information. The malicious actor (insider) avoided detection (since June 2025) in part by using multiple IP addresses from different sources. South Korean authorities are calling for harsher penalties on companies that fail to protect their customers’ sensitive information. On 11 December 2025, Coupang Corp. Chief Executive Park Dae-jun resigned over what is viewed as the worst data breach in South Korea. (E-Security Planet, The Record, Yonhap, Barrons, Bloomberg, WSJ)
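The Coupang account above describes a signing key that stayed valid for two years and kept minting tokens after its holder left. As an added example (not Coupang’s code or the reporter’s), here is a small HMAC-signed token issuer in Python whose tokens carry a key id, whose keys have a short maximum lifetime, and whose verifier consults a revocation flag, so that tokens minted with a key revoked at offboarding are rejected even though their signatures are still valid. The KeyStore, mint and verify names and the 90-day lifetime are assumptions.

```python
import base64
import hashlib
import hmac
import json

# Assumed policy: keys live at most 90 days, far shorter than the two years in the report.
MAX_KEY_LIFETIME = 90 * 24 * 3600


class KeyStore:
    """Constructed key registry: key id -> secret, hard expiry and revocation flag."""

    def __init__(self):
        self.keys = {}

    def add(self, kid, secret, created, lifetime=MAX_KEY_LIFETIME):
        self.keys[kid] = {"secret": secret, "not_after": created + lifetime, "revoked": False}

    def revoke(self, kid):
        # Called from the offboarding workflow when a key holder leaves.
        self.keys[kid]["revoked"] = True


def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint(store, kid, claims, now, ttl=900):
    """Issue a short-lived token; the key id travels inside the signed payload."""
    body = dict(claims, iat=now, exp=now + ttl, kid=kid)
    payload = _b64(json.dumps(body, sort_keys=True).encode())
    sig = hmac.new(store.keys[kid]["secret"], payload.encode(), hashlib.sha256).digest()
    return payload + "." + _b64(sig)


def verify(store, token, now):
    """Return (ok, reason). Key state is checked before the signature is trusted."""
    try:
        payload, sig = token.split(".")
        body = json.loads(_unb64(payload))
    except (ValueError, json.JSONDecodeError):
        return False, "malformed"
    key = store.keys.get(body.get("kid"))
    if key is None:
        return False, "unknown key"
    if key["revoked"]:
        return False, "key revoked"
    if now > key["not_after"]:
        return False, "key expired"
    expected = hmac.new(key["secret"], payload.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        return False, "bad signature"
    if now > body["exp"]:
        return False, "token expired"
    return True, "ok"
```

The important part is the ordering in verify: a leaked key only stays useful until someone flips its revocation flag or its short lifetime runs out, whichever comes first.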


European Authorities Dismantle Cryptomixer. On 1 December 2025, Europol announced that between 24 and 28 November 2025, Swiss and German law enforcement agencies took control of the servers and domain name behind Cryptomixer, which helped ransomware gangs and other dark web market participants obfuscate their payments. Cryptomixer is a hybrid mixing service accessible via both the clear web and the dark web. “It facilitated the obfuscation of criminal funds for ransomware groups, underground economy forums and dark web markets. Its software blocked the traceability of funds on the blockchain, making it the platform of choice for cybercriminals seeking to launder illegal proceeds from a variety of criminal activities, such as drug trafficking, weapons trafficking, ransomware attacks, and payment card fraud.” Cryptomixer has been used to launder at least 1.3 billion euros ($1.5 billion) since 2016. Europol said authorities confiscated more than 12 terabytes of data from the service, as well as more than 25 million euros ($29 million) in laundered Bitcoin. “As many digital currencies provide a public ledger of all transactions, mixing services make it difficult to trace specific coins, thus concealing the origin of cryptocurrency.” (CybersecurityDive, Europol)


China Targets VMware. On 4 December 2025, Crowdstrike published its findings regarding a sophisticated Chinese malicious actor (WARP PANDA) that is targeting VMware vCenter environments at U.S.-based entities and deploying Brickstorm malware. WARP PANDA frequently gains initial access by exploiting internet-facing edge devices and subsequently pivots to vCenter environments, using valid credentials or exploiting vCenter vulnerabilities. “We’ve observed them access information related to topics aligned with Chinese government interests, sensitive data related to network-engineering and incident-response teams,” said Adam Meyers. “The data they have accessed provides insight into proprietary technology, sensitive negotiation information, operations, and potentially how companies work with government partners.” CISA stated that BRICKSTORM malware is used to establish long-term persistence on victim systems. (CybersecurityDive, Crowdstrike, CISA Alert)


Porsche Cars Immobilized by Cyberattacks in Russia. In early December 2025, hundreds of Porsches in Russia were rendered immobile, with symptoms including unresponsive security systems, complete battery depletion, and failure of factory-installed Vehicle Tracking Systems (VTS) — systems that also serve as integral components of the car’s alarm mechanism. All Porsche models fitted with factory VTS since 2013 are affected. Russia’s largest dealership group, Rolf, confirmed that the problem stems from a complete loss of satellite connectivity to the VTS. When the VTS loses its connection, it interprets the outage as a potential theft attempt and automatically activates the engine immobilizer. The simultaneous failure across Russia suggests a systemic problem rather than isolated incidents. In a statement to The Register, a Porsche spokesperson said no other markets were affected by the issue. Porsche HQ was unable to help or diagnose the nature of the problem; it is understood that systems like VTS are operated by local Porsche subsidiaries or dealer networks. (Cybersecurity Insider, The Register, Auto Blog, Moscow Times)


Poland Arrests Ukrainians Utilizing 'Advanced' Hacking Equipment. On 8 December 2025, Poland announced the arrest of three Ukrainian nationals on suspicion of attempting to compromise critical IT systems and acquire sensitive national defense data within the country. The men face charges including fraud, computer fraud, and possession of devices and software intended for criminal activity. Seized items included "advanced FLIPPER hacking equipment," a spy device detector, various antennas, laptops, a large number of SIM cards, routers, portable hard drives, and cameras. This arsenal suggests a capability to conduct both offensive cyber operations and counter-surveillance, raising significant concerns about the scope and intent of their activities against national infrastructure. Poland’s Central Bureau for Combating Cybercrime (CBZC) has collected evidence of illegal activities. The immediate detention of the suspects for three months pending trial underscores the gravity with which these alleged attempts to compromise national defense IT systems are being treated. (BleepingComputer, Poland Press Release)


UK's NCSC Warns of Threats Posed by AI Prompt Injection Attacks. On 8 December 2025, the UK's National Cyber Security Centre (NCSC) published a report looking at threats posed by AI prompt injection, a type of attack in which large language models (LLMs) are tricked into carrying out malicious instructions. The NCSC stresses that these attacks are fundamentally different from SQL injection, despite conceptual similarities: "Whilst the comparison of prompt injection to SQL injection can be tempting, it's also dangerous. SQL injection can be properly mitigated with parameterised queries, but there's a good chance prompt injection will never be properly mitigated in the same way. The best we can hope for is reducing the likelihood or impact of attacks.” Prompt injection attacks are regularly reported in systems that use generative AI (genAI), and are the OWASP’s #1 attack to consider when “developing and securing generative AI and large language model applications”. (NCSC Blog, OWASP Top 10, Cornell Report on Mitigations)


G7 Cyber Expert Group Publishes Paper on Collective Cyber Incident Response and Recovery in the Financial Sector. On 3 December 2025, the G7 Cyber Expert Group - chaired by the U.S. Department of the Treasury and the Bank of England - released a September 2025 policy paper on Collective Cyber Incident Response and Recovery in the Financial Sector. Since major cyber incidents increasingly have a global character, effective cyber incident response and recovery are ever-more dependent on a collective response. This includes cooperation, both domestically and across borders, between financial authorities, financial entities and their relevant third-party service providers, as well as with actors from other sectors, including government authorities. The G7 Fundamental Elements of Collective Cyber Incident Response and Recovery in the Financial Sector are non-binding, high-level principles that may guide the establishment and refinement of Collective Cyber Incident Response and Recovery Arrangements across the financial sector and beyond. They aim to facilitate greater convergence and compatibility among different approaches, while allowing flexibility and tailoring to national, sectoral, or organizational needs based on the unique markets and regulations within each jurisdiction. (Policy Paper on IR & Recovery, Treasury Blog)


India Rescinds Order for Back-Door in Smartphones. On 3 December 2025, India rescinded a 28 November 2025 order from its telecom ministry that had demanded that Apple, Samsung and other manufacturers pre-install what officials call a “safety app” on all new smartphones within 90 days, stating that the app must be "visible, functional, and enabled" upon first setup. The main opposition Congress Party had demanded it be rolled back, calling the mandate unconstitutional. (Reuters)


China's ZTE Might Pay $1B for Foreign Bribery Allegations. On 10 December 2025, it was reported, citing sources, that ZTE Corp. may pay at least $1 billion to the U.S. government to resolve years-old allegations of foreign bribery. On 9 December 2025, the Justice Department moved ahead with a U.S. investigation into ZTE for allegedly violating the Foreign Corrupt Practices Act (FCPA) in South America and other regions. The act prohibits payments of money or anything of value to foreign officials to obtain business. (Reuters, Telecoms)


Drones Over Military Base in France. On 4 December 2025, French forces responded to unidentified drones detected above a military base on the Crozon Peninsula. "The military personnel stationed on the peninsula and responsible for site protection responded promptly and appropriately, in full accordance with the procedures in force. An investigation is underway," an official said. (Axios)

