Cybersecurity Update 13-31 December 2025
- Melissa Hathaway

United States of America
United States Approves First Round of Crypto-Focused Banks. On 12 December 2025, the Trump Administration approved plans to launch five new cryptocurrency-focused national banks, part of its push to give the industry broader access to the traditional financial system. Circle, Ripple, BitGo, Fidelity Digital Assets, and Paxos received approval on applications filed with the Office of the Comptroller of the Currency (OCC) to launch or convert to national trust banks, allowing them to operate under federal oversight for digital asset custody and related services, a move integrating crypto into the mainstream financial system. The federal banking system includes more than 1,000 national banks, federal savings associations, and federal branches of foreign banking organizations operating in the United States that range in size from 1,000 smaller community banks under $30 billion in assets focused on meeting local needs to the largest internationally active banks. These banking companies conduct a wide array of businesses that range from retail and wholesale banking activity to trust, credit card and other more narrowly focused services. The institutions that make up the federal banking system conduct approximately 67 percent of the banking activity in the United States, hold more than $17 trillion in assets combined and administer more than $85 trillion under their control. (OCC Press Release, WSJ)
SEC Advisory Committee Recommends AI Disclosure Guidance. On 4 December 2025, the U.S. Securities and Exchange Commission (SEC) Investor Advisory Committee (IAC) voted to advance a recommendation that the agency issue guidance requiring issuers to disclose information about the impact of artificial intelligence (AI) on their companies. The IAC reviewed recent filings and academic analysis and concluded that, despite years of spending on AI, “markets are still looking for guidance” on the AI that firms are developing and deploying. Only 40% of S&P 500 companies provide AI-related disclosures, and just 15% disclose information about board oversight of AI, while 60% view AI as a material risk (with concerns spanning cybersecurity, competition, and regulation, among others). The IAC endorsed a recommendation to establish the “initial scaffolding” of a disclosure framework: (1) require that issuers define what they mean when they use the term “Artificial Intelligence”; (2) disclose board oversight mechanisms, if any, for the deployment of AI at the firm; and (3) if material, report on how they are deploying AI and the effects of that deployment on (a) internal business operations and (b) consumer-facing matters. (SEC Advisory Committee, CIO, Crowell, IAC Membership)
New York Establishes Laws for Frontier AI Models — RAISE ACT. On 19 December 2025, Governor Kathy Hochul (NY) signed the RAISE Act into law. The RAISE Act requires transparency from developers of powerful frontier AI models and reporting of incidents of critical harm. New York and California are setting de facto safety rules for frontier AI companies in the U.S. as Congress struggles to settle on federal standards. “The agreed-upon chapter amendments to the RAISE Act (S6953B/A6453B) require large AI developers to create and publish information about their safety protocols, and report incidents to the State within 72 hours of determining that an incident occurred. It also creates an oversight office within the Department of Financial Services that will assess large frontier developers and enable greater transparency.” Under the new law the Attorney General can bring civil actions against large frontier developers for failing to submit required reporting or for making false statements. Penalties are up to $1 million for a first violation and up to $3 million for subsequent violations. (NY Blog, Axios)
Texas Sues TV Manufacturers Over Data Collection. On 15 December 2025, Texas Attorney General Ken Paxton sued five large TV manufacturers (Samsung, LG, Sony, Hisense, and TCL), alleging that their smart TVs unlawfully collect users' personal data through Automated Content Recognition (ACR) without consent. According to the Attorney General's office, ACR “software can capture screenshots of a user’s television display every 500 milliseconds, monitor viewing activity in real time, and transmit that information back to the company without the user’s knowledge or consent. The companies then sell that consumer information to target ads across platforms for a profit. This technology puts users’ privacy and sensitive information, such as passwords, bank information, and other personal information at risk.” Paxton said his office remains committed to holding corporations accountable for deceptive, abusive, or exploitative practices. (TX AG Press Release, ArsTechnica)
Lawsuit Claims Seattle-based F5 Overstated Cybersecurity Strength Before Revealing Major Breach. Rosen Law Firm announced a class action lawsuit on behalf of purchasers of securities of F5, Inc. (NASDAQ: FFIV) between 28 October 2024 and 27 October 2025, both dates inclusive (the “Class Period”). The proposed class action, filed in the U.S. District Court for the Western District of Washington, alleges that F5 misled investors about its cybersecurity strength: the company repeatedly told investors it offered industry-leading application and API security while a long-running intrusion was already underway inside key development systems tied to its BIG-IP product line. F5 then disclosed a significant breach, and the disclosure coincided with steep declines in its stock price. (F5 Complaint, Kiro7, RosenLegal)
U.S. Bans Sale of Foreign-Made Drones, Citing Security Concerns. On 22 December 2025, the Federal Communications Commission (FCC) banned the sale of all new foreign-made drones within the United States, citing “unacceptable risks to the national security of the United States and to the safety and security of U.S. persons.” “As President Trump stated in the Restoring American Airspace Sovereignty Executive Order, unmanned aircraft systems (UAS), otherwise known as drones, offer the potential to greatly enhance public safety and innovation. At the same time, criminals, hostile foreign actors, and terrorists can use them to present new and serious threats to our homeland. As the United States prepares to host several mass-gathering events, including the 2026 FIFA World Cup, America250 celebrations, and the 2028 LA Summer Olympics, the federal government is taking additional actions to safeguard Americans and restore American airspace sovereignty.” The ruling primarily affects the Chinese drone manufacturer DJI, which holds more than ninety percent of the world's consumer drone market, and many small business owners in the U.S. have built their companies on DJI equipment. The FCC refrained from banning existing models to avoid disrupting emergency and law enforcement operations, which use DJI drones for rescue operations and for tracking suspects. (FCC Entities List, NYT)
U.S. Department of Justice Disrupts Bank Phishing Operation. On 22 December 2025, the U.S. Department of Justice (DOJ) announced that it had seized a web domain and a database holding passwords used in phishing attacks against U.S. bank customers. The domain, web3adspanels.org, served the scheme as a backend web panel to store and manipulate illegally harvested bank login credentials. The account takeover scheme resulted in “attempted losses of approximately $28 million dollars and actual losses of approximately $14.6 million dollars.” “The seized domain hosted a server that contained the stolen login credentials of thousands of victims.” (DOJ Press Release, Security Week)
Google Announces End to Dark Web Report. On 16 December 2025, Google announced that it will discontinue its dark web report, which monitored breach data circulating on the dark web. New scans will stop on 15 January 2026. “On 16 February 2026, all data related to dark web report will be deleted. You can also delete your data ahead of time. After you delete your profile, you'll no longer have access to dark web report.” Google states that it is shifting its focus towards “tools that give you more actionable steps,” like Password Manager, Security Checkup, and Results About You. (Google Blog, MalwareBytes, Reddit)
Microsoft Copilot Studio Opens Serious Agentic Security Risks. On 29 December 2025, Zenity Labs published a report on exploiting the Connected Agents feature of Microsoft Copilot Studio, which was revealed at Build 2025 (May 2025). Connected Agents enables AI-to-AI integration, allowing agents to share functionality and reuse logic across environments. The feature is meant for efficiency, but Zenity showed that, when misconfigured, it lets a malicious actor obtain unauthorized backdoor access to vital business systems through the agents. Connected Agents is active by default on all new agents, exposing their capabilities to all other agents within the same environment, and Microsoft did not build in visibility for connected agents, which creates a blind spot in security monitoring. Zenity Labs warns that malicious actors can exploit these gaps by connecting to privileged agents, especially those with email-sending and sensitive data access. Organizations should therefore audit current agents, disable Connected Agents on those with unauthenticated tools, and ensure sensitive actions require explicit user credentials. Technology leaders should treat any agent with Connected Agents enabled as publicly accessible. (Cybersecurity News, Zenity Labs)
International Items of Interest
South Korean Coupang, Class Action Lawsuit. On 18 December 2025, a class action lawsuit was filed against South Korean e-commerce giant Coupang. The complaint alleges that CEO Bom Kim and CFO Gaurav Anand knew or recklessly disregarded that the company had “inadequate cybersecurity protocols,” which allowed a former employee to access customer data for nearly six months without detection. The breach exposed personal information from 33.7 million customer accounts. Coupang did not file a timely SEC Form 8-K for the material event, and this lawsuit appears to be among the first securities class actions to directly challenge compliance with the SEC’s 2023 cybersecurity disclosure rules. The complaint seeks damages for investors who purchased Coupang securities between 6 August and 16 December 2025. On 29 December 2025, Coupang announced one of the costliest trust-repair moves in South Korean history, pledging more than $1.1 billion in customer compensation. Payments will be issued sequentially starting 15 January 2026, with all eligible users receiving purchase vouchers valued at 50,000 won. The vouchers can be used across Coupang’s main shopping platform and its food delivery, travel, and luxury product services. (CSOonline, Legal Files, Insurance Journal, Reuters, Tech Republic, Coupang Blog)
China Issues Draft Rules to Regulate AI with Human-like Interaction. On 27 December 2025, the Cyberspace Administration of China (CAC) released a draft of the “Interim Measures for the Management of Artificial Intelligence Human-like Interactive Services,” which aims to tighten oversight of AI services designed to simulate human personalities and engage users in emotional interaction. The proposed rules would apply to AI products and services offered to the public in China that present simulated human personality traits, thinking patterns and communication styles, and interact with users emotionally through text, images, audio, video or other means. The proposed rules would: (1) require service providers to assume safety responsibilities throughout the product lifecycle and establish systems for algorithm review, data security and personal information protection; (2) target potential psychological risks by requiring providers to identify user states and assess users’ emotions and their level of dependence on the service; (3) require providers to take necessary measures to intervene if users are found to exhibit extreme emotions or addictive behavior; and (4) set content and conduct red lines, stating that services must not generate content that endangers national security, spreads rumors or promotes violence or obscenity. The measures are open to public comment until 25 January 2026. (Reuters, Legal Wire, CAC Press Release)
Venezuela Blames the US for Disruptive Cyberattack on State-owned Oil Company. On 13 December 2025, Venezuela's state-owned oil company, Petróleos de Venezuela (PDVSA), sustained a ransomware attack that shut down systems and caused the company to suspend oil cargo deliveries. PDVSA and Venezuela's oil ministry blamed the United States for the incident, saying the attack was launched by "foreign interests in complicity with domestic entities who are seeking to destroy the country's right to sovereign energy development.” The cyberattack came one week after the U.S. military took the extraordinary step of seizing a PDVSA tanker carrying nearly two million barrels of Venezuelan crude oil. On 17 December 2025, PDVSA stated it was resuming oil cargo deliveries at its terminals following the cyberattack, which affected its centralized administrative system. (Reuters, CyberWire, The Record, PDVSA Facebook, Marine Link)
Germany Launches Joint Drone Defence Centre. On 17 December 2025, Germany officially opened its Joint Drone Defence Centre, which will combine state and federal capabilities to provide better protection against the growing threat of espionage and sabotage highlighted by a series of drone overflights of airports and military bases in Germany. Interior Minister Alexander Dobrindt said "this will increase our speed and accuracy in the fight against hybrid threats, sabotage and targeted provocations.” Earlier this month, Germany also launched a new police unit focused on drone defense, and earlier this year it gave police broader authority to shoot down unidentified drones. In 2025 alone, Germany has registered over 1,000 suspicious drone flights. Drones have forced shutdowns of commercial airports and have been observed conducting reconnaissance at German military installations. (Reuters, DW)
Russia Hits Critical Organizations via Misconfigured Edge Devices. On 15 December 2025, Amazon detailed a long-running campaign by Russia against critical infrastructure organizations, particularly in the energy sector. The blog post describes operations conducted on behalf of Russia's Main Intelligence Directorate (GRU) from 2021 through the present. According to Amazon, the actors target enterprise routers, routing infrastructure, VPN concentrators, network management appliances, collaboration platforms, cloud-based project management systems, and more, with misconfigured customer edge devices now serving as the primary initial access vector. “This tactical adaptation enables the same operational outcomes, credential harvesting and lateral movement into victim organizations' online services and infrastructure, while reducing the actor's exposure and resource expenditure.” Amazon recommends that "organizations must prioritize securing their network edge devices and monitoring for credential replay attacks to defend against this persistent threat.” (Amazon Blog, Dark Reading, Cybersecurity Dive)
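The monitoring Amazon recommends, watching for replay of credentials harvested at the edge, can be prototyped over VPN and edge-device authentication logs. The Python script below is an added example written for this newsletter, not code from Amazon's report; the log format, device names, IP addresses, trusted egress range and thresholds are all constructed. It flags two patterns: one account succeeding from two different source addresses within a short window when at least one address lies outside the trusted corporate egress ranges (captured credentials replayed from actor infrastructure), and one source address presenting the same username to several edge devices in quick succession.

```python
"""Toy credential-replay detector for edge-device authentication logs.

Added example (not from Amazon's report). The log format is a constructed
syslog-like layout:
    <ISO-8601 time> <device> auth <success|failure> user=<name> src=<ip>
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress
import re

# Constructed sample log lines (RFC 5737 documentation addresses; no real hosts).
SAMPLE_LOG = """\
2025-12-10T08:00:01Z vpn-gw1 auth success user=alice src=203.0.113.10
2025-12-10T08:03:15Z vpn-gw1 auth success user=alice src=198.51.100.77
2025-12-10T08:05:40Z vpn-gw2 auth success user=alice src=198.51.100.77
2025-12-10T09:00:00Z vpn-gw1 auth success user=bob src=203.0.113.20
2025-12-10T12:00:00Z vpn-gw1 auth failure user=carol src=198.51.100.77
2025-12-10T12:00:05Z vpn-gw2 auth failure user=carol src=198.51.100.77
2025-12-10T12:00:09Z vpn-gw3 auth success user=carol src=198.51.100.77
2025-12-10T15:00:00Z vpn-gw1 auth success user=bob src=203.0.113.20
"""

# Hypothetical corporate egress range; moves between trusted ranges are not alerts.
TRUSTED_CIDRS = ["203.0.113.0/24"]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<device>\S+) auth (?P<result>success|failure) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_log(text):
    """Parse matching lines into dicts sorted by timestamp; skip other lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def _is_trusted(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def detect_replay(events, window=timedelta(minutes=10), trusted_cidrs=()):
    """Rule 1: the same account succeeds from two different source IPs within
    `window`, unless both IPs are inside trusted ranges (corporate NAT hopping).
    Emits one alert per (user, ip_a, ip_b) triple."""
    nets = [ipaddress.ip_network(c) for c in trusted_cidrs]
    by_user = defaultdict(list)
    for ev in events:  # events are already time-sorted
        if ev["result"] == "success":
            by_user[ev["user"]].append(ev)
    alerts, seen = [], set()
    for user, evs in by_user.items():
        for i, cur in enumerate(evs):
            for prev in evs[:i]:
                if cur["ts"] - prev["ts"] > window or prev["src"] == cur["src"]:
                    continue
                if _is_trusted(prev["src"], nets) and _is_trusted(cur["src"], nets):
                    continue
                key = (user, prev["src"], cur["src"])
                if key in seen:
                    continue
                seen.add(key)
                alerts.append({"rule": "replay", "user": user, "from": prev["src"],
                               "to": cur["src"],
                               "seconds_apart": int((cur["ts"] - prev["ts"]).total_seconds())})
    return alerts


def detect_fanout(events, window=timedelta(minutes=10), min_devices=3):
    """Rule 2: one source IP presents the same username (success or failure)
    to at least `min_devices` distinct edge devices within `window`."""
    by_pair = defaultdict(list)
    for ev in events:
        by_pair[(ev["src"], ev["user"])].append(ev)
    alerts = []
    for (src, user), evs in by_pair.items():
        for i, start in enumerate(evs):
            devices = {e["device"] for e in evs[i:] if e["ts"] - start["ts"] <= window}
            if len(devices) >= min_devices:
                alerts.append({"rule": "fanout", "src": src, "user": user,
                               "devices": sorted(devices)})
                break  # one alert per (src, user)
    return alerts


def analyse(text=SAMPLE_LOG, trusted_cidrs=TRUSTED_CIDRS):
    events = parse_log(text)
    return detect_replay(events, trusted_cidrs=trusted_cidrs) + detect_fanout(events)


if __name__ == "__main__":
    for alert in analyse():
        print(alert)
```

On the constructed sample this raises two alerts: alice's credentials succeed from the corporate range and then from an untrusted address three minutes later, and the same untrusted address walks carol's credentials across three gateways in nine seconds. To run it against real logs, adapt LINE_RE to the device's syslog format; the trusted-range allowlist keeps ordinary corporate NAT egress from triggering the first rule, and the device threshold of the second rule should be tuned to the size of the edge estate.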
PornHub Breached by ShinyHunters — Premium Members’ Data Stolen. On 12 December 2025, Pornhub announced a cybersecurity incident involving data held by a third-party data analytics service provider, Mixpanel, that impacted some Pornhub Premium users. Pornhub is a Canadian-owned internet pornography video-sharing website. The ShinyHunters hacking group claimed to have stolen 200 million records and at least 94GB of data relating to Pornhub’s premium customers. The actor says the data covers Pornhub Premium users’ historical search, watch, and download activity and contains highly sensitive details such as emails, locations, video metadata, and timestamps. Although Pornhub emphasizes that this was not a direct breach of its systems, the incident highlights the risks of third-party vendors managing sensitive analytics data. ShinyHunters is now attempting to extort Pornhub, which joins Google, ChatGPT (OpenAI) and others compromised through the same Mixpanel attack. The exfiltrated data can be used for blackmail, extortion, or reputational damage, especially given its sensitive nature, and affected users may also face phishing or social engineering attacks. (PornHub, Bleeping Computer, Cybersecurity News, Security Affairs)
Asahi to Launch Cybersecurity Overhaul after Crippling Cyberattack. On 15 December 2025, the CEO of Asahi stated that the company would elevate cybersecurity to a top management priority and is considering creating a dedicated cybersecurity unit within the group. The decision follows a September ransomware attack by the Qilin ransomware group that exposed the personal data of two million people, including 1.5 million Asahi customers, and forced operational disruptions that may last at least until February 2026. The company is scrapping VPNs in favour of a zero-trust security model. The financial impact is severe: Asahi's alcohol sales in Japan dropped 20% year-over-year in November 2025, and the company has skipped three months of sales disclosures due to ongoing system disruptions. (InfoSecMag, CodeKeeper)
Russia Attacks Denmark’s Water Utility. On 18 December 2025, the Danish Defence Intelligence Service (DDIS, or FE in Danish) identified two groups operating on behalf of the Russian state: Z-Pentest, linked to a destructive 2024 attack on a Danish waterworks, and NoName057(16), responsible for DDoS attacks on Danish websites ahead of the November 2025 municipal and regional elections. According to the DDIS, ”the Russian state uses both groups as instruments of its hybrid war against the West. The aim is to create insecurity in the targeted countries and to punish those that support Ukraine....The DDIS assesses that the Danish elections were used as a platform to attract public attention – a pattern that has been observed in several other European elections.” The press release adds: “FE assesses that the pro-Russian group Z-Pentest, which was behind a destructive cyberattack against a Danish waterworks in 2024, has connections to the Russian state. FE also assesses that the group NoName057(16), which carried out overload attacks against Danish websites in the run-up to the Danish municipal and regional council elections in 2025, has connections to the Russian state.” (BleepingComputer, DDIS Blog, Security Affairs)
Ransomware Hits Romania's National Water Authority. On 21 December 2025, Romania’s national water authority, Romanian Waters, sustained a ransomware attack. The National Cyber Security Directorate (DNSC) stated that at least 1,000 computer systems at the national water authority and 10 of its 11 regional offices were affected. The attackers abused the built-in Windows BitLocker feature to lock files on compromised systems, a living-off-the-land technique that needs no custom encryption malware and so evades signature-based defences. A few days later, on 26 December 2025, Romania’s largest coal-based energy producer, which employs over 19,000 people, was hit by the Gentlemen ransomware, crippling its IT infrastructure: some documents were encrypted, and critical systems such as ERP and email were temporarily unavailable. The company is rebuilding systems from backups, and the incident has been reported to national authorities. The Gentlemen group, which emerged in August 2025, is known for targeting exposed services and encrypting files. Romanian companies face increasing ransomware incidents, prompting heightened cybersecurity measures. (BleepingComputer, Reuters)
The European Space Agency (ESA) Breached. On 30 December 2025, the European Space Agency (ESA) confirmed that it “is aware of a recent cybersecurity issue involving servers located outside the ESA corporate network. We have initiated a forensic security analysis—currently in progress—and implemented measures to secure any potentially affected devices.” The incident involved external servers holding unclassified collaborative engineering data. The malicious actor claimed on BreachForums to have access to ESA’s JIRA and Bitbucket servers, posting screenshots as evidence; the leaked data allegedly includes source code, API tokens, and confidential documents. In a statement on X, ESA said, “Our analysis so far indicates that only a very small number of external servers may have been impacted. These servers support unclassified collaborative engineering activities within the scientific community.” Any API tokens present in the leaked repositories should be treated as compromised and rotated, regardless of how few servers were affected. (Bleeping Computer, The Register, ESA X Post)