SuperGrosz
November 3, 2025
•[ vulnerability exploit, cryptocurrency theft, phishing ]
On 3 November 2025, attackers exploited faulty access-control logic in Balancer's V2 Composable Stable Pools to drain more than $100 million in cryptocurrency, with blockchain security firms estimating overall losses above $120 million and at least $99 million in ETH. Balancer acknowledged the exploit, began a forensic investigation and placed any pools it could pause into recovery mode while warning customers about phishing messages spoofing its security team. Partner platforms such as Berachain temporarily halted their networks and froze some of the stolen funds as they worked to protect user assets across the wider DeFi ecosystem.
Millicom (TIGO)
November 3, 2025
•[ data leak ]
Millicom was contacted by ShinyHunters on November 3 following an intrusion in which threat actors exfiltrated hundreds of millions of customer-related records; negotiations failed after Millicom attempted to make installment payments, leading the group to list the stolen data for sale on November 13.
BLIK
November 1, 2025
•[ denial of service ]
Polish outlet GazetaPrawna, citing BLIK's statements and comments by the minister for digital affairs, reports that from the early morning of November 1, 2025 the operator observed a significant external distributed denial-of-service attack against Polish settlement infrastructure supporting the BLIK mobile payment system. The volumetric attack generated enough malicious traffic to disrupt the smooth processing of BLIK transactions and caused users to encounter problems with mobile payments. BLIK's operator said that it secured the infrastructure, continued to monitor the systems and by 10:33 stated that users should no longer experience transaction issues, later confirming on social media that BLIK functions had been restored and apologizing for the inconvenience, while officials noted that such DDoS attacks occur regularly but are usually blocked before users notice.
OnSolve CodeRED platform
November 1, 2025
•[ ransomware ]
Risk management firm Crisis24 confirmed that its OnSolve CodeRED emergency notification platform suffered a cyberattack attributed to the INC Ransom group, which caused a widespread outage of automated phone, text and email alerts for city, county and state agencies, leaving many jurisdictions in the Saint Louis region and elsewhere to rely on manual channels while remediation efforts continue.
Australian Treasury Department
November 1, 2025
•[ cyber espionage, phishing, Shadow Campaigns ]
BleepingComputer summarized Unit 42 research on a state-aligned espionage group tracked as TGR-STA-1030/UNC6619 conducting global operations dubbed Shadow Campaigns. The report said the actor compromised at least 70 government and critical infrastructure organizations across 37 countries and conducted reconnaissance activity targeting government entities connected to 155 countries during Nov-Dec 2025. The article describes initial access via tailored phishing (Mega-hosted archives) and exploitation of multiple known vulnerabilities, use of webshells and tunneling tools, and a custom Linux eBPF rootkit (ShadowGuard).
An undisclosed critical infrastructure company in Zambia
November 1, 2025
•[ espionage, phishing, vulnerability exploitation ]
BleepingComputer summarized Unit 42 research on a state-aligned espionage group tracked as TGR-STA-1030/UNC6619 conducting global operations dubbed Shadow Campaigns. The report said the actor compromised at least 70 government and critical infrastructure organizations across 37 countries and conducted reconnaissance activity targeting government entities connected to 155 countries during Nov-Dec 2025. The article describes initial access via tailored phishing (Mega-hosted archives) and exploitation of multiple known vulnerabilities, use of webshells and tunneling tools, and a custom Linux eBPF rootkit (ShadowGuard), but it does not provide a single discrete victim organization record with a specific primary effect suitable for one CED event entry.
Undisclosed Ukrainian Regional News outlet
November 1, 2025
•[ iPhone hacking, DarkSword, UNC6353 ]
The Record reported Lookout researchers attributed an advanced iPhone hacking tool dubbed DarkSword to a likely Russia-linked actor tracked as UNC6353. The campaign has been active since at least late 2025 and continued through March 2026, primarily targeting Ukrainians via watering-hole attacks on compromised Ukrainian websites. Lookout said DarkSword can break into iPhones with little to no user interaction, extract sensitive data within minutes, and then erase traces of intrusion. The article is campaign-level reporting rather than a single named-victim incident, but it describes successful device compromise and data theft capability against targeted Ukrainian users.
University of Pennsylvania
October 31, 2025
•[ data leak ]
Hacker alias WeGotHacked infiltrated University of Pennsylvania systems around Oct 31, 2025, stealing an estimated 1.2 million donor records and compromising multiple @upenn.edu email accounts. On Nov 1 the actor used those accounts to send vulgar emails to the campus community. BleepingComputer later verified portions of the dataset. UPenn initially denied a breach but launched an investigation after the claims were substantiated.
At least one Belgian diplomat
October 31, 2025
•[ cyber-espionage, spear-phishing, vulnerability ]
Arctic Wolf Labs and other researchers detailed a Chinese state-aligned cyber-espionage campaign in which UNC6384 targeted European diplomatic entities, notably in Hungary and Belgium, between September and October 2025. The group sent spear-phishing emails referencing real EU and NATO events that carried malicious Windows shortcut (.LNK) files exploiting the ZDI-CAN-25373 (CVE-2025-9491) vulnerability to execute obfuscated PowerShell, unpack a signed Canon utility and side-load a PlugX remote access trojan. The resulting implants, communicating over HTTPS to attacker-controlled domains, provide long-term access for reconnaissance, keylogging, command execution and collection of sensitive diplomatic documents and credentials aligned with PRC strategic intelligence priorities.
Blazer Real Estate Services LLC
October 30, 2025
•[ data leak ]
Blazer Real Estate Services LLC reported that an unauthorized party accessed company systems on October 30 and exfiltrated customer identity and financial information, including driver's license and Social Security numbers; no operational disruption was reported.
Associated Radiologists of the Finger Lakes P.C.
October 30, 2025
•[ data leak ]
A subset of ARFL's network was accessed by an unauthorized party between October 28 and October 30, 2025, during which files containing personal and health information were viewed or copied without permission. Notifications were issued on December 29.
University of Pennsylvania
October 30, 2025
•[ data breach, ransomware, donor records ]
In October 2025, the University of Pennsylvania was the victim of a data breach followed by a ransom demand, largely affecting its donor database. After the incident, the attackers sent inflammatory emails to some victims. The data was later published online in February 2026 and included 624k unique email addresses alongside names and physical addresses. For some donor records, additional personal information was exposed, including gender and date of birth. A small subset of records also contained religion, spouse name, estimated income and donation history.
Kaplan
October 30, 2025
•[ data leak, unauthorized access, personally identifiable information ]
The Record reported Kaplan notified regulators and individuals about a fall 2025 cybersecurity incident in which an unauthorized actor accessed Kaplan's servers for 19 days (Oct. 30 to Nov. 18, 2025) and leaked/removed personal data. Kaplan's notifications across several states totaled at least 230,941 people in states that publish counts, and an update said Kaplan later informed Oregon that 1.4 million people were affected. The exposed data included Social Security numbers and driver's license numbers (and related identifiers). The report did not name the attacker or provide a detailed intrusion method, but confirmed the access window and sensitive identifiers involved.
Paterson & Dowding Family Lawyers
October 28, 2025
•[ ransomware, data leak ]
Threat actors from the Anubis ransomware gang listed Perth-based Paterson & Dowding Family Lawyers on their dark web site in late October 2025, claiming to have compromised the Western Australian family law firm and stolen large volumes of sensitive client, business and staff data, which they showcased in detailed samples. The posted material includes financial documents such as superannuation statements, tax information, pay slips and a crypto wallet screenshot, along with correspondence relating to client businesses and deeply personal family messages, emails and social media content connected to ongoing disputes. The firm subsequently confirmed it had suffered a cyber incident and determined that a subset of personal information had indeed been accessed and taken, engaged external experts to contain and investigate the breach, began notifying affected clients and staff, and reported the matter to relevant privacy and cybersecurity authorities.
Cohen's Fashion Optical LLC
October 28, 2025
•[ data leak ]
Cohen's Fashion Optical LLC reported that an unauthorized third party accessed company systems on October 28 and acquired files containing customer personal, financial, insurance, and medical information; no operational disruption or actor attribution was identified.
Poltronesofà
October 27, 2025
•[ ransomware, data leak, phishing ]
Italian furniture retailer Poltronesofà disclosed that its IT environment suffered a ransomware attack on October 27, 2025, in which intruders compromised group servers and encrypted virtual machines, making several internal systems temporarily unavailable. The company's incident-response team isolated affected infrastructure and launched a forensic investigation, but it warned that attackers may have exfiltrated customer data including identification and contact details. While payment information was reportedly not impacted, customers were advised to be vigilant for phishing attempts and to change passwords used with company services.
CareOregon / Health Share of Oregon
October 27, 2025
•[ data leak ]
Unauthorized viewing of member information occurred within CareOregon-managed systems supporting Health Share of Oregon, leading to notifications to affected members.
Catwig LLC d/b/a Victory Disability
October 27, 2025
•[ unauthorized access, data breach, Personally Identifiable Information (PII) ]
Catwig LLC (doing business as Victory Disability) stated it became aware in November 2025 of claims that an unknown party obtained information belonging to the firm. The company initiated an investigation with third-party cybersecurity specialists and notified federal law enforcement. The investigation concluded that an unknown party accessed a portion of Victory Disability's environment between October 27 and November 12, 2025 and may have viewed or copied certain information stored there. Potentially impacted data included names, contact information, Social Security numbers, and in some cases dates of birth and medical information (diagnosis, treatment, medications, lab results) if provided to Victory in connection with a case. The company reported filing notice with the California Attorney General and beginning written notifications on December 12, 2025.
Svenska Kraftnät
October 25, 2025
•[ ransomware, data leak ]
Sweden's national power grid operator Svenska Kraftnät experienced a data breach on October 25, 2025, when ransomware group Everest accessed an external file-transfer system and claimed to have stolen roughly 280 GB of data. Electricity transmission operations were not affected.