Operation Endgame 2.0
May 23, 2025
•[ ransomware, malware, government ]
In May 2025, a coalition of law enforcement agencies took down the criminal infrastructure behind the malware used to launch ransomware attacks in a new phase of "Operation Endgame". This followed the first Operation Endgame exercise a year earlier, with the latest action resulting in 15.3M victim email addresses being provided to HIBP by law enforcement. A further 43.8M victim passwords were also provided for HIBP's Pwned Passwords service.
Independent film makers
May 21, 2025
•[ espionage, malware, government ]
While detained in May 2025, filmmakers' phones were allegedly infected with FlexiSPY; forensic analysis ties installation to police custody (May 21). Devices were returned July 10. CPJ/Citizen Lab publicly detailed findings on Sept 10–12; The Standard reported the allegations Sept 10.
Union County (Ohio) government / county systems
May 18, 2025
•[ ransomware, malware, government ]
A ransomware attack on Union County, Ohio's public administration systems led to both encryption and data exfiltration. Data was stolen from internal government databases containing personal, financial, and biometric records of 45,487 individuals. Approximately 12 systems were encrypted, causing partial disruption for several days. No ransomware group has claimed responsibility.
Pravosudiye
May 15, 2025
•[ hacktivism, data destruction, government ]
Russia's national case management/e-filing system was reportedly hacked in Oct 2024, erasing roughly a third of its archive and disrupting court websites and communications for about a month; the operation has been claimed by pro-Ukraine hackers.
State of Alabama
May 13, 2025
•[ service disruption, government ]
Alabama announced a cybersecurity event and warned of possible website or service disruptions. Subsequent updates indicated limited impact with no specific primary effect confirmed.
Service public de Wallonie
May 12, 2025
•[ government, unknown ]
Belgian media reported a cyberattack at SPW, but authorities said the attackers' objective is unknown and there was no evidence of massive data exfiltration at the time.
Undisclosed Japan/Taiwan public institutions
May 8, 2025
•[ government, cyberattack campaign ]
The linked Asahi AJW page is blocked by robots; relying on parallel reporting, this is a campaign/technique article (no discrete victim outcome to code as an event).
Romanian state websites
May 4, 2025
•[ ddos, hacktivism, government ]
Russia-aligned hacktivist group NoName057(16) claimed DDoS attacks on Romanian state and candidate websites on election day; Romania's DNSC confirmed the incidents and said sites were restored.
Government entities (36, Central Asia & APAC)
May 1, 2025
•[ espionage, phishing, malware ]
Phishing lures and Telegram bot-based malware were used by the ShadowSilk cluster to compromise 36 government entities across Central Asia and the Asia-Pacific region between May and July 2025. The campaign focused on espionage, enabling unauthorized access and data theft, and was publicly reported in August 2025 by The Hacker News.
City of Tahlequah municipal systems
April 30, 2025
•[ hack, government ]
City of Tahlequah reported a cyberattack; IT isolated affected systems the same day. Officials reported no ransomware encryption and no evidence of data exfiltration or resident impact.
City Administration of Dresden
April 30, 2025
•[ ddos, government, outage ]
On April 30, 2025, the City of Dresden's official websites became inaccessible due to a massive distributed denial-of-service (DDoS) attack. Officials blocked access to protect municipal IT systems, causing full disruption of online services such as parking ticket applications, petitions, and appointment scheduling. A similar outage occurred the previous weekend. No data theft, ransom demand, or perpetrator identification has been reported.
Pike County (via Ohio Valley Technologies)
April 28, 2025
•[ ransomware, malware, government ]
Third-party ransomware attack via OVT disclosed April 28, 2025. Resulted in unauthorized access and exfiltration of Pike County's sensitive data for over 33,000 individuals. No encryption of county systems was reported.
Legal Aid Agency
April 23, 2025
•[ data leak, government ]
Breach of LAA digital services first detected April 23; by May 16 the scope was deemed far wider. Government confirms theft of sensitive data on applicants dating back to 2010; online services were shut down as a precaution while NCSC/NCA investigated.
At least one government agency or state-owned enterprise in Southeast Asia
April 10, 2025
•[ data leak, espionage, government ]
The Record, citing Symantec's Threat Hunter Team, reported that the China-linked APT group Billbug (also known as Thrip and Lotus Blossom) compromised multiple government and critical infrastructure organizations in a Southeast Asian country in April 2025. The campaign involved exploitation of legitimate digital certificates and living-off-the-land tools to exfiltrate sensitive documents from government and military networks. No encryption or disruption was reported, and the activity is assessed as political espionage conducted under China's Ministry of State Security.
United States Government Senior Officials
March 27, 2025
•[ data leak, government, leaked credentials ]
Reports said private contact details and some passwords of top officials were leaked online.
German Association for Eastern European Studies (DGO)
March 27, 2025
•[ data leak, espionage, government ]
SVR (COZYBEAR) infiltrated email servers of the German Association for Eastern European Studies in late March 2025, exfiltrating correspondence and membership data; the German Interior Ministry formally attributed the intrusion to Russia's foreign intelligence service on April 22, 2025.
City Of Sausalito
March 10, 2025
•[ hacking, government ]
Sausalito reported hacking targeting city systems, prompting meeting cancellation and recovery steps.
French government officials
March 9, 2025
•[ espionage, malware, government ]
Apple notified French officials of targeted mercenary-spyware attacks (latest Sep 3, 2025); CERT-FR says this is the fourth wave in 2025; highly targeted espionage against high-profile users; Apple recommends Lockdown Mode and expert assistance; no attribution disclosed.
Government of Canada
March 8, 2025
•[ hack, social, phishing ]
A software-update vulnerability at MFA provider 2Keys allowed access to contact data for federal service users (CRA/ESDC phone numbers; CBSA emails) authenticating between Aug 3–15, 2025; attacker sent phishing SMS to some numbers; government deems no further sensitive data accessed.
U.S.–China Business Council
March 7, 2025
•[ espionage, phishing, government ]
China-linked APT41/TA415 impersonated Rep. Moolenaar and USCBC in July 2025 spear-phishing to deliver malware and create remote tunnels to spy on U.S. trade-policy stakeholders; investigations ongoing; success not verified.