SOCRadar® Cyber Intelligence Inc. | Jan 12, 2026

December 2025: Coupang & WIRED Data Leaks, Record DDoS, React2Shell Exploitation

December 2025 closed with a heavy mix of consumer-scale data exposure, supply-chain style vendor fallout, and fast-moving exploitation of newly tracked application flaws.

Major themes included insider risk and weak release controls, attackers leveraging shared service providers to reach many downstream organizations, and continued pressure from botnets capable of brief but extreme traffic spikes. Crypto incidents also stood out, with both a browser-extension compromise and a governance takeover enabling direct asset theft.

Cloudflare Mitigated Record 29.7 Tbps AISURU Botnet DDoS Burst

Cloudflare said it detected and mitigated what it described as the largest Distributed Denial-of-Service (DDoS) attack it had observed, peaking at 29.7 terabits per second.

The company attributed the activity to a botnet-for-hire it tracked as AISURU and said the peak event lasted 69 seconds; the target was not disclosed. The traffic pattern was described as a UDP “carpet-bombing” attack that hit an average of 15,000 destination ports per second while randomizing packet attributes in an attempt to evade defenses.
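The carpet-bombing pattern described above is worth detecting on your own network edge: traffic is spread across thousands of destination ports per second and source attributes are randomized, so per-port or per-source rate limits miss it, while the number of distinct destination ports hitting one target per second stands out. The following is an added example (not Cloudflare's or SOCRadar's code) of that heuristic run over constructed flow records; the threshold values and the record layout are assumptions for illustration.

```python
"""
Constructed detector for UDP "carpet-bombing" floods: flag any target that
receives traffic on an unusually large number of distinct UDP destination
ports within a single second. Flow records are assumed to be tuples of
(timestamp_seconds, src_ip, dst_ip, proto, dst_port, bytes).
"""
import random
from collections import defaultdict

# Assumed threshold: distinct UDP destination ports per target per second.
# Real deployments baseline this from normal traffic.
PORT_SPREAD_THRESHOLD = 1500


def detect_carpet_bomb(records, port_threshold=PORT_SPREAD_THRESHOLD):
    """Return alerts as (second, dst_ip, distinct_ports, flow_count) for every
    target that saw >= port_threshold distinct UDP destination ports in a second."""
    # (second, dst_ip) -> [set of dst ports, number of flows]
    buckets = defaultdict(lambda: [set(), 0])
    for ts, _src, dst, proto, dport, _nbytes in records:
        if proto != "udp":
            continue
        bucket = buckets[(int(ts), dst)]
        bucket[0].add(dport)
        bucket[1] += 1

    alerts = []
    for (sec, dst), (ports, flows) in sorted(buckets.items()):
        if len(ports) >= port_threshold:
            alerts.append((sec, dst, len(ports), flows))
    return alerts


def build_sample_flows(seed=1):
    """Constructed sample: benign DNS/QUIC traffic to 192.0.2.20 plus a
    one-second burst of 3000 UDP packets to 192.0.2.10 with randomized
    source addresses and destination ports (the carpet-bombing shape)."""
    rng = random.Random(seed)
    base = 1_700_000_000
    flows = []
    # Benign: many flows, but only two destination ports (53 and 443).
    for _ in range(5000):
        flows.append((base + 1, "198.51.100.7", "192.0.2.20", "udp",
                      rng.choice([53, 443]), 120))
    # Attack: randomized sources and ports, all landing in the same second.
    for _ in range(3000):
        src = "203.0.113.%d" % rng.randint(1, 254)
        flows.append((base + 1, src, "192.0.2.10", "udp",
                      rng.randint(1, 65535), rng.randint(64, 1400)))
    # Some TCP noise that the detector must ignore.
    for _ in range(200):
        flows.append((base + 1, "198.51.100.9", "192.0.2.10", "tcp", 443, 500))
    return flows


if __name__ == "__main__":
    for sec, dst, ports, flows in detect_carpet_bomb(build_sample_flows()):
        print(f"t={sec} target={dst} distinct_udp_ports={ports} flows={flows}")
```

The benign target never alerts despite a higher flow count, because its traffic concentrates on two ports; the burst target alerts on port spread alone, which is the property randomization cannot hide.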

Quick details on AISURU botnet (SOCRadar Cyber Threat Intelligence module)

Cloudflare also associated AISURU with a 14.1 billion packets-per-second attack and estimated the botnet’s size at roughly 1 to 4 million infected hosts worldwide. It said AISURU activity had frequently targeted telecom providers, gaming companies, hosting providers, and financial services organizations.

Marquis Software Ransomware Breach Exposed Data Across Banks and Credit Unions

Marquis Software Solutions, a Texas-based vendor serving hundreds of community banks and credit unions, was tied to a breach that regulators and other public notices associated with downstream customer exposure across multiple financial institutions.

Public breach notices described a ransomware attack on August 14, 2025, in which attackers accessed Marquis systems via a SonicWall firewall used for remote access, with data theft occurring before any encryption. The affected environment reportedly included systems storing files containing customer data for many client institutions, turning a single compromise into a multi-organization impact.

Public reporting cited at least hundreds of thousands of affected customers, with counts expected to change as more institutions completed reviews and filed notifications; a Maine attorney general breach portal listing was cited as confirmation that notifications were underway.

Visit SOCRadar’s blog post for more details about the Marquis Software breach

Coupang Announced $1.18B Vouchers After 33.7M-Account Data Leak

Coupang said personal details tied to 33.7 million customer accounts were compromised in a breach it attributed to a former employee, triggering scrutiny from users and lawmakers. In response, the company announced a 1.69 trillion won (about $1.18 billion) compensation plan that provided 50,000 won vouchers per affected account, a structure that drew public criticism because the credits could be used only on Coupang services.

During the investigation, Coupang also said it recovered a smashed laptop allegedly linked to the incident after it had been placed in a bag, weighted with bricks, and thrown into a river in an apparent attempt to destroy evidence.

Coupang said it had followed government orders and cooperated with authorities, while legal challenges, including U.S. class action litigation, remained ongoing.

SOCRadar’s Dark Web Monitoring

Such breaches often surface on underground forums, Telegram channels, and data leak sites, where stolen records, access claims, and extortion threats appear long before formal notifications follow.

SOCRadar’s Dark Web Monitoring tracks these spaces continuously, identifying leaked datasets, actor chatter, and early signs of targeting across forums, marketplaces, and private channels. By detecting issues at the point where threat actors coordinate and monetize breaches, SOCRadar supports your organization for faster investigation, earlier containment, and more informed response decisions.

React2Shell RCE Exploitation Compromised 30+ Orgs, Hit React and Next.js

A critical Remote Code Execution (RCE) issue tracked as React2Shell was linked to compromises at more than 30 organizations across multiple industries.

The exploitation was tied to React Server Components and the RSC “Flight” protocol, with CVE-2025-55182 and a related Next.js issue (CVE-2025-66478) described as affecting specific React Server DOM packages and Next.js deployments using the App Router across listed version ranges.

Details of CVE-2025-55182 (SOCRadar Vulnerability Intelligence)

Reporting cited Chinese state-backed activity (UNC5174, also referred to as CL-STA-1015) as being behind some intrusions, and said the activity enabled deployment of the Snowlight malware dropper and the Vshell backdoor for remote access and lateral movement. Separate telemetry referenced large-scale exposure estimates, including tens of thousands of potentially affected IPs globally and a substantial U.S. share.

700Credit Incident Exposed Data for 5.8 Million People

700Credit disclosed an incident, detected on October 25, 2025, in which attackers copied certain records involving dealership-client customers from its web application.

The company attributed initial access to a compromised third-party API tied to its application. Authorities said the attackers had compromised a partner’s system in July 2025 and then used access to the API to reach consumers’ personal information.

Reported stolen data included names, addresses, dates of birth, and Social Security numbers. The exposure affected more than 5.8 million individuals, with information collected from dealers between May 2025 and October 2025 downloaded before the attackers were removed from the environment.

The breach highlighted downstream risk to consumers when service providers aggregate identity and credit-check data on behalf of large dealership networks.

ErrTraffic Scales “ClickFix” Social Engineering Into a Paste-and-Run Malware Pipeline

Researchers have identified a campaign and tooling ecosystem associated with ClickFix, operationalized through a framework called ErrTraffic.

ErrTraffic is designed to convert compromised websites into stealthy malware delivery points. The documented user flow is as follows: a victim clicks a “Fix Glitch” style prompt, which triggers JavaScript to copy a PowerShell command to the clipboard and guides the user to paste and run it, downloading and executing a payload.

ErrTraffic v2 advertisement on a hacker forum (Infostealers)

The tooling was described as easy to integrate into compromised sites using a single injected script tag, including a “.js.php” pattern that allows server-side logic while serving JavaScript to the browser.

The framework emphasizes persistence by overlaying the lure under selective conditions so the underlying site appears normal to most visitors, reducing the chance of rapid detection.
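Two traits in the description above are checkable by a site owner: the single injected external script tag following the “.js.php” pattern, and inline script that writes to the clipboard to stage the paste-and-run lure. The following is an added example (not the ErrTraffic tooling, not SOCRadar's code) of a page-integrity scan over constructed HTML; the finding labels and the API-string list are assumptions, and the inline script in the sample carries only a placeholder string, not a command.

```python
"""
Constructed page-integrity check: collect <script> tags from HTML and flag
(1) external scripts whose src matches the ".js.php" pattern and
(2) inline scripts that write to the clipboard, the mechanism behind the
"copy a command, then paste and run it" lure.
"""
import re
from html.parser import HTMLParser

# Assumed indicator list: browser APIs that place text on the clipboard.
CLIPBOARD_APIS = (
    "navigator.clipboard.writeText",
    "execCommand(\"copy\")",
    "execCommand('copy')",
)
# Assumed pattern: a ".js.php" path, optionally followed by a query string.
SUSPICIOUS_SRC = re.compile(r"\.js\.php(\?|$)", re.IGNORECASE)


class ScriptCollector(HTMLParser):
    """Gathers external script src values and inline script bodies."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline = []
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self.inline.append("".join(self._buf))
            self._in_script = False


def scan_html(html):
    """Return a list of (finding_kind, evidence) tuples for the given HTML."""
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for src in parser.external:
        if SUSPICIOUS_SRC.search(src):
            findings.append(("external-js-php", src))
    for body in parser.inline:
        if any(api in body for api in CLIPBOARD_APIS):
            findings.append(("inline-clipboard-write", body.strip()[:60]))
    return findings


# Constructed samples: a clean page and the same page with an injected tag
# and a clipboard-writing inline script (placeholder text, no command).
CLEAN_HTML = """<html><head>
<script src="/static/jquery.min.js"></script>
</head><body><p>Welcome</p></body></html>"""

INJECTED_HTML = """<html><head>
<script src="/static/jquery.min.js"></script>
<script src="https://cdn.example.invalid/assets/lib.js.php?v=3"></script>
</head><body><p>Welcome</p>
<script>
  var cmd = "PLACEHOLDER_TEXT";
  document.getElementById("fix").onclick = function () {
    navigator.clipboard.writeText(cmd);
  };
</script>
</body></html>"""


if __name__ == "__main__":
    for kind, evidence in scan_html(INJECTED_HTML):
        print(kind, "=>", evidence)
```

Run it against a saved copy of each page template, or against pages fetched from the site, and compare the output with the script inventory you expect; an unexpected external src or any inline clipboard write on a page that has no copy-to-clipboard feature is the signal. Because the lure is overlaid only under selective conditions, fetch with more than one user agent and from more than one network before concluding a page is clean.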

University of Phoenix Breach Affected 3.5M in Oracle EBS Attack Campaign

In a breach tied to attacks against Oracle E-Business Suite (EBS) environments, the University of Phoenix reported that roughly 3.5 million individuals were affected.

The intrusion was linked to a broader campaign in which attackers exploited zero-day vulnerabilities in Oracle EBS to access customer-stored data. The university said it became aware of an EBS-related cybersecurity incident on November 21, 2025, shortly after being named publicly by the cybercriminals behind the campaign. The operation was claimed by the Cl0p ransomware group, while reports also noted attribution to a FIN11-linked cluster.

SOCRadar threat actor card for Clop Ransomware

The campaign affected more than 100 organizations, including companies and universities, with activity believed to have occurred over the summer of 2025 before becoming widely known in early October.

Unleash Protocol Lost Nearly $3.9M After Multisig Governance Takeover

Unleash Protocol disclosed the theft of nearly $3.9 million in cryptocurrency after attackers took over its multisig governance and pushed an unauthorized smart contract upgrade.

The project said the unpermitted upgrade enabled withdrawals of multiple assets, including USDC, wrapped IP, staked IP, voting-escrowed IP, and wrapped Ether. According to researchers, third-party infrastructure was used to bridge the stolen assets to Ethereum before they were deposited into Tornado Cash.

The incident was framed as a governance control failure leading directly to a contract-level change and immediate fund movement, rather than an exchange compromise or wallet-draining event tied to end users.

Trust Wallet Chrome Extension Incident Triggered About $7M in Losses

Trust Wallet said a security incident involving its Google Chrome browser extension resulted in losses of about $7 million and stated it would refund affected users.

The company said the issue affected extension version 2.68 and advised users to update to version 2.69; it also said mobile-only users and other extension versions were not affected. Trust Wallet’s CEO said the malicious version was published outside the company’s manual release process, and the company’s findings indicated a leaked Chrome Web Store API key was used to submit the tampered build via the Chrome Web Store API, bypassing standard checks.

The malicious version was released on December 24, 2025 at 12:32 p.m. UTC, affecting users who logged in before December 26, 2025 at 11 a.m. UTC.

Threat Actor Leaked 2.3M WIRED Subscriber Records, Claimed Wider Condé Nast Access

A dataset linked to over 2.3 million WIRED subscribers appeared on underground hacking forums in late December 2025 and was later assessed by independent security researchers as legitimate rather than fabricated.

The leak is attributed to a threat actor using the alias “Lovely,” who claimed the data was released after the company failed to respond to vulnerability reports. The actor also threatened that additional datasets affecting more than 40 million Condé Nast users would be released in the following weeks, a claim that was presented as unverified.

WIRED subscribers data leak post (SOCRadar Dark Web News)

The leaked material is described as a WIRED database export, with shared screenshots and samples indicating structured JSON data. The analysis suggested the dataset reflected direct access to internal account endpoints rather than third-party scraping, based on the format and how it was presented in the leak materials.

For more details on the data leak incident, refer to SOCRadar’s blog post: “WIRED Data Leak Exposes 2.3M Users Amid Broader Claims”.

Unifying Threat Intelligence With SOCRadar XTI

December 2025 closed out the year with a clear reminder of how modern threats converge around exploited vulnerabilities, leaked access, supply-chain exposure, identity abuse, and large-scale infrastructure attacks. Many of the incidents reviewed this month reflected patterns outlined in SOCRadar’s Holiday Shopping Cyber Threats whitepaper, which examined how attackers take advantage of year-end slowdowns and reduced monitoring windows.

As organizations move into 2026, visibility across external threat activity, exposed assets, and third-party risk remains critical. SOCRadar’s platform brings together capabilities such as Attack Surface Management, Dark Web Monitoring, Brand Protection, and more to help teams track active exploitation, identify leaked data, and prioritize response with clearer context – supporting a more informed start to the new year.