SOCRadar® Cyber Intelligence Inc. | Major Cyber Attacks in Review: May 2025
Jun 17, 2025

Major Cyber Attacks in Review: May 2025

May 2025 saw a series of high-impact cyberattacks across multiple industries, exposing vulnerabilities in everything from decentralized finance to retail giants and telecom infrastructure.

This month’s highlights include a $223 million crypto theft from Cetus Protocol, a supply chain breach exposing 27 million SK Telecom phone numbers, and Coinbase revealing data access by rogue insiders affecting nearly 70,000 users. LockBit was hacked, leaking thousands of Bitcoin addresses and chats. The CoGUI phishing kit sent over 580 million emails worldwide, while UK retailers faced coordinated ransomware and social engineering attacks causing major disruption.

This review outlines these headline incidents from May 2025, examining the threats, impacts, and responses that defined last month’s cybersecurity landscape.

$223 Million Stolen from Cetus Protocol

On May 22, 2025, attackers exploited a vulnerability in the smart contract of Cetus Protocol’s liquidity pools, stealing approximately $223 million in virtual assets. The flaw originated from an open-source library used in the liquidity provider’s smart contract, allowing hackers to manipulate pool prices and repeatedly drain token reserves.

The attackers first swapped stablecoins USDT for USDC, then bridged funds to the Ethereum blockchain where they converted them to native assets. Cetus identified two SUI and two Ethereum wallet addresses linked to the theft.

Despite the scale of the theft, Cetus managed to freeze $162 million of the stolen assets. The incident is the second-largest crypto heist of 2025, after the $1.5 billion Bybit attack.

The company worked with the Sui Foundation and partners on recovery efforts, offering the attackers a $6 million bounty as an incentive to return the remaining stolen assets.

Attackers exploited a smart contract vulnerability in Cetus Protocol to steal $223 million in crypto assets.

SK Telecom Supply Chain Breach Exposed 27 Million Phone Numbers Over Three Years

SK Telecom revealed that the SIM data breach disclosed in April dates back to 2022, involving a prolonged malware-based supply chain breach that exposed over 27 million mobile phone numbers, raising new concerns about telecom security and customer privacy.

The attack targeted SK Shieldus, a security affiliate spun off in 2021, affecting hundreds of corporate clients using its endpoint protection software.

Malware in SK Shieldus software enabled the exposure of 27 million phone numbers.

Discovered by South Korea’s Ministry of Science and ICT, the malware operated from May 2021 to early 2024, extracting phone numbers undetected. Attackers inserted a malicious module during SK Shieldus’s software packaging, enabling data theft through external Command and Control (C2) servers.

SK Shieldus confirmed no names, personal IDs, or location data were leaked. Still, the compromise of security software itself highlights risks in trusted vendor environments.
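The SK Shieldus case is a packaging-stage compromise: the build was clean, and a module was added while the release was being assembled. The check that catches this is a comparison of the shipped package against a manifest produced by the build system and authenticated before it is trusted. The following is an added example written for this review, not SK Shieldus's or SK Telecom's code; every file name, byte string, hash and key in it is constructed, and a keyed MAC stands in for the release signature a real pipeline would use.

```python
"""Added example (not SK Shieldus's or SK Telecom's code): verify a shipped
software package against its build-time manifest, the check that catches a
module slipped in at packaging time. Every file name, byte string, hash and
key below is constructed for the example."""
import hashlib
import hmac
import json
from typing import Dict, List

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed release as it left the build system: file name -> content.
RELEASE_FILES: Dict[str, bytes] = {
    "agent.exe": b"constructed agent binary v1.0",
    "scanner.dll": b"constructed scanner module",
    "config.ini": b"[agent]\nupdate_url=https://updates.vendor.example\n",
}

# Build-time manifest: file name -> SHA-256. In practice the build pipeline
# produces and signs this; a keyed MAC stands in for the signature here.
MANIFEST: Dict[str, str] = {name: sha256_hex(data) for name, data in RELEASE_FILES.items()}
MANIFEST_KEY = b"constructed-build-signing-key"

def manifest_tag(manifest: Dict[str, str], key: bytes) -> str:
    """Tag over a canonical JSON form so key order cannot change the result."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()

def manifest_is_authentic(manifest: Dict[str, str], tag: str, key: bytes) -> bool:
    return hmac.compare_digest(manifest_tag(manifest, key), tag)

def verify_package(manifest: Dict[str, str], package: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Compare a shipped package with the manifest.

    'modified'   : shipped file whose hash differs from the manifest
    'unexpected' : shipped file that the manifest does not list
    'missing'    : manifest entry that was not shipped
    """
    findings: Dict[str, List[str]] = {"modified": [], "unexpected": [], "missing": []}
    for name, expected in manifest.items():
        if name not in package:
            findings["missing"].append(name)
        elif not hmac.compare_digest(sha256_hex(package[name]), expected):
            findings["modified"].append(name)
    findings["unexpected"] = [n for n in package if n not in manifest]
    return {k: sorted(v) for k, v in findings.items()}

def is_clean(findings: Dict[str, List[str]]) -> bool:
    return not any(findings.values())

def check_release(manifest, tag, key, package) -> str:
    """Full check: refuse an unauthenticated manifest, then compare files."""
    if not manifest_is_authentic(manifest, tag, key):
        return "reject: manifest tag invalid"
    findings = verify_package(manifest, package)
    return "ok" if is_clean(findings) else "reject: " + json.dumps(findings, sort_keys=True)

# Constructed tampered package: one module added at packaging time and the
# update URL pointed elsewhere, the shape of a packaging-stage compromise.
TAMPERED_PACKAGE = dict(RELEASE_FILES)
TAMPERED_PACKAGE["telemetry.dll"] = b"constructed module not in the manifest"
TAMPERED_PACKAGE["config.ini"] = b"[agent]\nupdate_url=https://updates.attacker.example\n"

if __name__ == "__main__":
    tag = manifest_tag(MANIFEST, MANIFEST_KEY)
    print("release :", check_release(MANIFEST, tag, MANIFEST_KEY, RELEASE_FILES))
    print("tampered:", check_release(MANIFEST, tag, MANIFEST_KEY, TAMPERED_PACKAGE))
```

The order matters: the manifest is authenticated before any file is compared, because an attacker who can add a module to the package can usually also edit an unprotected manifest to list it. The same comparison run on the customer side, against a manifest signed by the vendor's build key rather than a shared MAC key, is what lets endpoints refuse a release that was altered after the build.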

Coinbase Data Breach Exposed Customer Information of Nearly 70,000 Users

In a significant breach disclosed in May 2025, Coinbase revealed that cybercriminals collaborated with rogue support agents to steal sensitive data from approximately 69,461 customers. The breach involved insiders at Coinbase’s overseas retail support centers who accessed and exfiltrated customer information without authorization.

In May 2025, Coinbase suffered a data breach exposing info of nearly 70,000 customers via rogue agents.

While credentials such as passwords, private keys, and seed phrases were not compromised, the stolen data included personally identifiable information: names, birth dates, partial Social Security and bank account numbers, contact details, government ID images, and transaction histories. This information puts victims at risk of social engineering attacks designed to trick them into transferring funds.

The attackers attempted to extort Coinbase for $20 million to prevent the leak of the stolen data. Coinbase refused to pay and instead set up a $20 million reward fund for information leading to the attackers’ capture. The company has pledged to reimburse customers who were defrauded through scams related to this incident, estimating that remediation costs could range between $180 million and $400 million.

Coinbase urged users to stay vigilant against impersonation scams, advising them to enable Two-Factor Authentication (2FA) and withdrawal allow-listing.

Massive CoGUI Phishing Campaign Sends Over 580 Million Malicious Emails

Between January and April 2025, the CoGUI phishing kit drove an unprecedented email scam, sending over 580 million phishing messages targeting users mainly in Japan, with smaller waves hitting the U.S., Canada, Australia, and New Zealand.

The attacks impersonated major brands like Amazon, PayPal, Apple, and financial institutions, using spoofed emails with urgent calls to action linked to convincing fake login pages designed to harvest credentials and payment data.

CoGUI’s sophistication lies in its conditional redirection – links activate only if the victim’s device matches attacker-set criteria like IP location, browser language, or device type, otherwise redirecting to the real brand website to evade detection.
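Conditional redirection is exactly what makes a single sandbox detonation unreliable: a scanner that does not match the kit's target profile is bounced to the real brand and reports the link as clean. The defender-side counter is to re-request a suspect link under several client profiles and compare where each one lands. The code below is an added example written for this review, not CoGUI's code and not SOCRadar's product; its profiles, URLs and recorded responses are constructed, the `brand.example` and `lure.test` hosts are placeholders, and `fetch` is a hypothetical callback that stands in for real HTTP so the example runs offline.

```python
"""Added example (not CoGUI's code and not SOCRadar's): a defender-side check
for links that cloak by client profile. It re-requests a suspect link under
several client profiles and compares where each profile lands; if some
profiles reach the real brand and others reach an unrelated host, the link is
flagged as cloaking. Profiles, URLs and recorded responses are constructed,
and `fetch` is a hypothetical callback so the example runs offline."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Set
from urllib.parse import urlsplit

@dataclass(frozen=True)
class Profile:
    name: str
    accept_language: str   # the attributes the text says the kit keys on
    user_agent: str
    client_ip: str

# Constructed probe profiles: a Japanese mobile user, a US desktop user and a
# plain scanner. Real probing would also vary the source network.
PROFILES: List[Profile] = [
    Profile("jp-mobile", "ja-JP", "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X)", "203.0.113.10"),
    Profile("us-desktop", "en-US", "Mozilla/5.0 (Windows NT 10.0; Win64; x64)", "198.51.100.20"),
    Profile("scanner", "en-US", "curl/8.0", "192.0.2.5"),
]

# fetch(url, profile) must return the final URL after following redirects.
Fetcher = Callable[[str, Profile], str]

def registrable_domain(host: str) -> str:
    """Last two labels of the host. Adequate for the constructed data; use a
    public-suffix list for real hosts (e.g. co.uk)."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()

def landing_hosts(url: str, fetch: Fetcher, profiles: List[Profile]) -> Dict[str, str]:
    return {p.name: (urlsplit(fetch(url, p)).hostname or "") for p in profiles}

def assess_link(url: str, fetch: Fetcher, profiles: List[Profile], brand_domains: Set[str]) -> Dict[str, object]:
    """Verdicts:
    legitimate - every profile lands on a brand domain
    suspicious - every profile lands off-brand (no cloaking, still not the brand)
    cloaking   - profiles disagree: some on-brand, some off-brand
    """
    hosts = landing_hosts(url, fetch, profiles)
    off_brand = sorted(n for n, h in hosts.items() if registrable_domain(h) not in brand_domains)
    if not off_brand:
        verdict = "legitimate"
    elif len(off_brand) == len(hosts):
        verdict = "suspicious"
    else:
        verdict = "cloaking"
    return {"url": url, "verdict": verdict, "hosts": hosts, "off_brand_profiles": off_brand}

BRAND_DOMAINS = {"brand.example"}   # constructed brand being impersonated

def constructed_fetch(url: str, profile: Profile) -> str:
    """Recorded behaviour of three constructed links; stands in for real HTTP."""
    if url == "https://t.lure.test/cloaked":
        # Serves the credential page only to a Japanese mobile browser;
        # every other client is bounced to the real brand site.
        if profile.accept_language.startswith("ja") and "iPhone" in profile.user_agent:
            return "https://brand-login.lure.test/signin"
        return "https://www.brand.example/"
    if url == "https://t.lure.test/plain":
        return "https://brand-login.lure.test/signin"   # no cloaking at all
    return url   # the brand's own links resolve to themselves

if __name__ == "__main__":
    for u in ("https://t.lure.test/cloaked", "https://t.lure.test/plain", "https://www.brand.example/help"):
        r = assess_link(u, constructed_fetch, PROFILES, BRAND_DOMAINS)
        print(r["verdict"], u, r["off_brand_profiles"])
```

The useful signal is disagreement between profiles, not any single landing page: the `scanner` profile alone reports the cloaked link as the real brand site, which is the evasion the text describes. When wiring this to live requests, the profile set should cover the locales and device types of the users being protected, and the probes should come from networks the kit cannot already recognise as security vendors.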

Although linked to China-based threat actors and sharing some traits with other phishing kits like Darcula, CoGUI operates independently and supports multiple threat groups.

This large-scale campaign highlights the growing threat of Phishing-as-a-Service (PhaaS) platforms, underlining the need for vigilance, 2FA, and user awareness to counter evolving scams.

Stay ahead of phishing attacks and safeguard your users and brand reputation with SOCRadar

Phishing scams often use fake emails, websites, or social profiles to impersonate trusted brands and steal data. SOCRadar’s Brand Protection detects these threats early by monitoring across channels and alerts your team instantly.

LockBit Ransomware Gang Hacked, Nearly 60,000 Bitcoin Addresses and Internal Data Leaked

The LockBit ransomware group was hacked when attackers defaced their Dark Web panel and leaked almost 60,000 Bitcoin addresses used for ransom payments, along with internal chat logs and backend data.

The leaked data included:

  • Nearly 60,000 Bitcoin addresses linked to ransom payments
  • Ransomware builds targeting specific companies
  • Over 4,400 negotiation messages between affiliates and victims
  • Credentials for 75 affiliates and admins, including plaintext passwords

LockBit admitted the breach but said no private keys or highly sensitive data were exposed. The chat logs showed varied ransom demands, victim negotiations, and scripted replies. The breach likely exploited a PHP vulnerability (CVE-2024-4577) allowing Remote Code Execution (RCE) on LockBit’s server.

This leak offered law enforcement and analysts key data to trace ransom movements and disrupt operations, while also damaging LockBit’s reputation after recent infrastructure takedowns.

UK Retail Giants Hit by Coordinated Cyber Attacks Fueled by Social Engineering and Ransomware

Between April and May 2025, major UK retailers – including Marks & Spencer, Co-op, Harrods, and Dior – fell victim to a wave of cyber attacks attributed to the Scattered Spider group and DragonForce Ransomware affiliates.

DragonForce Ransomware threat actor card by SOCRadar

The attacks exploited social engineering tactics focused on service desk teams, tricking staff into granting access that allowed threat actors to deploy ransomware, steal customer data, and disrupt critical services.

Marks & Spencer faced a ransomware assault that encrypted VMware ESXi virtual machines, forcing the shutdown of online orders across 1,400 stores and causing an estimated £300 million in losses.

Similarly, Co-op experienced a breach leading to the theft of member data and operational challenges. Harrods successfully contained unauthorized access attempts but restricted internet access to mitigate further risks.

Dior confirmed a data breach exposing customer contact and purchase information.

The UK’s National Cyber Security Centre (NCSC) has issued guidance following these attacks, calling them a “wake-up call” for all large businesses to strengthen defenses.

Protect Your Organization with SOCRadar’s Threat Intelligence Solutions

In today’s fast-moving threat landscape, timely and actionable intelligence is key to reducing risk. SOCRadar’s Extended Threat Intelligence (XTI) platform combines powerful modules to help your security team:

  • Monitor the Dark Web for leaked data and threat actor chatter,
  • Track emerging vulnerabilities and exploit trends,
  • Map your Attack Surface to identify exposed assets and misconfigurations,
  • Analyze threat actors and ransomware campaigns to anticipate attacks.

SOCRadar’s Dark Web Monitoring

Leverage SOCRadar to gain actionable insights and improve your defenses before threats impact your business.