SOCRadar® Cyber Intelligence Inc. | July 2025: Allianz, Qantas, M&S, Co-op Breaches, $140M Bank Hack & SharePoint 0-Day Exploits 
Aug 19, 2025

July 2025: Allianz, Qantas, M&S, Co-op Breaches, $140M Bank Hack & SharePoint 0-Day Exploits

From airlines and insurers to banks and retailers, July 2025 showed no sector was off-limits for cybercriminals. Attacks came through phone calls, poisoned code, stolen credentials, and zero-day exploits – each one exposing just how many doors are left open to determined adversaries.

Among the month’s most notable cases were the Allianz Life and Qantas breaches, which exposed millions of customer records, a $140 million insider-enabled bank heist in Brazil, and the sudden disappearance of Abacus Market in what experts believe was a darknet exit scam.

Keep reading for a closer look at each major incident and discover the patterns every security team should be watching.

Allianz Life Data Breach Exposed 1.4 Million U.S. Customers in Supply Chain Attack

On July 16, 2025, Allianz Life disclosed a data breach stemming from a supply chain compromise involving its cloud-based Customer Relationship Management (CRM) system. Threat actors employed social engineering to impersonate IT helpdesk staff, persuading Allianz employees to grant access to the Salesforce Data Loader tool. This utility allowed bulk extraction of sensitive records from the platform, which Allianz uses to manage customer, financial professional, and employee information.

The attack scheme (Mandiant)

The exposed data set included names, addresses, birth dates, Social Security numbers (SSNs), contact details, insurance policy details, and potentially other financial information. Although Allianz confirmed its internal infrastructure was not directly breached, the incident highlighted the risks of third-party dependencies. In the United States alone, the insurer serves approximately 1.4 million customers.

Qantas Data Breach Exposed 5.7 Million Customers

On July 1, 2025, Australian airline Qantas detected a breach of a third-party platform supporting its contact center operations. Soon after, the company confirmed that data from approximately 5.7 million customers had been exposed.

Impacted records varied in detail, with 4 million limited to names, email addresses, and frequent flyer information, while another 1.7 million included more sensitive data such as addresses, dates of birth, phone numbers, and, in some cases, meal preferences. Qantas stressed that passwords, payment data, and passport information were not compromised, and said it has notified customers and implemented additional safeguards.

Breaches Connected to ShinyHunters Salesforce Campaign

Later in July, Qantas was named alongside Allianz Life, LVMH, and Adidas in a wave of breaches tied to the ShinyHunters extortion group. According to Google’s Threat Intelligence Group, these attacks exploited Salesforce CRM instances through voice phishing. Threat actors impersonated IT staff in phone calls to employees, tricking them into linking malicious apps such as altered versions of Salesforce’s Data Loader.

ShinyHunters threat actor card 

Also check out our blog post, “Salesforce Related Data Breach Affecting Multiple Companies”, for a deeper analysis of this campaign.

Malicious Command Planted in Amazon Q AI Coding Assistant

In mid-July 2025, Amazon confirmed that a malicious code injection had been discovered in version 1.84.0 of its Q Developer Extension for Visual Studio Code. The tool, part of AWS’s AI development suite, is used by nearly one million developers for coding, debugging, and configuration tasks.

The attacker, using the alias “lkmanka58,” gained repository access by submitting a pull request to Amazon Q’s GitHub, likely exploiting workflow misconfigurations or inadequate permission controls.

The injected prompt instructed the AI agent to erase local files and, under certain conditions, dismantle AWS cloud infrastructure. Although Amazon stated the code was incorrectly formatted and would not execute in customer environments, some reports indicated limited execution without damage.

The compromised version was published on July 17 and replaced with a clean build (v1.85.0) on July 24 following security researcher alerts. AWS revoked affected credentials, removed the unapproved code, and assured that no customer resources were impacted.

Major Dark Web Marketplace ‘Abacus’ Vanishes Amid Suspected Exit Scam

In July 2025, Abacus Market abruptly shut down all of its online infrastructure, sparking widespread speculation of an exit scam. While not a cyberattack, this closure is a major development in the cybercrime ecosystem, given Abacus’s scale and influence.

Blockchain intelligence firm TRM Labs noted that users first reported withdrawal problems in late June, with daily deposits collapsing from $230,000 across 1,400 transactions to just $13,000 and 100 deposits by early July. Administrators blamed the slowdown on a DDoS attack and a wave of new users following the takedown of rival Archetyp Market, but transaction activity continued to plummet. Soon after, Abacus and its clearnet mirror went offline without any law enforcement seizure notice.

Researchers estimate that the popular Dark Web platform facilitated at least $300 million in illicit sales, the majority through privacy-focused Monero transactions. The site’s disappearance, whether due to an administrator cash-out or an unannounced takedown, removes a dominant player in darknet trade involving drugs, cybercrime tools, counterfeit goods, and illicit services.

Discover what’s being traded about your organization in hidden corners of the web.

The sudden disappearance of Abacus Market shows how fast the underground economy evolves – but also how much risk it leaves behind. Stolen data, malware kits, and access credentials don’t vanish with the marketplaces; they scatter to new forums and threat actors.

With SOCRadar’s Dark Web Monitoring, you gain visibility into chatter, leaks, and sales tied to your brand or supply chain, so you can act before it is too late.

Clorox Sought $380 Million in Damages Over 2023 Cyberattack

In July 2025, Clorox filed a lawsuit in California state court against IT services provider Cognizant, alleging that the company’s staff facilitated a 2023 breach by failing to verify password reset requests.

The incident, attributed to the Scattered Spider threat group, occurred in August 2023 and reportedly caused $380 million in damages, including $50 million in remediation costs and the remainder from halted product shipments.

According to the complaint, attackers posing as Clorox employees repeatedly obtained valid credentials by calling Cognizant’s service desk and requesting password resets without undergoing identity verification. The lawsuit claims this allowed the group to access Clorox’s network and deploy ransomware. Cognizant denied the allegations, stating it was contracted for limited help desk services and did not manage Clorox’s cybersecurity.

Clorox further asserted that recovery efforts were delayed due to additional errors by Cognizant staff, such as failing to deactivate accounts or properly restore data after the intrusion.

Widespread SharePoint Exploitation Campaign Leveraged Critical Zero-Day

In July 2025, attackers launched large-scale exploitation of a critical SharePoint zero-day, CVE-2025-53770, as part of the ToolShell campaign. The flaw, caused by insecure deserialization, enabled unauthenticated remote code execution and persistent access through stolen cryptographic keys.

Details of CVE-2025-53770 (SOCRadar CVE Radar)

ToolShell originally chained CVE-2025-49706 (authentication bypass) and CVE-2025-49704 (code injection), but adversaries quickly adapted these techniques to exploit CVE-2025-53770 and the related spoofing vulnerability CVE-2025-53771. Operations attributed to Chinese state-linked groups, including Linen Typhoon, Violet Typhoon, and Storm-2603, targeted high-value entities such as the U.S. National Nuclear Security Administration, government agencies, and critical infrastructure operators.

By late July, Shadowserver identified over 420 unpatched servers, with ransomware campaigns actively exploiting the flaws. Although Microsoft issued patches, researchers cautioned that unrotated keys left compromised environments at risk. Public proof-of-concept exploits further heightened the threat, and organizations worldwide were urged to take immediate action.

Read more about the campaign and its implications on SOCRadar’s blog: “ToolShell Campaign: New SharePoint Zero-Day (CVE-2025-53770) Triggers Widespread Exploitation”.

BigONE Lost $27 Million in Hot Wallet Breach

On July 16, 2025, cryptocurrency exchange BigONE confirmed a $27 million loss following a third-party attack on its hot wallet infrastructure. The breach was detected when abnormal asset movements triggered real-time monitoring alerts. According to the exchange, all private keys remain secure, and the attack vector has been contained to prevent further losses.

The attacker targeted the platform’s production network, likely via compromised CI/CD or server management channels, modifying business logic and disabling risk-control checks. Stolen assets included 120 Bitcoin, 350 Ether, millions of USDT across multiple chains, and various altcoins such as CELR, SNT, and SHIB. Blockchain security firm SlowMist assisted in tracing the stolen funds, which were consolidated and partially converted to WETH, suggesting preparation for laundering through intermediaries or decentralized exchanges.

BigONE pledged to cover all customer losses, deploying internal reserves and securing external liquidity to restore affected wallets.

Co-op Breach Exposed Data of 6.5 Million Members

The Co-op Group confirmed that a recent cyberattack compromised personal details for all 6.5 million members in its nationwide membership program.

CEO Shirine Khoury-Haq stated the intrusion was detected when attackers began moving within internal systems, prompting an emergency shutdown. While no financial or transactional data was taken, the stolen information included names, addresses, and contact details.

Co-op was able to maintain operations throughout, keeping stores and funeral homes open, but acknowledged significant internal disruption.

M&S Breach Linked to DragonForce Ransomware After Social Engineering Attack

Marks & Spencer confirmed that its April 17, 2025, network breach originated from a sophisticated impersonation attack against a third-party service provider. Threat actors posed as a legitimate associate to convince help desk staff to reset an employee’s password, granting them access to M&S systems. The attack, involving IT outsourcing partner Tata Consultancy Services, has been attributed to actors linked to the Scattered Spider group, who deployed the DragonForce ransomware.

Scattered Spider threat actor card

The intrusion led to the encryption of VMware ESXi servers and the theft of an estimated 150GB of data. DragonForce, a ransomware operation believed to be based in Russia, is distinct from the similarly named Malaysian hacktivist group. The attackers employed a double-extortion strategy, encrypting systems while threatening to leak stolen data. Although M&S has not confirmed whether a ransom was paid, the absence of the company’s data on DragonForce’s leak site suggests negotiations or settlement may have occurred.

M&S stated that all systems were deliberately shut down to contain the attack and that ransomware response was handled by external professionals in coordination with UK authorities.

Arrests Linked to UK Retail Attacks

The UK’s National Crime Agency later announced the arrest of four individuals in connection with cyberattacks on major retailers, including Marks & Spencer and Co-op. Authorities seized electronic devices for analysis and believe the suspects are linked to incidents between late April and early May 2025 that caused significant operational disruption.

Hackers Stole $140 Million from Six Brazilian Banks via Insider Access

Another major cyberattack revealed in July involved the theft of more than US$140 million from six Brazilian banks.

The breach occurred on June 30, when hackers bribed an employee of financial connectivity provider C&M to hand over login credentials and run commands inside its systems. The employee, João Nazareno Roque, admitted to the scheme, receiving less than $3,000 in payments before his arrest in São Paulo on July 3.

The attackers, who instructed Roque via the Notion platform, gained access to systems linked to Brazil’s central banking infrastructure. Blockchain researcher ZachXBT reported that $30–40 million of the stolen funds had already been converted to BTC, ETH, and USDT through OTC markets in Latin America. C&M stressed the incident was not due to technical flaws but to human error and social engineering. Authorities continue to investigate while working to trace and freeze the stolen assets.

SOCRadar Attack Surface Management module, Digital Footprint page

From insider-enabled bank fraud and ransomware in retail to zero-day exploits and massive supply chain breaches, July proved attackers are not slowing down. The question is: how quickly can you detect, prioritize, and respond when your turn comes?

SOCRadar’s all-in-one platform unites Cyber Threat Intelligence, Brand Protection, Attack Surface Monitoring, and more to give security teams the edge they need.