September 2025: Record DDoS Attacks, Salesforce Records Theft, $130M Fintech Fraud & Ransomware Disruption at JLR
September 2025 marked one of the most consequential months of the year for global cybersecurity, defined by record-breaking DDoS activity, large-scale SaaS supply chain breaches, and mounting financial and manufacturing disruptions.
Threat actors continued to target high-value ecosystems, from Salesforce integrations exploited to steal 1.5 billion records, to fintech networks where attackers attempted to divert $130 million through Brazil’s Pix system. Meanwhile, infrastructure assaults reached unprecedented scale, with Cloudflare and other providers mitigating floods exceeding 22 terabits per second.
Let’s review the major cyberattacks of September 2025, highlighting the most significant incidents, emerging attack patterns, and lessons for defenders worldwide.
1.5 Billion Salesforce Records Exfiltrated via Salesloft Drift Tokens
The ShinyHunters extortion group claimed responsibility for stealing over 1.5 billion Salesforce records from 760 organizations by exploiting compromised OAuth tokens linked to the Salesloft Drift integration. The actors had earlier accessed Salesloft’s GitHub repository, using the TruffleHog tool to extract credentials for Drift and Drift Email platforms. These stolen tokens enabled large-scale data exfiltration from Salesforce tables, including Account, Contact, Opportunity, User, and Case records.

According to Google Threat Intelligence, the attackers searched the exfiltrated Case data for embedded secrets such as AWS access keys and authentication tokens to pivot into additional environments. Victims reportedly included major technology firms such as Google, Cloudflare, Zscaler, and Palo Alto Networks. Although the threat actors announced plans to cease operations, analysts warned that related campaigns targeting financial institutions were still active.
The FBI released Indicators of Compromise (IOCs) and urged Salesforce customers to enforce MFA and review third-party OAuth permissions.
Cloudflare Mitigated Record 22.2 Tbps DDoS Attack
Cloudflare successfully mitigated a record-breaking Distributed Denial-of-Service (DDoS) attack that peaked at 22.2 Tbps and 10.6 Bpps, the largest ever observed to date. The 40-second volumetric flood generated traffic equivalent to roughly one million concurrent 4K video streams, overwhelming routers and firewalls with packet volume rather than bandwidth saturation.
Cloudflare had already faced a comparable 11.5 Tbps flood just weeks prior, signaling a new normal of hyper-volumetric DDoS activity.
Researchers linked the earlier 11.5 Tbps assault to the AISURU botnet, which has compromised over 300,000 devices worldwide. The botnet continues to exploit vulnerabilities to spread, targeting IP cameras, Realtek chips, and routers from several vendors including Zyxel and D-Link.
1.5 Billion PPS DDoS Attack Targeted European Mitigation Provider
The surge in hyper-volumetric attacks wasn’t limited to Cloudflare. FastNetMon handled a record 1.5 Bpps flood – among the largest packet-rate DDoS incidents ever recorded, highlighting how quickly such assaults are scaling worldwide.
The assault targeted a European DDoS mitigation service provider and originated from a botnet composed of thousands of compromised IoT devices and MikroTik routers distributed across more than 11,000 networks worldwide. The flood consisted primarily of UDP traffic from hijacked customer-premises equipment (CPE).
The incident exemplifies the growing risk of consumer hardware being weaponized for large-scale DDoS operations and underscores the need for ISP-level defenses. Despite the surge in such activity in September 2025, data theft and ransomware remained the month’s primary cyber threats.
Quickly evaluate how your domain holds up against Denial of Service risks with the DoS Resilience tool on SOCRadar Labs
Allianz Life Breach Exposed Data of 1.5 Million Customers via Third-Party CRM Compromise
Allianz Life reported that a July 16 security incident exposed the personal information of nearly 1.5 million individuals.
The breach originated from a third-party cloud-based CRM platform used by the insurer, allowing threat actors to access sensitive data such as names, addresses, dates of birth, and Social Security numbers (SSNs). The company emphasized that no internal Allianz Life systems were affected and that the breach was isolated to the external CRM environment.
Attribution points to the Scattered Spider group, which has been linked to a series of coordinated intrusions targeting Salesforce environments used by major global brands, including Cisco, Dior, and Air France.
See the operations and TTPs of the threat group on SOCRadar’s Dark Web Profile: Scattered Spider
Security analysts noted that despite recent claims of retirement by Scattered Spider and ShinyHunters, both groups continue to pose an ongoing supply chain threat.
Allianz notified regulators in October and offered two years of complimentary identity protection and credit monitoring to affected individuals and partners.
WestJet Data Breach Exposed Personal Information of 1.2 Million Passengers
WestJet confirmed in September 2025 that a cyberattack earlier this year led to the theft of personal information belonging to approximately 1.2 million passengers.
According to regulatory filings, the stolen data included names, dates of birth, postal addresses, passport and government ID details, and customer service records such as special requests and complaints. Information linked to the airline’s rewards program (such as points balances and account identifiers) was also compromised.
The incident was first detected in June, when WestJet discovered unauthorized access to its network. While the company did not disclose the intrusion method, media reports linked this breach as well to the Scattered Spider threat group, which is known for social engineering and impersonation tactics.
Uncover Threat Actor Movements Before They Strike
Track ransomware groups, black markets, and Telegram channels with SOCRadar’s Dark Web Monitoring and Threat Actor Tracking. These capabilities map connections between actors, campaigns, and compromised assets, helping analysts identify early warning signs of breaches and extortion attempts.
Figure: SOCRadar Dark Web Monitoring module
Whether monitoring activity from groups like Scattered Spider, ShinyHunters, or Lapsus$, SOCRadar provides contextual intelligence drawn from millions of underground sources. Teams can view actor profiles, monitor leaked credentials or data, and receive automated alerts when their organization, domains, or executives appear in dark web chatter.
npm Breach Exposed Developers to Cryptocurrency-Stealing Malware
A large-scale compromise in the npm ecosystem exposed millions of developers to malicious code that hijacked cryptocurrency transactions.
Threat actors gained control of maintainer accounts via a phishing campaign impersonating npm security notifications, then published trojanized versions of popular packages including chalk, debug, and ansi-styles, which together account for billions of weekly downloads.
Figure: the phishing email used in the campaign
The injected code intercepted wallet activity by hooking browser functions such as fetch and window.ethereum, redirecting transactions to attacker-controlled addresses. npm removed the malicious versions within hours, though applications that installed the affected versions during that window may still carry the malicious code.
The attack highlighted persistent risks in open-source supply chains and the importance of securing developer accounts with strong authentication and dependency auditing.
Full technical details and IoCs available on SOCRadar’s blog: “Massive npm Supply Chain Attack Exposes Millions to Crypto-Stealing Malware”.
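One defensive check that follows from the hooking described above, added here as an illustration and not code from the SOCRadar post or the affected npm packages: record the original references of the browser entry points a page depends on (fetch and window.ethereum are the two the payload is reported to have hooked; XMLHttpRequest.prototype.open is an assumed addition) and report any that are later swapped out. The `win` argument is assumed to be the page's window, or a constructed stand-in as in the test.

```javascript
// Added defensive example (not code from the SOCRadar post or the affected npm packages).
// Records the original references of watched browser entry points at page load and
// later reports any that were replaced, which is how the trojanized packages inserted
// themselves in front of fetch and window.ethereum. `win` is a window-like object.

// Captured once, before any page script gets a chance to patch it.
const nativeToString = Function.prototype.toString;

// True for engine built-ins. Note: a callable Proxy also stringifies as "[native code]",
// so this is only a secondary signal; reference identity (below) is the primary one.
function isNativeFunction(fn) {
  if (typeof fn !== "function") return false;
  return /\[native code\]/.test(nativeToString.call(fn));
}

// Resolve a dotted path such as "ethereum.request" against a root object.
function resolvePath(root, path) {
  return path.split(".").reduce((obj, key) => (obj == null ? undefined : obj[key]), root);
}

// fetch and window.ethereum are the hooks named in the reporting; XHR is an assumed extra.
const WATCHED_HOOKS = ["fetch", "XMLHttpRequest.prototype.open", "ethereum.request"];

// Take a baseline of the function references present right now (call as early as possible).
function snapshotHooks(win) {
  const snapshot = {};
  for (const path of WATCHED_HOOKS) {
    const fn = resolvePath(win, path);
    if (fn !== undefined) snapshot[path] = fn;
  }
  return snapshot;
}

// Compare the live references against the baseline. Returns one finding per changed hook.
function findTamperedHooks(win, snapshot) {
  const findings = [];
  for (const path of WATCHED_HOOKS) {
    const current = resolvePath(win, path);
    const original = snapshot[path];
    if (current === original) continue;
    if (original === undefined) {
      // A provider injected after the snapshot (e.g. a wallet extension) lands here.
      findings.push({ path, reason: "added-after-snapshot" });
    } else {
      findings.push({ path, reason: "replaced", looksNative: isNativeFunction(current) });
    }
  }
  return findings;
}
```

Run `snapshotHooks` from the first script on the page and `findTamperedHooks` before signing or submitting a transaction; a "replaced" finding whose `looksNative` is false is a plain JavaScript wrapper of the kind the npm payload installed.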
Sinqia Cyberattack Attempted to Divert $130 Million Through Pix Payment System
In September 2025, Brazilian fintech firm Sinqia (a subsidiary of Evertec) disclosed a cyberattack in which threat actors attempted to steal roughly $130 million through unauthorized Pix transactions.
Detected on August 29, the incident involved fraudulent transactions between two financial institutions, using Sinqia’s Pix processing platform. These institutions were later identified as HSBC and Artta. According to Sinqia’s SEC filing, the attackers exploited compromised credentials from one of its IT vendors to initiate the illicit transfers.

Upon detecting the activity, Sinqia immediately suspended Pix operations, engaged forensic experts, and reported the event to law enforcement and Brazil’s central bank (BCB). The BCB temporarily barred Sinqia from resuming Pix and SPB transaction processing pending review.
The company stated that a portion of the stolen funds has been recovered and confirmed that no customer data was exfiltrated during the attack.
Jaguar Land Rover Cyberattack Halted Production and Triggered £1.5 Billion UK Loan Guarantee
Jaguar Land Rover (JLR) suffered a major cyberattack in late August that severely disrupted global manufacturing and retail operations, forcing the automaker to suspend production for weeks.
The company initially stated that no customer data appeared compromised but later confirmed that threat actors had stolen some internal information. The attack prompted the UK government to issue a £1.5 billion loan guarantee to help JLR stabilize its supply chain and pay affected suppliers.
The incident was attributed to Scattered Lapsus$ Hunters, believed to include members from the Scattered Spider, Lapsus$, and ShinyHunters collectives. The group claimed to have deployed ransomware on JLR’s network and posted screenshots of internal SAP systems as proof of compromise.
Find out more about the threat group on SOCRadar’s Dark Web Profile: Scattered Lapsus$ Hunters
JLR worked with the UK National Cyber Security Centre (NCSC) and law enforcement to investigate, while gradually restoring systems in a controlled restart.
Build Resilience with Unified Threat Intelligence and Early Detection
The line between opportunistic breaches and systemic disruption is narrowing. Maintaining context, visibility, and speed is now the difference between control and crisis.
SOCRadar’s Extended Threat Intelligence (XTI) platform brings together real-time monitoring for breaches, vulnerabilities, and dark web leaks, helping security teams detect and respond faster. Its Attack Surface Management, Digital Risk Protection, and Dark Web Monitoring modules deliver complete visibility into external threats targeting your infrastructure.
Figure: SOCRadar’s ASM module, Company Vulnerabilities
From exploit alerts to credential exposure and active ransomware tracking, the platform consolidates intelligence into a single view, enabling defenders to prioritize high-impact risks and act before attackers.