From hacks to headlines, here are two months of cyber news in retrospect (May and June 2025):
Cyber Top 10

New Podcast: Cross Examining Karen Kukoda
In this episode of Cross Examining Cyber, we interview Karen Kukoda, cyber risk partner for Mandiant (part of Google Cloud). Taking place in both the IAPP Global Conference in Washington and the RSAC Conference in San Francisco, we discuss the interaction between law and cyber forensic firms, her views on the current threat landscape and the remarkable rise of the Google Mandiant cyber team.
You can listen to the episode here.
Look out for our next Podcast: Cross Examining Tamir Maltz
In this episode, we cross examine Tamir Maltz, Barrister at 12 Wentworth Selborne Chambers, Sydney. With over 20 years of experience working with clients across a variety of sectors, one of Tamir’s recent career highlights includes securing the first Australian injunction against a foreign hacking group. We discuss the pros and the cons for obtaining an injunction, the legal mechanism itself, and how the courts and regulators view these arrangements.
The episode will be dropping later this week. Look out for the episode – to be uploaded here.
Congratulations to our new Senior Associate, Annie Zhang!
Annie Zhang, an integral member of our HSF Kramer Cyber team, was promoted to Senior Associate on 1 July. With a genuine passion for cyber, deep experience and a technical understanding of the subject matter, and an incredible work ethic, Annie consistently delivers excellent outcomes for our clients. We are lucky to have her on our team, and we congratulate her on her well-deserved promotion.

Mandatory ransomware and cyber extortion payment reporting is active from 30 May 2025 – Department of Home Affairs – 30 May 2025
From 30 May 2025, many Australian businesses are subject to mandatory ransom payment reporting to the Australian Signals Directorate (ASD), within 72 hours of making a payment or becoming aware one was made on their behalf. The new reporting regime, introduced under the Cyber Security Act 2024, applies to both monetary and non-monetary payments, including gifts or services. The Department of Home Affairs will oversee compliance, while the ASD will use the reports to assist with incident response and intelligence gathering. Reports must include details about the incident, the payment, communications with the extorting party, and any known vulnerabilities.
APRA reinforces expectations on authentication controls in superannuation sector – Australian Prudential Regulation Authority – 10 June 2025
APRA contacted all superannuation board chairs reinforcing expectations around information security and authentication controls following recent credential stuffing attacks. The regulator reminded Registrable Superannuation Entity (RSE) licensees of their obligations under Prudential Standard CPS 234 and directed them to complete a self-assessment of their security controls. APRA expects multi-factor authentication or equivalent protections to be in place for high-risk activities and privileged access, and for entities to notify APRA of any material weaknesses or breaches. Entities must also identify their Accountable Person under the Financial Accountability Regime responsible for CPS 234 compliance.
Police charge woman over hacks on Western Sydney University, threat to sell data on the dark web – ABC News – 26 June 2025
Birdie Kingston, a 27-year-old former Western Sydney University student, has been charged with 21 offences, including 10 counts of accessing or modifying data held in a computer, after allegedly hacking Western Sydney University’s systems over a four-year period. Initially accessing the system for free parking, she later changed her grades and downloaded over 100GB of personal information, threatening to publish it on the dark web unless the university paid a $40,000 ransom. The university did not pay the ransom, and according to police there is no evidence that the data was published or sold on the dark web. Her actions were purportedly driven by grievances with the university. It is not clear whether this arrest relates to the theft of 580 terabytes of data in a cyber incident in July 2024.
Stronger safeguards for identity security in ID support bill – NSW Government – 7 May 2025
The NSW Parliament introduced a new Bill aiming to limit identity fraud due to breached or stolen documents. The Identity Protection and Recovery Bill 2025 would establish a fraud check service, enabling government agencies and accredited organisations to verify if identity details have been compromised. The Bill would also create a secure ‘Compromised Credential Register’ for quick notifications and replacements of compromised documents. The NSW Government has committed $22.7 million to ID Support over four years.

Sensitive NSW medical records at risk of falling into hackers’ hands, damning leak reveals – Sydney Morning Herald (subscription only) – 28 June 2025
A draft report purportedly released by the Audit Office of NSW raises questions about the management of cybersecurity risks relevant to the state’s local health districts. The document concluded that a preventable cybersecurity incident could disrupt access to healthcare services and compromise the security of sensitive patient information.
No, the 16 billion credentials leak is not a new data breach – Bleeping Computer – 19 June 2025
Reports of a massive leak involving 16 billion credentials are apparently misleading, as experts conclude that the leak, first reported by researchers at CyberNews, is in fact a compilation of credentials previously stolen by infostealers, exposed in past breaches, and obtained via credential stuffing attacks. The dataset, briefly exposed online, includes credentials formatted in logs typical of infostealer malware. While timestamps suggest recent activity, experts argue they reflect when data was compiled, not stolen.
#StopRansomware: Play ransomware – Australian Signals Directorate – 5 June 2025
The Play ransomware group has been identified as one of the most active ransomware threats globally, with over 900 known victims as of May 2025. First observed in Australia in April 2023, Play uses a double extortion model, stealing and encrypting data before demanding payment via email. Victims are often contacted by phone and threatened with data leaks. Authorities including the US Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA) and the ACSC are urging organisations to patch known vulnerabilities, enable multifactor authentication, maintain offline backups and implement strong access controls to reduce the risk of compromise.
Cyber Attacks Surge 47% in Q1 2025, Report Warns – WebProNews – 3 June 2025
A Check Point Software report revealed a 126% surge in ransomware cases in early 2025, with 2,289 publicly named victims claimed by 74 different groups. According to Check Point’s report for Q1 2025, Cl0p led the charge with 392 victims, using zero-day attacks and encryption-less extortion tactics. New players like RansomHub and AI-aided FunkSec are also rising, employing fake leaks and data extortion. The US remains the top target, with significant activity in the UK and Germany. Despite the surge in reported victims, actual crypto payments to ransomware actors have dropped by 35%.
New joint advice on artificial intelligence data security – Australian Signals Directorate – 23 May 2025
A new cybersecurity information sheet released by the Australian Cyber Security Centre (ACSC), alongside agencies from the United States, United Kingdom and New Zealand, outlines best practice guidance for securing data used in artificial intelligence systems. The publication highlights the importance of protecting data across the AI lifecycle, from design and training through to deployment and monitoring, and identifies key risks including poisoned datasets, data drift and compromised supply chains. It recommends practical steps such as encryption, digital signatures, provenance tracking, secure storage and access controls.
OAIC stats show record year for data breaches – Office of the Australian Information Commissioner – 15 May 2025
A record 1,113 data breaches were reported by businesses and government agencies to the Office of the Australian Information Commissioner (OAIC) in 2024, according to the OAIC’s data breach report for July to December 2024. This marks a 25% increase from 893 notifications in 2023. Australian Privacy Commissioner, Carly Kind, commented on the growing threats to privacy, urging organisations to enhance their security measures. Malicious attacks accounted for 69% of reported breaches in the 6 months to December 2024, with health service providers and the Australian Government being the most affected sectors (20% and 17% of all breaches respectively). The public sector continues to lag behind the private sector in terms of timeliness of breach notifications.
Over half of cybersecurity incidents in Australia occur due to unmanaged assets – Trend Micro – 1 May 2025
Over 60% of Australian cybersecurity leaders have experienced incidents due to unknown or unmanaged assets, according to research conducted by Trend Micro. The proliferation of generative AI and IoT devices has increased these risks. Despite 87% acknowledging the connection between attack surface management and business risk, only 45% use dedicated tools to proactively manage attack surface risks.

NHS patient death linked to cyber attack delays – DigWatch – 27 June 2025
A patient at King’s College Hospital in London died allegedly due to delays caused by a ransomware attack on Synnovis, a provider of NHS blood test services. The June 2024 cyberattack, attributed to the Russian group Qilin, disrupted thousands of treatments, including 1,100 cancer therapies and over 1,000 surgeries. Hospitals resorted to using universal O-type blood, leading to a national shortage. Sensitive patient data was also leaked online.
Downfall: BreachForums’ admins arrested as IntelBroker’s identity revealed – Cyber Daily – 26 June 2025
US law enforcement agencies have arrested four individuals believed to run the notorious hacking community, BreachForums, a platform known for trading stolen data. The alleged hackers operated under the names “ShinyHunters”, “Hollow”, “Noct”, and “Depressed”. It has also emerged that, in February 2025, French authorities arrested a 25-year-old British national, Kai West, who is believed to be behind the “IntelBroker” handle. West is charged with conspiracy to commit computer intrusions, conspiracy to commit wire fraud, accessing a protected computer to obtain information, and wire fraud. If found guilty on all counts, West could face up to 50 years in prison. The US is seeking West’s extradition from France.
Lazarus Group Linked to Taiwan Exchange Hack – DigWatch – 23 June 2025
The North Korean state-sponsored Lazarus Group has been linked to a cyberattack on a Taiwanese cryptocurrency exchange. The group reportedly exploited security weaknesses to steal digital assets, continuing its pattern of targeting financial institutions to fund state activities. Authorities are investigating the breach and implementing measures to prevent future incidents. The breach adds to a growing list of Lazarus-linked attacks targeting decentralised finance platforms, exchanges, and cross-chain bridges.
AT&T's US$177M Data Breach Settlement Wins US Court Approval – IT News – 23 June 2025
A US judge has preliminarily approved AT&T's $177 million settlement in relation to lawsuits arising from data breaches in 2024 that exposed personal information of tens of millions of AT&T customers. The lawsuits alleged negligence in protecting customer data. The settlement aims to compensate affected customers whose losses are ‘fairly traceable’ to the incidents. After payments are made for direct losses, the remaining funds will be distributed to customers whose personal information was accessed.
DHS Issues National Terrorism Advisory System Bulletin Amid Israel-Iran Conflict – US Department of Homeland Security – 22 June 2025
The United States Department of Homeland Security has warned of an ‘increased threat in the form of a possible cyberattack’ in the wake of heightened geopolitical tensions. The US expects pro-Iranian hacktivists to target it following the involvement of the US military in the current conflict.
Cyber threat bulletin: People's Republic of China cyber threat activity: PRC cyber actors target telecommunications companies as part of a global cyberespionage campaign – Government of Canada – 19 June 2025
The Canadian Centre for Cyber Security and the FBI have warned that China's state-sponsored group, Salt Typhoon, is targeting global telecommunications providers in a cyberespionage campaign. In February 2025, three network devices of a Canadian telecoms provider were compromised, allowing attackers to extract configurations and set up GRE tunnels for data interception. These reconnaissance activities, the Canadian Centre for Cyber Security has said, suggest broader targeting beyond telecoms – a threat that will evolve over the next two years.
Telecom giant Viasat breached by China's Salt Typhoon hackers – Bleeping Computer – 19 June 2025
Viasat Inc., a US satellite communications provider, has been revealed as the victim of a hack by China's state-sponsored hacking group Salt Typhoon. The hacking group has previously infiltrated multiple telecom networks globally. Viasat discovered the breach earlier in 2025 and collaborated with federal authorities to investigate. Viasat reported that the unauthorised access occurred through a compromised device but found no evidence of customer data being affected. Viasat believes the incident has been resolved and has not detected any recent related activity.
Coinbase faces legal action following data breach impacting more than 69k customers – Cyber Daily – 27 May 2025
Coinbase is facing a securities class action lawsuit after a data breach exposed personal information of more than 69,000 customers, including scans of government-issued IDs and partial bank details. The breach, discovered on 11 May, was linked to overseas-based support staff who were bribed to access customer data. The company refused a USD 20 million ransom demand and instead offered a reward for information on the attacker’s identity. Investors in Coinbase have alleged that the company failed to disclose earlier regulatory issues and that the breach caused a drop in share value.
EU, US Authorities Take Down Malware Network – ITNews – 26 May 2025
European and U.S. law enforcement agencies have dismantled a significant malware network responsible for numerous cyberattacks. The latest phase of ‘Operation Endgame’ targeted “initial access malware” which enables cybercriminals to infiltrate systems and deploy further attacks like ransomware. More than three dozen suspects were identified, 20 individuals were charged, over 300 servers were taken down, 650 domains were neutralised and 3.5 million euros in cryptocurrency were seized. In total, 21.2 million euros have been seized since the operation started in 2024.
Leader of Qakbot Malware Conspiracy Indicted for Involvement in Global Ransomware Scheme – US Department of Justice – 22 May 2025
Rustam Gallyamov, a Russian national, has been indicted for leading a group of cyber criminals who developed and deployed the Qakbot malware. Since 2008, Gallyamov developed, deployed, and controlled the Qakbot malware, and since 2019, Gallyamov allegedly used the Qakbot malware to infect thousands of victim computers around the world to establish a “botnet” of infected computers. Allegedly, once Gallyamov gained access to victim computers, he provided access to co-conspirators who infected the computers with ransomware, including REvil and Conti, in exchange for a cut of the ransoms received from victims.
ENISA unveils cyber stress testing handbook to strengthen critical infrastructure resilience under NIS2 – DigWatch – 21 May 2025
The European Union Agency for Cybersecurity (ENISA) has released a Cyber Stress Testing Handbook aimed at enhancing the resilience of critical infrastructure under the NIS2 directive. The Handbook provides guidelines for conducting stress tests to assess and improve cybersecurity preparedness. Cyber stress tests may be used to inform national risk assessments, prepare for cyber exercises, identify sector-wide vulnerabilities, and support supervisory planning, noting that the guidance is intended for use at the national, regional, and EU levels.
Malicious actors using AI to pose as senior US officials – ITNews – 16 May 2025
Malicious actors are using AI-generated voice and text messages to impersonate senior US officials in a scheme targeting personal accounts of federal and state government personnel. The FBI warns that these messages aim to build trust before redirecting victims to hacker-controlled websites that steal login credentials. The campaign could be used to access further government contacts or extract sensitive information and funds. It remains unclear how many individuals were targeted or whether the attackers are financially motivated or state-sponsored. This follows a broader trend of criminals using AI for fraud, extortion, and impersonation, as previously warned by the FBI.
Cyberattacks surge amid India-Pakistan clashes after strikes – Security Brief – 14 May 2025
Following renewed tensions between India and Pakistan, cyberattacks by hacktivist groups have escalated significantly. In anticipation of cyber reprisals, India temporarily blocked overseas access to the National Stock Exchange. Reports indicate that hacktivist campaigns targeting India have intensified, with groups like RipperSec, AnonSec, and Keymous+ leading the charge. These attacks have targeted government agencies, financial institutions, and telecommunications.
China cyberattacks targeting Taiwanese: MAC – Taipei Times – 7 May 2025
China is allegedly conducting large-scale cyberattacks against Taiwan, using spyware like "Badbazaar" and "Moonshine" to target devices of Taiwanese, Hong Kongers, Uighurs, Tibetans, and democracy advocates. The Mainland Affairs Council (MAC) cited a report by the British National Cyber Security Centre, which highlighted the spyware's ability to access geolocation data, cameras, and microphones. Hackers are spreading the spyware through popular apps like Line and Tibet One. The MAC urges people to download apps only from legitimate stores and check app authorisation settings.
Europol Shuts Down Six DDoS-for-Hire Services Used in Global Attacks – The Hacker News – 7 May 2025
Europol has announced the dismantling of six distributed denial of service (DDoS)-for-hire platforms, including cfxapi, cfxsecurity, neostress, jetstress, quickdown, and zapcut, used to launch thousands of cyber attacks globally. ‘Operation PowerOFF’ aims to shut down infrastructure facilitating DDoS-for-hire activity. These services allow users to pay as little as €10 to flood websites and servers with malicious traffic. Four suspects were arrested in Poland. The US seized nine domains. The platforms, disguised as stress-testing tools, enabled non-technical users to launch attacks easily.
France Blames Russia for Cyber Espionage Campaign Against Government – Cyber Insider – 1 May 2025
France has confirmed that APT28, the Russian military intelligence unit’s campaign, has been conducting cyber intrusions targeting French government institutions and critical sectors since at least 2021. This revelation supports France's recent accusations at the United Nations, escalating tensions with Moscow, which has denied the claims. The French Cybersecurity Agency (ANSSI) report details how the campaign exploited entities using techniques like zero-day exploits, brute-force attacks, and phishing campaigns. APT28 has targeted various sectors across Europe, including France's Defense Technological and Industrial Base. France's Digital Minister Jean-Noël Barrot linked APT28 to attacks on Macron’s 2017 election campaign and Olympic organisations for the Paris 2024 games.
Key contacts
Cameron Whittfield
Partner, Melbourne
Peter Jones
Partner, Head of TMT, Asia, Singapore
Heather Kelly
Senior Associate, Melbourne
Magdalena Blanch-de Wilt
Executive Counsel, Melbourne
Christine Wong
Partner, Sydney
Merryn Quayle
Managing Partner, Melbourne Office, Melbourne
Josh Kain
Foreign Law Clerk (Australia), New York
Kaman Tsoi
Special Counsel, Melbourne
Caitlyn Bellis
Senior Associate, Sydney