Mixed Cybersecurity Roundup: AI-Enabled Crypto Fraud, DDoS Campaigns, and 2026 Risk Predictions
The reporting in this set does not describe a single coherent incident; it is a mixed roundup dominated by (1) AI-enabled cryptocurrency fraud and (2) DDoS activity and botnet trends, alongside several forward-looking or non-incident items. Chainalysis-linked coverage describes industrialized crypto crime, including an estimate of $17B in 2025 crypto-scam losses and a sharp rise in AI-driven impersonation/deepfake tactics, with links to organized crime networks and forced-labor scam compounds in Cambodia and Myanmar; separate reporting notes a $26.44M theft from the Ethereum-based Truebit protocol, with Truebit urging users to avoid a compromised smart contract while investigations continue. In parallel, threat reporting highlights large-scale DDoS: Cloudflare’s mitigation of a 29.7 Tbps burst attributed to the AISURU botnet-for-hire (plus a 14.1 Bpps event and an estimated 1–4M infected hosts), and a concentrated NoName057(16)/DDoSia campaign against the UK (1,812 attack entries targeting 86 domains/87 IPs, heavily hitting government and some critical infrastructure, with port 443 the most targeted). Spamhaus also reports a 24% increase in botnet C2 activity in 2H 2025, with RATs comprising a large share of the top botnet-associated malware.
Several items are not incident-driven and should be treated as lower-signal for operational response: SC Media and Security Boulevard pieces largely provide 2026 predictions/opinion on agentic AI, non-human identities (NHIs), and deepfakes as governance/identity risks; Dark Reading and CIO discuss regulatory/compliance and IT leadership challenges; TechTarget lists 2026 conferences; and two Substack posts are general news roundup/essay content (one recounting lessons from Ukraine’s cyber conflict, including the Kyivstar destructive attack narrative). For CISOs, the actionable takeaways across the incident-focused items are: expect continued growth in AI-assisted social engineering and deepfake fraud impacting financial loss and brand trust; maintain smart-contract incident playbooks for rapid user guidance; and harden DDoS readiness (capacity planning, upstream mitigation, and monitoring) given both record-scale botnet bursts and geopolitically motivated DDoS targeting government and critical infrastructure.
Timeline
Jan 13, 2026
Chainalysis published 2025 crypto fraud losses at an estimated $17 billion
On January 13, Chainalysis published research estimating that cryptocurrency scammers stole $17 billion through fraud in 2025. The report highlighted rapid growth in AI-enabled impersonation, deepfakes, phishing-as-a-service, and laundering networks supporting large-scale scams.
Jan 12, 2026
Truebit disclosed a $26.44 million cryptocurrency theft
Truebit reported that $26.44 million in cryptocurrency was stolen from its Ethereum-based verification protocol and said an investigation was underway. The company urged users to ignore a compromised smart contract, indicating the theft likely involved smart-contract compromise or abuse.
Jan 5, 2026
NoName057(16) concentrated a large DDoS campaign on the United Kingdom
During January 5–11, 2026, SOCRadar recorded 1,812 DDoS attack entries in a coordinated campaign attributed to NoName057(16) and its DDoSia project. The United Kingdom accounted for 85.2% of observed attacks, with UK government, transport, financial, and telecom targets heavily affected.
Dec 31, 2025
December 2025 saw multiple major cyber incidents, including a 29.7 Tbps DDoS attack
A roundup of major December 2025 incidents said Cloudflare mitigated a record 29.7 Tbps DDoS burst attributed to the AISURU botnet. The same period also included major data leaks, vendor-related downstream exposures, active exploitation of React2Shell flaws, and notable crypto theft incidents.
Dec 31, 2025
Spamhaus observed botnet C&C activity rise 24% in H2 2025
Spamhaus reported that botnet command-and-control activity increased by 24% from July through December 2025. Its update also said RATs accounted for 42% of the top 20 malware families tied to botnets and highlighted a major surge in C&C domains at a Russia-based registrar.
Related Stories

Predictions and guidance on AI-driven cyber risk and emerging threats in 2026
Commentary from *Dark Reading* and the *Resilient Cyber* newsletter highlights **agentic AI** and broader **AI-enabled social engineering (including deepfakes)** as growing enterprise attack-surface concerns heading into 2026, alongside continued emphasis on fundamentals like vulnerability management. A *Dark Reading* readership poll framed agentic AI as the most likely major security trend for 2026, reflecting expectations that increasingly autonomous systems will become attractive targets and/or tools for cybercrime. A separate *Dark Reading* “Reporters’ Notebook” discussion urged security leaders to prioritize practical steps for 2026, including improving resilience against **phishing/social engineering**, accelerating **patching**, and preparing for **quantum-era cryptography** transitions. The *Resilient Cyber* newsletter echoed the “inflection point” theme for operationalizing AI security, citing model-provider discussions (e.g., OpenAI’s Cyber Preparedness Framework and Anthropic’s reporting on abuse) and arguing that defenders will need to adopt AI capabilities to keep pace with attackers, while acknowledging that guardrails can be bypassed and that AI-driven fraud (e.g., deepfake phishing) is already a near-term risk.
AI-driven shifts in cybersecurity: agentic AI risks, AI-assisted offensive tradecraft, and evolving cybercriminal ecosystems
Security reporting and research highlighted how **AI and automation are reshaping both attacker tradecraft and defender operations**, while introducing new enterprise risk. ZDNET described research findings that **agentic AI implementations** from *ServiceNow* and *Microsoft* can be **exploitable**, warning that broadly permissioned agents could enable **lateral movement and privilege escalation** across systems of record if an attacker compromises an agent or chains between agents with different access levels; a **least-privilege** posture for agents was emphasized. Dark Reading separately reported that **AI agents are increasingly augmenting, and in some cases supplanting, human penetration testing** for “low-hanging” vulnerabilities, but that **false positives and the need for human oversight** remain material constraints as agentic testing matures.

Threat-intelligence coverage also underscored the **industrialization of cybercrime** and the ecosystems enabling it. CloudSEK detailed the evolution of the English-speaking cybercriminal milieu known as **“The COM,”** tracing its roots in OG-handle trading communities and forum migrations into a service-oriented underground linked to groups such as **Lapsus$**, **ShinyHunters**, **Scattered Spider (UNC3944)**, and **Silent Ransom Group**, and associated activity spanning breaches, extortion, SIM swapping, ransomware, and crypto fraud. SC Media’s commentary similarly described a cyber underground where criminals can readily buy capabilities (credentials, tooling, automation), calling out techniques including **carding** and **ClickFix** social engineering that tricks users into running copied commands to install infostealers.
Separately, Dark Reading reported allegations that the **Chronus Group** posted **2.3TB** of purported Mexican government data affecting up to **36 million** people, while Mexico’s **ATDT** disputed it as largely **repackaged data from prior breaches** and said no new sensitive accounts were identified and that impacted systems were primarily **obsolete, third-party-administered** state-level platforms.
Annual threat reports highlight faster intrusions and expanding cloud-focused attacker activity
CrowdStrike’s 2025 global threat reporting says financially motivated intrusions are accelerating, with **average breakout time** (lateral movement after initial access) dropping to **29 minutes** and the fastest observed breakout time at **27 seconds**; the report also describes attackers increasingly using **social engineering**, **living-off-the-land** techniques, and abuse of **trusted systems** to move across *cloud, identity, enterprise,* and unmanaged device boundaries, alongside a reported **37% year-over-year increase** in cloud-focused attacks and a growing set of tracked adversaries (281 named groups plus additional activity clusters). Check Point Research’s 2025 retrospective similarly emphasizes that many 2025 operations relied on **familiar techniques combined in new ways**, highlighting themes such as early **ToolShell** exploitation assessed as Chinese-nexus activity against North American government targets and **identity-centric** intrusions (including **AiTM** credential theft) against US think-tank researchers.

Several other items in the set are not about these annual threat-report findings and instead cover separate topics: Romania’s cyber chief warning that ransomware incidents against critical infrastructure may align with **Russian hybrid objectives**; sector-level reporting that **manufacturing** remains heavily targeted by ransomware due to IT/OT interconnectivity and downtime pressure; and US law-enforcement/FBI reporting on a surge in **ATM jackpotting** losses and related indictments. Additional entries are primarily **generic commentary, newsletters, or professional/educational content** (e.g., quantum-preparedness opinion, an Enigma/RSAC history piece, a weekly video briefing, a malware-newsletter link roundup, a recon how-to article, and a governance/career feature page) and do not substantively corroborate the specific annual threat-report story.