The most interesting cybercrime takedowns of 2025
How trusted insiders became one of the biggest cybersecurity threats of the year
Takeaways
- 2025's most notable cybercrime takedowns reveal a shift from external threats to malicious insiders as a major cybersecurity concern.
- Trusted employees with privileged access, including several high-profile examples in 2025, have exploited their positions to sell sensitive information to cybercriminals.
- Law enforcement efforts have been successful in arresting a number of prominent cybercriminals, but insider threats remain especially difficult to detect and prevent.
- Organizations must recognize that no employee is beyond suspicion and should strengthen internal security protocols to mitigate insider risks.
Every year seems to bring with it the next “biggest data breach in history.” But in an encouraging turn of events, more and more of the world’s most prolific attackers are being caught and arrested. 2024 saw a record-setting data breach that compromised over 2.9 billion sensitive files around the world, but it also saw the swift arrest of the person responsible, an attacker going by the alias USDoD. A new trend shows that data breaches from external threats might be the least of your worries, though.
Here’s the problem: the most interesting cyber takedowns of 2025 point to a more troubling trend. The most prominent individuals targeted by law enforcement this year aren’t malicious outsiders or nation-state actors. Instead, they’re insiders — trusted experts who have decided to forgo ethics and use their expertise to make money by breaking the law.
The inside man: Defense exec sold cyber secrets
Defense contractor L3Harris is worth $21 billion in revenue and employs nearly 50,000 people worldwide. They sell everything from autonomous undersea drones to satellite optics. Their cybersecurity division, Trenchant, specializes in developing penetration tools for the U.S. and allied governments. They’ve also learned a painful lesson: even the most trusted employees could be an insider threat.
Peter Williams, previously the general manager at Trenchant, recently pled guilty to selling sensitive material to nation-state actors, including the Russian government. This material consisted of eight previously unknown zero-day exploits, which would allow its owners to compromise and spy on systems such as smartphones and web browsers.
According to TechCrunch, Williams was able to use his “super user” clearance to access this material — which normally resided on secure, air-gapped systems — and then transfer it to a personal hard drive. After the organization was alerted that its code was being leaked, Williams was put in charge of the investigation and used this power to frame another employee.
This episode shows that in cybersecurity, there’s no such thing as an employee who can be considered beyond suspicion.
Ransomware negotiator turns threat actor
The rise of ransomware has led to a unique new job in the field of cybersecurity. Ransomware negotiators speak directly with ransomware attackers in the aftermath of a successful encryption. Their job is to try to reduce the overall ransom payment and, if necessary, obtain technical support to ensure smooth decryption and recovery of files.
Threat groups are strongly incentivized to work closely with negotiators. If they gain a reputation for being easy to do business with, then it’s more likely that their targets will pay a ransom. But what happens when a ransomware negotiator decides to work for the other side?
A recently unsealed grand jury indictment reveals that an incident response manager and a ransomware negotiator have been accused of using a malware strain known as ALPHV/BlackCat to target and extort victims. In one case, the collaborators successfully extorted a $1.3 million payment from a medical device manufacturer.
Although there’s no evidence that the negotiator used resources from his company to carry out attacks, the implication is troubling. The incident response manager in this case was inspired to commit ransomware attacks in order to get out of debt. What steps are being taken to prevent cybersecurity professionals from being lured to the dark side by big paychecks?
€300 million fraud ring taken down by international cooperation
In more hopeful news, a joint international operation recently took down a multinational credit card fraud ring that operated between 2016 and 2021. The group operated by setting up fake credit card subscriptions, each individually below €50 per month, eventually targeting 19 million customers in nearly every country on Earth.
The less hopeful news is that at least five of the 18 arrested suspects were employees and executives at major payment providers. These individuals exploited their knowledge of the systems they had access to so they could conceal fraudulent transactions, launder money and distribute their earnings via a series of shell companies.
It’s interesting to note the use of so-called “crime as a service” companies as part of the illegal operation. Although many of these organizations are set up to provide ransomware or denial-of-service attacks, the ones used in this scheme created difficult-to-trace financial networks as part of a turnkey operation. Setting up networks of shell companies made it nearly impossible for individual consumers to find out exactly where their money was going.
Was 2025 the year of the insider threat?
You may have noticed a throughline in the last three examples. In this year’s most prominent cyber takedowns, experienced information security professionals and payment industry experts collaborated with bad actors to make millions.
- Intelligence industry veterans conspired with Russian exploit brokers
- Ransomware negotiators conspired with ransomware-as-a-service operators
- Payment industry executives made use of professional money launderers
Why are so many security professionals suddenly switching sides? The answer is beyond the scope of this article (but I have an idea). Regardless, it speaks to the fact that even the most-trusted insider cannot be placed above suspicion. Now more than ever, companies need to implement access control and monitoring solutions that can flag the suspicious activity that marks insider threats.
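As an added illustration (not code from the original post or from any vendor mentioned here) of what such monitoring can look like, the following Python runs two checks over constructed audit events: flagging privileged accounts that move material from an isolated repository to removable media, and a separation-of-duties check that refuses to let someone who touched that material run the leak investigation. The source label `airgap-vault`, the device classes and the size threshold are assumptions.

```python
"""Toy insider-threat checks over constructed audit events (added example)."""
from dataclasses import dataclass

RESTRICTED_SOURCES = {"airgap-vault"}       # assumed label for the isolated repo
REMOVABLE_DESTS = {"usb", "external-hdd"}   # assumed removable-device classes


@dataclass(frozen=True)
class AuditEvent:
    user: str
    privileged: bool     # e.g. a "super user" clearance
    action: str          # "copy" or "delete"
    source: str
    dest: str
    size: int            # bytes moved


def flag_exfil(events, min_bytes=50_000_000):
    """Return (user, reason) pairs for restricted material leaving the repo."""
    hits = []
    for e in events:
        if (e.action == "copy" and e.source in RESTRICTED_SOURCES
                and e.dest in REMOVABLE_DESTS and e.size >= min_bytes):
            hits.append((e.user, "restricted->removable"))
        if e.action == "delete" and e.source in RESTRICTED_SOURCES and e.privileged:
            hits.append((e.user, "privileged delete in restricted repo"))
    return hits


def investigator_conflict(investigator, events):
    """Separation of duties: whoever runs a leak investigation must not be
    among the accounts that touched the restricted material."""
    touched = {e.user for e in events if e.source in RESTRICTED_SOURCES}
    return investigator in touched


# Constructed sample events; names and values are made up for this example.
EVENTS = [
    AuditEvent("alice", True, "copy", "airgap-vault", "external-hdd", 1_200_000_000),
    AuditEvent("bob", False, "copy", "build-server", "usb", 30_000_000),
    AuditEvent("alice", True, "delete", "airgap-vault", "", 0),
    AuditEvent("carol", False, "copy", "airgap-vault", "fileshare", 5_000),
]

if __name__ == "__main__":
    for user, reason in flag_exfil(EVENTS):
        print(f"ALERT {user}: {reason}")
    for name in ("alice", "carol", "dave"):
        print(f"{name} may lead investigation: {not investigator_conflict(name, EVENTS)}")
```

Only "alice" trips the exfil rules, but both "alice" and "carol" are excluded from leading the investigation because both accessed the restricted source.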
With Barracuda, you can help monitor your network for the kind of behavior that marks an insider turning rogue. Whether their account has been compromised or they’ve been lured by a bribe, Barracuda Managed XDR can help flag unexpected file transfers and deletions that can indicate the theft of critical IP or an attempt to cover a fraudulent transaction. Schedule a conversation with our experts and learn how you can avoid the next insider breach.