Mixed Cybersecurity Roundup: AI-Enabled Crypto Fraud, DDoS Campaigns, and 2026 Risk Predictions
Reporting in this set is not a single coherent incident; it is a mixed roundup dominated by (1) AI-enabled cryptocurrency fraud and (2) DDoS activity and botnet trends, alongside several forward-looking or non-incident items. Chainalysis-linked coverage describes industrialized crypto crime, including an estimate of $17B in 2025 crypto-scam losses and a sharp rise in AI-driven impersonation/deepfake tactics, with links to organized crime networks and forced-labor scam compounds in Cambodia and Myanmar; separate reporting notes a $26.44M theft from the Ethereum-based Truebit protocol, with Truebit urging users to avoid a compromised smart contract while investigations continue. In parallel, threat reporting highlights large-scale DDoS: Cloudflare’s mitigation of a 29.7 Tbps burst attributed to the AISURU botnet-for-hire (plus a 14.1 Bpps event and an estimated 1–4M infected hosts), and a concentrated NoName057(16)/DDoSia campaign against the UK (1,812 attack entries targeting 86 domains/87 IPs, heavily hitting government and some critical infrastructure, with port 443 most targeted). Spamhaus also reports a 24% increase in botnet C2 activity in 2H 2025, with RATs comprising a large share of top botnet-associated malware.
Several items are not incident-driven and should be treated as lower-signal for operational response: SC Media and Security Boulevard pieces largely provide 2026 predictions/opinion on agentic AI, non-human identities (NHIs), and deepfakes as governance/identity risks; Dark Reading and CIO discuss regulatory/compliance and IT leadership challenges; TechTarget lists 2026 conferences; and two Substack posts are general news roundup/essay content (one recounting lessons from Ukraine’s cyber conflict, including the Kyivstar destructive attack narrative). For CISOs, the actionable takeaways across the incident-focused items are: expect continued growth in AI-assisted social engineering and deepfake fraud impacting financial loss and brand trust; maintain smart-contract incident playbooks for rapid user guidance; and harden DDoS readiness (capacity planning, upstream mitigation, and monitoring) given both record-scale botnet bursts and geopolitically motivated DDoS targeting government and critical infrastructure.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Chainalysis published 2025 crypto fraud losses at an estimated $17 billion
On January 13, Chainalysis published research estimating that cryptocurrency scammers stole $17 billion through fraud in 2025. The report highlighted rapid growth in AI-enabled impersonation, deepfakes, phishing-as-a-service, and laundering networks supporting large-scale scams.
Truebit disclosed a $26.44 million cryptocurrency theft
Truebit reported that $26.44 million in cryptocurrency was stolen from its Ethereum-based verification protocol and said an investigation was underway. The company urged users to ignore a compromised smart contract, indicating the theft likely involved smart-contract compromise or abuse.
NoName057(16) concentrated a large DDoS campaign on the United Kingdom
During January 5–11, 2026, SOCRadar recorded 1,812 DDoS attack entries in a coordinated campaign attributed to NoName057(16) and its DDoSia project. The United Kingdom accounted for 85.2% of observed attacks, with UK government, transport, financial, and telecom targets heavily affected.
December 2025 saw multiple major cyber incidents, including a 29.7 Tbps DDoS attack
A roundup of major December 2025 incidents said Cloudflare mitigated a record 29.7 Tbps DDoS burst attributed to the AISURU botnet. The same period also included major data leaks, vendor-related downstream exposures, active exploitation of React2Shell flaws, and notable crypto theft incidents.
Spamhaus observed botnet C&C activity rise 24% in H2 2025
Spamhaus reported that botnet command-and-control activity increased by 24% from July through December 2025. Its update also said RATs accounted for 42% of the top 20 malware families tied to botnets and highlighted a major surge in C&C domains at a Russia-based registrar.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
5 references tracked. Mallory keeps watching after this page renders.
AI-Powered Crypto Scams Drive Record $17B in Losses in 2025 - TechRepublic
techrepublic.com
Open sourceDecember 2025: Coupang & WIRED Data Leaks, Record DDoS, React2Shell Exploitation
socradar.io
Open sourceUnited Kingdom Under DDoS Siege: Weekly DDoS Threat Intelligence Analysis
socradar.io
Open sourceBotnet Threat Update July to December 2025
securityboulevard.com
Open sourceOver $26M drained from Truebit protocol
scworld.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Predictions and guidance on AI-driven cyber risk and emerging threats in 2026
Commentary from *Dark Reading* and the *Resilient Cyber* newsletter highlights **agentic AI** and broader **AI-enabled social engineering (including deepfakes)** as growing enterprise attack-surface concerns heading into 2026, alongside continued emphasis on fundamentals like vulnerability management. A *Dark Reading* readership poll framed agentic AI as the most likely major security trend for 2026, reflecting expectations that increasingly autonomous systems will become attractive targets and/or tools for cybercrime. A separate *Dark Reading* “Reporters’ Notebook” discussion urged security leaders to prioritize practical steps for 2026, including improving resilience against **phishing/social engineering**, accelerating **patching**, and preparing for **quantum-era cryptography** transitions. The *Resilient Cyber* newsletter echoed the “inflection point” theme for operationalizing AI security, citing model-provider discussions (e.g., OpenAI’s Cyber Preparedness Framework and Anthropic’s reporting on abuse) and arguing that defenders will need to adopt AI capabilities to keep pace with attackers, while acknowledging that guardrails can be bypassed and that AI-driven fraud (e.g., deepfake phishing) is already a near-term risk.
Mar 21, 2026
AI-driven shifts in cybersecurity: agentic AI risks, AI-assisted offensive tradecraft, and evolving cybercriminal ecosystems
Security reporting and research highlighted how **AI and automation are reshaping both attacker tradecraft and defender operations**, while introducing new enterprise risk. ZDNET described research findings that **agentic AI implementations** from *ServiceNow* and *Microsoft* can be **exploitable**, warning that broadly permissioned agents could enable **lateral movement and privilege escalation** across systems of record if an attacker compromises an agent or chains between agents with different access levels; a **least-privilege** posture for agents was emphasized. Dark Reading separately reported that **AI agents are increasingly augmenting—and in some cases supplanting—human penetration testing** for “low-hanging” vulnerabilities, but that **false positives and the need for human oversight** remain material constraints as agentic testing matures. Threat-intelligence coverage also underscored the **industrialization of cybercrime** and the ecosystems enabling it. CloudSEK detailed the evolution of the English-speaking cybercriminal milieu known as **“The COM,”** tracing its roots in OG-handle trading communities and forum migrations into a service-oriented underground linked to groups such as **Lapsus$**, **ShinyHunters**, **Scattered Spider (UNC3944)**, and **Silent Ransom Group**, and associated activity spanning breaches, extortion, SIM swapping, ransomware, and crypto fraud. SC Media’s commentary similarly described a cyber underground where criminals can readily buy capabilities (credentials, tooling, automation), calling out techniques including **carding** and **ClickFix** social engineering that tricks users into running copied commands to install infostealers. Separately, Dark Reading reported allegations that the **Chronus Group** posted **2.3TB** of purported Mexican government data affecting up to **36 million** people, while Mexico’s **ATDT** disputed it as largely **repackaged data from prior breaches** and said no new sensitive accounts were identified and that impacted systems were primarily **obsolete, third-party-administered** state-level platforms.
Mar 21, 2026
Annual threat reports highlight faster intrusions and expanding cloud-focused attacker activity
CrowdStrike’s 2025 global threat reporting says financially motivated intrusions are accelerating, with **average breakout time** (lateral movement after initial access) dropping to **29 minutes** and the fastest observed breakout time at **27 seconds**; the report also describes attackers increasingly using **social engineering**, **living-off-the-land** techniques, and abuse of **trusted systems** to move across *cloud, identity, enterprise,* and unmanaged device boundaries, alongside a reported **37% year-over-year increase** in cloud-focused attacks and a growing set of tracked adversaries (281 named groups plus additional activity clusters). Check Point Research’s 2025 retrospective similarly emphasizes that many 2025 operations relied on **familiar techniques combined in new ways**, highlighting themes such as early **ToolShell** exploitation assessed as Chinese-nexus activity against North American government targets and **identity-centric** intrusions (including **AiTM** credential theft) against US think-tank researchers. Several other items in the set are not about these annual threat-report findings and instead cover separate topics: Romania’s cyber chief warning that ransomware incidents against critical infrastructure may align with **Russian hybrid objectives**; sector-level reporting that **manufacturing** remains heavily targeted by ransomware due to IT/OT interconnectivity and downtime pressure; and US law-enforcement/FBI reporting on a surge in **ATM jackpotting** losses and related indictments. Additional entries are primarily **generic commentary, newsletters, or professional/educational content** (e.g., quantum-preparedness opinion, Enigma/RSAC history piece, a weekly video briefing, a malware-newsletter link roundup, a recon how-to article, and a governance/career feature page) and do not substantively corroborate the specific annual threat-report story.
Mar 24, 2026