From a flurry of attacks targeting UK retailers to campaigns corralling end-of-life routers into botnets, it's a wrap on another month filled with impactful cybersecurity news
# Industry News: May 2025 Spotlight on Retail Attacks, BEC Dominance, and Router Botnets
## Summary
May 2025 saw significant cybersecurity activity centred on attacks against the retail sector, notably the Scattered Spider group extending its targeting from UK retailers to US companies. Industry reporting shows Business Email Compromise (BEC) and fund transfer fraud accounting for 60% of cyber insurance claims, while major incidents such as the Coinbase breach signal substantial financial exposure. Law-enforcement and manufacturer attention is also being drawn to widespread malware that enlists end-of-life routers into botnets.
## Key Details
- Date: Throughout May 2025 (Reporting period)
- Organizations and Actors Involved: ESET, Google, Marks & Spencer (M&S), Coalition, FBI, Coinbase; threat group Scattered Spider.
- Category: Threat Landscape Analysis / Major Incident Reporting
## The Story
ESET Chief Security Evangelist Tony Anscombe highlighted several critical security events from May 2025. A major focus was the activity of the hacking group Scattered Spider, which, after targeting UK retailers (leading to customer data theft at Marks & Spencer and a temporary halt to its online orders), turned to US organizations, as warned by Google. Concurrently, cyber-insurance data from Coalition indicated that BEC and Fund Transfer Fraud (FTF) were the dominant claim types (60% of claims last year), though ransomware remained the most disruptive. The FBI also issued a warning about malware aggressively enlisting end-of-life routers into botnets. Finally, Coinbase disclosed a cyberattack involving stolen customer account data that it estimated could cost the company up to $400 million.
## Business Impact
### For the Companies Involved
- **Marks & Spencer (M&S):** Suffered customer data theft and significant operational disruption (stopping online orders), requiring immediate remediation and rebuilding customer trust.
- **Coinbase:** Facing substantial financial loss (up to $400M) due to the breach, impacting investor confidence and likely triggering significant security investment post-incident.
- **Coalition (and similar insurers):** Their data confirms escalating risks associated with socio-technical attacks like BEC, which will inform future underwriting strategies and premium adjustments.
### For Competitors
- Competitors of M&S may see a temporary boost in Q2 sales if customer confidence shifts away from the breached retailer.
- Competitors of Coinbase will face increased scrutiny from their customers and investors regarding their own security maturity, potentially leading to competitive pressure to demonstrate resilience.
- Cybersecurity vendors specializing in endpoint protection and network edge security stand to gain as organizations re-evaluate their exposure to botnet recruitment and perimeter device compromise.
### For Customers
- Retail customers face continued risks of data exposure, emphasizing the need for strong password hygiene and account monitoring, particularly as attackers shift focus geographically (UK to US).
- Coinbase customers need to be vigilant, given the scale of the reported data theft.
### For the Market
- The dominance of BEC in insurance claims signals that social engineering, rather than technical exploitation, remains the most frequently successful route to immediate financial gain across the corporate landscape.
- Increased focus on end-of-life hardware highlights a lifecycle and patching gap that ISPs and enterprises must address: devices that no longer receive vendor fixes cannot be remediated, only isolated or replaced, which is likely to drive demand for network monitoring and hardware lifecycle management services.
## Technical Implications
The report touches on two key technical threats:
1. **Social Engineering-Led Intrusion and Extortion:** Implied by the success of Scattered Spider against major retailers, whose tradecraft centres on human-driven social engineering rather than novel exploits.
2. **IoT/Network Device Hijacking:** The focus on end-of-life routers demonstrates attackers exploiting known CVEs on unmaintained devices to build resilient, large-scale botnets for future distributed attacks.
## Strategic Analysis
- Market Positioning: The data reconfirms the polarized landscape: ransomware remains the highest impact threat, but volume and frequency are driven by financial crimes like BEC, requiring security strategies to balance defense against large-scale destruction versus targeted financial theft.
- Competitive Advantage: Companies that harden their payment authorization processes (out-of-band verification of payment requests and bank-detail changes, reducing BEC/FTF exposure) and aggressively manage the lifecycle of network edge devices will gain a significant advantage in customer and partner trust during 2025.
- Challenges: Organizations face the dual challenge of defending against highly sophisticated, human-driven social engineering groups (like Scattered Spider) and managing large fleets of legacy, unpatchable hardware.
## Industry Reactions
- Analyst consensus will likely focus on the geographic shift in retailer targeting (UK to US) by an established threat actor, viewing it as an expansion of campaign reach.
- Security experts will emphasize that the Coalition data solidifies the ROI case for advanced email security gateways and robust employee training programs aimed at countering BEC.
## Future Outlook
- We can expect heightened vigilance from US retailers as Scattered Spider activity increases, possibly leading to increased spending on third-party penetration testing focused on supply chain partners and remote access points.
- Expect regulatory bodies to issue clearer guidance or mandates on the secure decommissioning and replacement of internet-facing, end-of-life networking equipment, since such devices can no longer be patched.
## For Security Professionals
Security teams must immediately review incident response plans for retail environments, prioritizing multi-factor authentication (MFA) across all payment and customer service portals; given Scattered Spider's reliance on social engineering, that means phishing-resistant MFA and strict identity verification for help-desk password and MFA resets. Professionals managing network infrastructure must conduct immediate audits of all internet-facing routers, isolating any end-of-life devices covered by the FBI warning and replacing them, since devices without vendor support cannot be patched; for supported devices, disable WAN-side administration and apply current firmware.
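One way to run the router audit described above as a repeatable triage step, added here as an illustration (this is not code from ESET, the FBI or the article): reconcile a device inventory against a vendor end-of-life table, then rank each device by whether it is end-of-life and whether its admin interface is reachable from the WAN. The vendor names, models, EOL dates and the CSV inventory are constructed placeholders for the example, not the models named in the FBI warning; in practice the table is populated from the vendors' published EOL notices and the inventory from your CMDB or provisioning system.

```python
import csv
import io
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Hypothetical vendor end-of-life (EOL) table keyed by (vendor, model).
# Constructed for illustration; these are not the models named in the FBI
# warning. Populate it from your vendors' published EOL/EOS notices.
EOL_TABLE = {
    ("acme", "edge-1000"): date(2021, 6, 30),
    ("acme", "edge-2000"): date(2024, 12, 31),
    ("globex", "gw-10"): date(2026, 1, 1),
}

# Firmware older than this many days is treated as "check for a newer release"
# even when the model is still within support.
STALE_FIRMWARE_DAYS = 730

# Constructed inventory export: hostname, vendor, model, release date of the
# running firmware, and whether the admin interface (HTTP/SSH) answers on the
# WAN side. Sample data only.
INVENTORY_CSV = """hostname,vendor,model,firmware_date,wan_admin
br-01,Acme,EDGE-1000,2019-03-01,yes
br-02,Acme,EDGE-2000,2024-10-15,no
br-03,Globex,GW-10,2025-02-10,yes
br-04,Globex,GW-10,2025-02-10,no
lab-01,Initech,R900,2022-01-05,no
"""

AS_OF = date(2025, 5, 31)  # fixed reference date so results are reproducible


@dataclass
class Router:
    hostname: str
    vendor: str
    model: str
    firmware_date: date
    wan_admin: bool


@dataclass
class Finding:
    hostname: str
    priority: int  # 1 = isolate now ... 4 = no action
    reason: str
    action: str


def parse_inventory(text: str) -> list[Router]:
    """Parse the CSV export; vendor/model are normalised to lower case for lookup."""
    rows = csv.DictReader(io.StringIO(text))
    return [
        Router(
            hostname=r["hostname"],
            vendor=r["vendor"].strip().lower(),
            model=r["model"].strip().lower(),
            firmware_date=date.fromisoformat(r["firmware_date"]),
            wan_admin=r["wan_admin"].strip().lower() in ("yes", "true", "1"),
        )
        for r in rows
    ]


def assess(router: Router, as_of: date = AS_OF) -> Finding:
    """Rank one device: EOL status first, then WAN exposure, then firmware age."""
    eol: Optional[date] = EOL_TABLE.get((router.vendor, router.model))
    is_eol = eol is not None and eol <= as_of
    stale = (as_of - router.firmware_date).days > STALE_FIRMWARE_DAYS
    h = router.hostname
    if is_eol and router.wan_admin:
        return Finding(h, 1, f"end-of-life since {eol} and admin interface on WAN",
                       "block inbound WAN access now; replace the device")
    if is_eol:
        return Finding(h, 2, f"end-of-life since {eol}",
                       "schedule replacement; keep it off the WAN edge until then")
    if router.wan_admin:
        return Finding(h, 2, "admin interface reachable from WAN",
                       "disable WAN-side administration; manage only from LAN/VPN")
    if eol is None:
        return Finding(h, 3, "model not in EOL table",
                       "confirm support status with the vendor")
    if stale:
        return Finding(h, 3, f"firmware released {router.firmware_date}, "
                             f"older than {STALE_FIRMWARE_DAYS} days",
                       "check for a newer vendor release")
    return Finding(h, 4, "supported, current firmware, not exposed", "no action")


def audit(routers: list[Router], as_of: date = AS_OF) -> list[Finding]:
    """Assess every router and return findings, most urgent first."""
    return sorted((assess(r, as_of) for r in routers),
                  key=lambda f: (f.priority, f.hostname))


if __name__ == "__main__":
    for f in audit(parse_inventory(INVENTORY_CSV)):
        print(f"P{f.priority} {f.hostname:8} {f.reason}: {f.action}")
```

Two design points: a device that is end-of-life is never told to "update", because no fix will arrive, so the only actions offered are isolation and replacement; and a device missing from the EOL table is flagged for confirmation rather than assumed supported, since an unknown model is usually one that was forgotten, not one that was checked.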