These are the cybersecurity stories we were jealous of in 2025


It’s the end of the year. That means it’s time for us to celebrate the best cybersecurity stories we didn’t publish. Since 2023, TechCrunch has looked back at the best stories across the board from the year in cybersecurity.

If you’re not familiar, the idea is simple. There are now dozens of journalists who cover cybersecurity in the English language. There are a lot of stories about cybersecurity, privacy, and surveillance that are published every week. And a lot of them are great, and you should read them. We’re here to recommend the ones we liked the most, so keep in mind that it’s a very subjective and, at the end of the day, incomplete list.

Anyway, let’s get into it. — Lorenzo Franceschi-Bicchierai.

Shane Harris described how he cultivated a senior Iranian hacker as a source, who was then killed

Every once in a while, there’s a hacker story that as soon as you start reading, you think it could be a movie or a TV show. This is the case with Shane Harris’ very personal story of his months-long correspondence with a top Iranian hacker.

In 2016, The Atlantic’s journalist made contact with a person claiming to work as a hacker for Iran’s intelligence, where he claimed to have worked on major operations, such as the downing of an American drone and the now-infamous hack against oil giant Saudi Aramco, where Iranian hackers wiped the company’s computers. Harris was rightly skeptical, but as he kept talking to the hacker, who eventually revealed his real name to him, Harris started to believe him. When the hacker died, Harris was able to piece together the real story, which somehow turned out to be more incredible than the hacker had led Harris to believe.

The gripping story is also a great behind-the-scenes look at the challenges cybersecurity reporters face when dealing with sources claiming to have big stories to share.

The Washington Post revealed a secret order demanding Apple let U.K. officials spy on users’ encrypted data

In January, the U.K. government secretly issued Apple with a court order demanding that the company must build a backdoor so police can access iCloud data of any customer in the world. Due to a worldwide gag order, it was only because The Washington Post broke the news that we learned the order existed to begin with. The demand was the first of its kind, and — if successful — would be a major defeat for tech giants who have spent the past decade locking themselves out of their users’ own data so they can’t be compelled to provide it to governments.

Apple subsequently stopped offering its opt-in end-to-end encrypted cloud storage to its customers in the U.K. in response to the demand. But by breaking the news, the secret order was thrust into the public eye and allowed both Apple and critics to scrutinize U.K. surveillance powers in a way that hasn’t been tested in public before. The story sparked a months-long diplomatic row between the U.K. and the United States, prompting Downing Street to drop the request — only to try again several months later.

‘The Trump Administration accidentally texted me its war plans’ by The Atlantic is this year’s best headline

This story was the kind of fly-on-the-wall access that some reporters would dream of, but The Atlantic’s editor-in-chief got to play out in real-time after he was unwittingly added to a Signal group of senior U.S. government officials by a senior U.S. government official discussing war plans from their cell phones.

Image: “I will say a prayer for victory.” Caption: “We are currently clean on OPSEC,” said Secretary of Defense Pete Hegseth. They were not. Image Credit: The Atlantic (Screenshot)

Reading the discussion about where U.S. military forces should drop bombs — and then seeing news reports of missiles hitting the ground on the other side of the world — was confirmation that Jeffrey Goldberg needed to know that he was, as he suspected, in a real chat with real Trump administration officials, and this was all on-the-record and reportable.

And so he did, paving the way for a months-long investigation (and critique) of the government’s operational security practices, in what was called the biggest government opsec mistake in history. The unraveling of the situation ultimately exposed security lapses involving the use of a knock-off Signal clone that further jeopardized the government’s ostensibly secure communications.

Brian Krebs tracked down a prolific hacker group admin as a Jordanian teenager

Brian Krebs is one of the more seasoned cybersecurity reporters out there, and for years he has specialized in following online breadcrumbs that lead to him revealing the identity of notorious cybercriminals. In this case, Krebs was able to find the real identity behind a hacker’s online handle Rey, who is part of the notorious advanced persistent teenagers’ cybercrime group that calls itself Scattered LAPSUS$ Hunters.

Krebs’ quest was so successful that he was able to talk to a person very close to the hacker — we won’t spoil the full article here — and then the hacker himself, who confessed to his crimes and claimed he was trying to escape the cybercriminal life.

Independent media outlet 404 Media has accomplished more impact journalism this year than most mainstream outlets with vastly more resources. One of its biggest wins was exposing and effectively shuttering a massive air travel surveillance system tapped by federal agencies and operating in plain sight.

404 Media reported that a little-known data broker set up by the airline industry called the Airlines Reporting Corporation was selling access to 5 billion plane tickets and travel itineraries, including names and financial details of ordinary Americans, allowing government agencies like ICE, the State Department, and the IRS to track people without a warrant.

ARC, owned by United, American, Delta, Southwest, JetBlue, and other airlines, said it would shut down the warrantless data program following 404 Media’s months-long reporting and intense pressure from lawmakers.

Wired made the 3D-printed gun that Luigi Mangione allegedly used to kill a healthcare executive to test the legalities of ‘ghost guns’

The killing of UnitedHealthcare CEO Brian Thompson in December 2024 was one of the biggest stories of the year. Luigi Mangione, the main suspect in the killing, was soon after arrested and indicted on charges of using a “ghost gun,” a 3D-printed firearm that had no serial numbers and was built in private without a background check — effectively a gun that the government has no idea exists.

Wired, using its past reporting experience on 3D-printed weaponry, sought to test how easy it would be to build a 3D-printed gun, while navigating the patchwork legal (and ethical) landscape. The reporting process was exquisitely told, and the video that goes along with the story is both excellent and chilling.

NPR detailed a federal whistleblower’s account of how DOGE took sensitive government data, and the threats he faced

DOGE, or the Department of Government Efficiency, was one of the biggest running stories of the year, as the gang of Elon Musk’s lackeys ripped through the federal government, tearing down security protocols and red tape, as part of the mass-grab of citizens’ data. NPR had some of the best investigative reporting uncovering the resistance movement of federal workers trying to prevent the pilfering of the government’s most sensitive data.

In one story detailing a whistleblower’s official disclosure as shared with members of Congress, a senior IT worker in the National Labor Relations Board told lawmakers that as he was seeking help investigating DOGE’s activity, he “found a printed letter in an envelope taped to his door, which included threatening language, sensitive personal information and overhead pictures of him walking his dog, according to the cover letter attached to his official disclosure.”

Mother Jones found an exposed dataset of tracked surveillance victims, including world leaders, a Vatican enemy, and maybe you

Any story that starts with a journalist saying they found something that made them “feel like shitting my pants,” you know it’s going to be a fun read. Gabriel Geiger found a dataset from a mysterious surveillance company called First Wap, which contained records on thousands of people from around the world whose phone locations had been tracked.

The dataset, spanning 2007 through 2015, allowed Geiger to identify dozens of high-profile people whose phones were tracked, including a former Syrian first lady, the head of a private military contractor, a Hollywood actor, and an enemy of the Vatican. This story explored the shadowy world of phone surveillance by exploiting Signalling System No. 7, or SS7, an obscurely named protocol long known to allow malicious tracking.

Wired reported on the investigation behind a string of ‘swatting’ attacks on hundreds of schools nationwide

Swatting has been a problem for years. What started as a bad joke has become a real threat, which has resulted in at least one death. Swatting is a type of hoax where someone — often a hacker — calls the emergency services and tricks the authorities into sending an armed SWAT team to the home of the hoaxer’s target, often pretending to be the target themselves, and pretending they are about to commit a violent crime.

In this feature, Wired’s Andy Greenberg put a face on the many characters who are part of these stories such as the call operators who have to deal with this problem. And he also profiled a prolific swatter, known as Torswats, who for months tormented the operators and schools all over the country with fake — but highly believable — threats of violence, as well as a hacker who took it upon himself to track Torswats down.
