
September 2025 brought another round of concerning cybersecurity developments, though also some good news showing government agencies and even a few technology enterprises demonstrating their ability to fight back against hackers. This included major takedowns and penalties against serious cybercrime networks and their affiliates, though also signs of renewed activity by some of the more infamous malicious actors even in the face of increased legal scrutiny. This month’s recap by SWK Technologies covers some of the top headlines among these stories:
Microsoft and Cloudflare Help Take Down Phishing Sites
In a coordinated effort with law enforcement, security investigators from Microsoft and Cloudflare managed to seize over 300 domains used by the infamous cybercriminal group RaccoonO365 for its phishing-as-a-service (PhaaS) toolkit. Between September 2 and September 8, the teams from both companies worked to remove access from the accounts managing the fraudulent websites and quarantine them to prevent any further victims from being ensnared, which also included disabling a Cloudflare script on each page that helped the sites appear legitimate, among other things. The PhaaS operation was advertised to other hackers as a sophisticated method for entrapping Microsoft 365 users, offering a subscription model charging about $11 a day for 30-to-90-day periods. Microsoft claims that it was able to track down RaccoonO365 through an “operational security lapse” that exposed the cryptocurrency wallet of the group’s accused leader.
FBI Warns Salesforce Users Under Attack Again
The FBI’s Cyber Division released an emergency announcement on September 12, 2025, warning Salesforce customers of two new campaigns that were uncovered targeting customers of the CRM software, both directly and by exploiting an integration with Salesloft Drift. This comes after another campaign earlier in the year that saw the ShinyHunters group also successfully breach the Salesforce environments of multiple victims in August, including those of several major enterprises – it is thought that those same perpetrators were one of many groups involved in this latest effort. This last point reflects a growing trend among the various cybercriminal collectives, where different affiliates pool resources and information, and coordinate on attacks, effectively forming hacker “supergroups” to boost their effectiveness.
U.S. Treasury Sanctions Members of Major Cyber Scam Network
On September 8, 2025, the Department of the Treasury’s Office of Foreign Assets Control (OFAC) announced it would sanction 19 entities and individuals across Southeast Asia for operating cyber scam networks that cost Americans over $10 billion in 2024. The sanctions target larger-scale scam centers clustered in Burma, Cambodia and other nations within the region that used methods including forced labor and violence to compel their victims into conducting romance and investment scams to defraud people across the U.S., China and Europe. Per the Treasury’s release, several of the organizations and individuals being sanctioned have ties to broader criminal groups and even national institutions across Asia, and are involved in wide-scale money laundering operations for various organized crime networks, paramilitary organizations and government officials in North Korea, Cambodia and Burma.
Google Hack May Have Exposed FBI eCheck System
After members of the supposedly defunct LAPSUS$ hacker collective claimed to have breached the Law Enforcement Request System (LERS) platform run by Google, Alphabet confirmed that it had indeed discovered a fraudulent account within the LERS portal, though it claimed that “no data was accessed” in response to inquiries by Bleeping Computer. Though the account was quickly removed upon discovery, the group posted screenshots showing the extent of their access and demonstrating their ability to leverage the surveillance tools and data hosted on the portal for their own ends. The platform is used by multiple law enforcement agencies and includes access to the FBI’s eCheck system, which also contains significant personal information in addition to allowing accounts to interact with data from multiple past and ongoing legal cases.
Two Arrested from Resurgent Hacker Group Targeting Finance, Retail & Others
Scattered Spider, one of several groups within a cybercrime collective that had previously claimed it was “going dark” due to increased scrutiny from law enforcement, was found by cybersecurity researchers to still be actively targeting an American bank alongside other businesses across different industries. These attacks seem to be part of the same overlapping campaigns that were responsible for the Salesforce and Google breaches mentioned earlier in this article, and seem to still be ongoing in some capacity despite the “retirement” claims. However, both U.S. and UK authorities have officially charged two alleged members of the group for past cyber extortion crimes as part of a wider effort to bring the larger organization to justice, which may be tied to the gang’s attempts to go “silent” amidst the legal pressure.
Hacker Forum Owner Resentenced to 3 Years
Conor Fitzpatrick, founder of the BreachForums cybercrime marketplace, was resentenced to three years in prison after an appeals court vacated his original sentence of time served and 20 years of supervised release. The resentencing came after prosecutors successfully argued that the scope and damage of Fitzpatrick’s crimes warranted a longer sentence, and that he had violated the previous terms of his parole. BreachForums served as a major hub for cybercriminal activity, including facilitating the exchange of stolen data, malware and explicit media of minors, before law enforcement arrested Fitzpatrick and took control of over 100 domains he used to run the illicit marketplace. The collective that includes ShinyHunters, Scattered Spider and the remnants of LAPSUS$ is believed to have taken over running BreachForums and its successors, though in the midst of their supposed retirement, it is unclear whether the group is still operating the marketplace behind the scenes or has allowed others to fill the vacuum.
Learn More About the Latest Cybersecurity Topics with SWK
The rapidly changing threat landscape means your business needs to stay informed on the latest attack methods, regulatory shifts and security vulnerabilities to ensure your cyber defense strategy remains up to date. SWK Technologies will help your team keep track of these developments and provide solutions for improving your cybersecurity posture that address the biggest cyber threats today.
Contact SWK here to discuss how recent cybersecurity developments may affect your business, and learn about security solutions designed to protect your business from today’s most pressing digital threats.