
CyberSecStats #20 - Ransomware threat intelligence, TOAD campaigns, and LLM phishing

Hello! 

Laura from CyberSecStats here.

“Hey ChatGPT, how do I log into Slack/Jira/my corporate email server again?” 

What happens to your org when people start asking LLMs for basic tech support? 

In one of the reports featured below, 34% of the time an LLM asked how or where to log into a branded app (e.g., “Slack”) sent users to a domain completely uncontrolled by the brand in question.

Scarily, these results can be consistently wrong. The same hallucinated domains keep popping up, creating a new attack vector for spoofers who find, register, and compromise these hallucinated domain names before you do - can we call this “LLMdomainsquatting”?

Elsewhere in this week's CyberSecStats, we feature data on rising ransomware victim numbers, the latest information on API threats, shifting consumer attitudes towards AI tools, the current state of staffing in GRC roles (not ideal), and more.

Here’s a dive into those trends. All the data below was published in the last 7 days or recently submitted to us.

BTW, if you have information your company would like to share with our audience of over 300 cybersecurity practitioners, researchers, founders, and marketers, please contact us.

General cybersecurity trend reports 

2% of Large Firms at Highest Scattered Spider Risk (CyberCube) 

CyberCube’s threat intelligence research into Scattered Spider. 

  • Over 36 months, 21 major publicly disclosed cyber incidents have been attributed to the group. 
  • Since April 2025, the group has been moving swiftly across industries. Through 7/2/2025, four retail, four insurance, and three aviation firms were attacked.
  • Total financial losses for victims have ranged from tens to hundreds of millions of dollars. 

Read the full report here.

Ransomware

Ransomware and Cyber Extortion in Q2 2025 (ReliaQuest)

Ransomware threat intelligence from Q2 2025. 

  • Q2 2025 saw a 31% decrease in named ransomware victims compared to the previous quarter, marking a return to more typical levels.
  • Qilin emerged as the top ransomware threat in Q2 2025.
  • The US remained the most targeted country by ransomware, accounting for 67% of the total organizations named on ransomware data-leak sites in Q2.

Read the full report here.

Cryptocurrency

Hack3d: The Web3 Security Quarterly Report - Q2 + H1 2025 (CertiK)

The most comprehensive record of statistics and analysis of on-chain security incidents.

  • A total of $2,472,777,618 was lost across 344 on-chain security incidents in H1 2025.
  • Wallet compromise was the most costly attack vector, with $1,706,937,700 stolen across 34 on-chain security incidents in H1 2025.
  • Phishing was the second most costly, with $410,747,038 stolen across 132 on-chain security incidents in H1 2025.

Read the full report here.

Cloud

2025 Cloud Security Study (Thales)

Perspectives on cloud security challenges from nearly 3,200 respondents in 20 countries across a variety of seniority levels.

Key stats:

  • 64% of respondents ranked cloud security among their top five security priorities.
  • Enterprises use an average of 85 SaaS applications.
  • 52% of respondents are prioritising AI security investments over other security needs.

Read the full report here.

Phishing

PDFs: Portable documents, or perfect deliveries for phish? (Talos)

Insight into telephone-oriented attack delivery (TOAD) campaigns. 

Key stats:

  • A significant portion of email threats with PDF payloads persuade victims to call adversary-controlled phone numbers, employing Telephone-Oriented Attack Delivery (TOAD) or callback phishing.
  • Most phone numbers found in email threats leveraging the TOAD social engineering technique are Voice over Internet Protocol (VoIP) numbers.
  • Microsoft and Docusign were among the most frequently impersonated brands in phishing emails with PDF attachments.

Read the full report here.

AI

Large Language Models (LLMs) Are Falling for Phishing Scams: What Happens When AI Gives You the Wrong URL? (Netcraft)

What happens when you ask a large language model where to log into various well-known platforms? The results are surprisingly dangerous, found Netcraft researchers. 

Key stats:

  • Out of 131 hostnames provided by the LLM in response to natural language queries for 50 brands, a significant 34% were not controlled by the brands at all.
  • 29% of the incorrect domains an LLM suggested in response to a query were unregistered, parked, or had no active content, leaving them vulnerable to takeover by malicious actors.
  • Netcraft uncovered a sophisticated campaign to poison AI coding assistants, in which an attacker promoted a fake API. At least five victims were found to have copied this malicious code into their own public projects, some of which showed signs of being built using AI coding tools.

Read the full report here.

The State of AI & API Security (FireTail)

Insight into the rising threats, real-world breaches, and regulatory changes shaping how businesses must secure the APIs that power their AI investments.

Key stats:

  • The FireTail API Data Breach Tracker shows a rise in API security incidents, increasing from 22 in 2023 to 26 in 2024.
  • Cumulatively, over 1.6 billion records have been exposed since 2017 due to API breaches.
  • In the last three years, there have been 79 documented API breaches, significantly more than the 22 cloud-related breaches in the same period, indicating APIs are a growing focal point for attackers.

Read the full report here.

Third-party risk management

2025 Annual Third-Party Risk Management Study (Mitratech)

Insights into the third-party risk landscape.

Key stats:

  • Nearly 70% of Third-Party Risk Management (TPRM) teams report being understaffed.
  • As a result of TPRM teams being understaffed, organisations are only managing about 40% of their vendor population.
  • The presence of compliance teams in TPRM jumped from 42% in 2023 to 88% in 2025.

Read the full report here.

Consumer

Report: The State of Digital Trust in 2025 (Usercentrics) 

Insights from 10,000 frequent internet users across Europe and the United States into digital trust. 

Key stats:

  • 59% of consumers are uncomfortable with their data being used to train AI systems.
  • 62% feel like they have "become the product".
  • 46% say they accept cookies less often than three years ago.

Read the full report here.