TRACE Cyber Intelligence Pulse - 5 December 2025
Cyber threats do not wait for you to catch up. Stay ahead with CyXcel’s weekly threat intelligence foresight, grounded in real-world incident response and powered by our fusion of legal, technical and strategic expertise.
Edited by: Samuel Kudláč, Senior Analyst, and Danny Howett, Technical Director – Digital Forensics and Incident Response.
In Focus
Holiday Season Cyber Threats
With the holiday season approaching, authorities across the EU, UK and US report a surge in cybercriminal activity as online shopping ramps up ahead of Christmas. Threat actors are using artificial intelligence (AI) tools, social media advertising and text messaging to harvest payment data and personally identifiable information (PII) at scale.
Cybercriminal campaigns now routinely combine deepfake video or influencer-style content with cloned storefronts that closely mimic legitimate brands. Threat actors use fake celebrity endorsements to lure victims to spoofed checkout pages, often built using AI-generated code, facilitating the theft of financial and personal data and the redirection of payments.
Security researchers also highlight aggressive brand spoofing against global retailers such as Amazon, Apple, Netflix, Macy’s, Walmart and others, with templated phishing emails and online ads offering Black Friday-style discounts that lead to card-skimming and credential harvesting sites.
In parallel, SMS campaigns impersonate logistics providers, including USPS, FedEx and UPS, using “missed delivery” alerts that direct recipients to websites hosting malware or data-capture forms. These operations contributed to an estimated USD 470 million in text-scam losses in 2024, with package-delivery lures being the most common theme.
Key Takeaways
Seasonal cybercrime is driving higher fraud losses, chargebacks and regulatory exposure for retailers, other businesses and financial institutions, as threat actors run automated, highly personalized, low-cost, high-volume campaigns across email, text and social media.
Businesses face elevated risk of cyber-enabled consumer fraud and should enforce tighter customer authentication, strengthen fraud analytics on promotions and refunds, and rapidly identify and take down spoofed domains, accounts and ads. These measures should be supported by clear public guidance that explains how the organization will and will not contact customers, including official channels and expected security practices.
Threat actors are also highly likely to exploit reduced staffing levels and vigilance during the holiday period, as security teams, contact centers and branch operations often run with skeleton crews. Lower capacity for monitoring, slower incident response and higher workload on active staff increase the likelihood that malicious activity, social engineering attempts or spoofed communications go undetected or receive insufficient review.
Individuals should treat unsolicited emails and text messages as high-risk by default and independently verify the legitimacy of any website, message or offer before clicking links or entering sensitive data. Wherever possible, users should enable multi-factor authentication, use card controls and spending limits and regularly review statements to reduce the impact of any potential compromise of financial or personal information.
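The takeaway above asks businesses to rapidly identify spoofed domains for takedown, and the campaigns described earlier rely on storefront and delivery-notice hostnames that imitate the brands named in this report. The following is an added example, not CyXcel tooling, of a brand-protection triage script: it normalizes common homoglyph substitutions, compares each candidate domain against a protected-brand list with an edit-distance budget, and raises severity when a brand name is combined with a seasonal lure keyword. The brand allowlist, lure keywords and sample domains are constructed for the demonstration; in practice the input would be a newly-registered-domain or certificate-transparency feed.

```python
"""Lookalike-domain triage for brand-protection teams.

Added example (not CyXcel's or any vendor's tooling). Scores candidate hostnames
against protected brands so spoofed storefront / delivery-notice domains can be
queued for takedown. All lists below are constructed for the demonstration.
"""
from __future__ import annotations

# Brands named in the report as common spoofing targets.
PROTECTED_BRANDS = ["amazon", "apple", "netflix", "walmart", "macys", "usps", "fedex", "ups"]

# Constructed allowlist of the brands' own registrable domains (assumption for the demo).
ALLOWLIST = {"amazon.com", "apple.com", "netflix.com", "walmart.com",
             "macys.com", "usps.com", "fedex.com", "ups.com"}

# Words that typically accompany a brand name in seasonal phishing / smishing domains.
LURE_KEYWORDS = {"delivery", "track", "parcel", "deal", "deals", "blackfriday", "discount",
                 "coupon", "checkout", "refund", "login", "verify", "secure", "account"}

# Crude handling of two-part public suffixes so the label is picked correctly.
SECOND_LEVEL_SUFFIXES = {"co.uk", "com.au", "co.jp", "com.br"}

# Single- and multi-character substitutions attackers use to look like a brand.
HOMOGLYPH_SINGLE = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "8": "b"})
HOMOGLYPH_MULTI = [("rn", "m"), ("vv", "w")]

# Constructed sample feed: a mix of legitimate, spoofed and unrelated hostnames.
SAMPLE_DOMAINS = [
    "www.amazon.com", "amazon.shop", "amaz0n-blackfriday-deals.shop", "netfiix.com",
    "app1e-id-verify.com", "rnacys-coupon.com", "fedex-track-parcel.info",
    "ups-delivery.net", "usps-delivery.co", "groups-online.org", "example.org",
]


def registrable_parts(hostname: str) -> tuple[str, str]:
    """Return (label, registrable_domain), e.g. www.amazon.co.uk -> ('amazon', 'amazon.co.uk')."""
    parts = hostname.lower().rstrip(".").split(".")
    if len(parts) >= 3 and ".".join(parts[-2:]) in SECOND_LEVEL_SUFFIXES:
        return parts[-3], ".".join(parts[-3:])
    if len(parts) >= 2:
        return parts[-2], ".".join(parts[-2:])
    return parts[0], parts[0]


def normalize(label: str) -> str:
    """Undo the homoglyph tricks so 'amaz0n' and 'rnacys' compare as 'amazon' and 'macys'."""
    out = label.translate(HOMOGLYPH_SINGLE)
    for pattern, replacement in HOMOGLYPH_MULTI:
        out = out.replace(pattern, replacement)
    return out


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert / delete / substitute), used for typosquat detection."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _hit(hostname: str, brand: str, reason: str, severity: str) -> dict:
    return {"domain": hostname, "brand": brand, "reason": reason, "severity": severity}


def score_domain(hostname: str) -> dict | None:
    """Return a finding for a suspicious hostname, or None if it looks unrelated / legitimate."""
    label, registrable = registrable_parts(hostname)
    if registrable in ALLOWLIST:
        return None                      # the brand's own domain is never a finding
    tokens = [t for t in normalize(label).split("-") if t]
    compact = "".join(tokens)
    for brand in PROTECTED_BRANDS:
        if compact == brand:             # brand name on a foreign TLD or via homoglyphs only
            return _hit(hostname, brand, "homoglyph_or_tld_spoof", "high")
        budget = 1 if len(brand) < 6 else 2   # edit budget grows with brand length
        if levenshtein(compact, brand) <= budget:
            return _hit(hostname, brand, "typosquat", "high")
        # Short brands such as "ups" only count as a whole hyphen-separated token,
        # otherwise "groups-online" would be flagged; longer brands may be embedded anywhere.
        embedded = brand in tokens if len(brand) <= 4 else brand in compact
        if embedded:
            lure = any(keyword in compact for keyword in LURE_KEYWORDS)
            return _hit(hostname, brand, "brand_embedded", "high" if lure else "medium")
    return None


def triage(domains: list[str]) -> list[dict]:
    """Score a feed of hostnames and return findings, highest severity first."""
    rank = {"high": 0, "medium": 1}
    hits = [h for h in (score_domain(d) for d in domains) if h]
    return sorted(hits, key=lambda h: (rank[h["severity"]], h["domain"]))


if __name__ == "__main__":
    for finding in triage(SAMPLE_DOMAINS):
        print(f"{finding['severity']:<6} {finding['reason']:<24} {finding['brand']:<8} {finding['domain']}")
```

The token rule for short brand names is the edge case worth keeping: without it, any registrable label containing "ups" would be queued for takedown and the feed would drown the team in false positives. The edit-distance budget has the opposite failure mode (it will flag "apples.com" as a typosquat of Apple), so findings are meant to be reviewed, not auto-actioned.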
Around the Globe
Worldwide: Breach of South Korean Retailer Coupang Exposes 33.7 Million People
South Korean online retailer Coupang disclosed a data breach affecting 33.7 million customers that exposed personally identifiable information (PII) including names, email addresses, phone numbers, shipping addresses and delivery metadata. No credentials or financial data were exposed as part of this breach.
The incident is suspected to be insider-driven, involving a mismanaged authentication key belonging to a former employee and anonymous emails threatening to leak the stolen data. Here is how CyXcel can help strengthen your joiners-movers-leavers processes.
Currently, there is no evidence of active misuse of the exposed data. However, affected individuals should remain cautious and monitor for suspicious or unsolicited communications.
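The Coupang incident is suspected to hinge on an authentication key that outlived its owner's employment. The following is an added example, not Coupang's or CyXcel's tooling, of the reconciliation check a joiners-movers-leavers process should run: a long-lived key inventory is cross-checked against the HR roster so that keys owned by leavers, keys with no known owner, and keys past their rotation age are flagged for revocation. The roster, the inventory and the record fields are constructed assumptions for the demonstration.

```python
"""Leaver credential reconciliation.

Added example (not Coupang's or CyXcel's tooling). Cross-checks an inventory of
long-lived authentication keys against an HR roster and reports keys that should
be revoked or rotated. All records and field names are constructed for the demo.
"""
from __future__ import annotations
from datetime import date, timedelta

# Constructed HR roster: employee id -> (status, leave date or None).
HR_ROSTER = {
    "e1001": ("active", None),
    "e1002": ("left", date(2025, 9, 30)),
    "e1003": ("left", date(2025, 11, 15)),
    "e1004": ("active", None),
}

# Constructed key inventory: one record per long-lived API / service key.
KEY_INVENTORY = [
    {"key_id": "k-01", "owner": "e1001", "created": date(2025, 6, 1), "last_used": date(2025, 12, 1)},
    {"key_id": "k-02", "owner": "e1002", "created": date(2024, 2, 10), "last_used": date(2025, 11, 28)},
    {"key_id": "k-03", "owner": "e1003", "created": date(2025, 1, 5), "last_used": date(2025, 10, 2)},
    {"key_id": "k-04", "owner": "e9999", "created": date(2023, 5, 20), "last_used": date(2025, 12, 3)},
    {"key_id": "k-05", "owner": "e1004", "created": date(2024, 1, 1), "last_used": date(2025, 12, 4)},
]

MAX_KEY_AGE = timedelta(days=365)   # assumed rotation policy for long-lived keys
AUDIT_DATE = date(2025, 12, 5)      # the report date, used as "today" for the demo


def audit_keys(inventory: list[dict], roster: dict, today: date) -> list[tuple[str, str, str]]:
    """Return (key_id, finding, severity) for every key that violates the leaver / rotation rules."""
    findings = []
    for key in inventory:
        status, left_on = roster.get(key["owner"], ("unknown", None))
        if status == "left":
            # Use after the owner's leave date is the strongest sign of a mismanaged key:
            # someone other than the departed employee is holding and exercising it.
            if key["last_used"] > left_on:
                findings.append((key["key_id"], "used_after_departure", "critical"))
            else:
                findings.append((key["key_id"], "owner_left", "high"))
        elif status == "unknown":
            # No HR record at all: nobody is accountable for the key, so treat it as orphaned.
            findings.append((key["key_id"], "orphaned_owner", "high"))
        elif today - key["created"] > MAX_KEY_AGE:
            findings.append((key["key_id"], "rotation_overdue", "medium"))
    return findings


def run_audit() -> dict[str, str]:
    """Run the audit on the constructed data; returns key_id -> finding for easy checking."""
    return {key_id: finding for key_id, finding, _ in audit_keys(KEY_INVENTORY, HR_ROSTER, AUDIT_DATE)}


if __name__ == "__main__":
    for key_id, finding, severity in audit_keys(KEY_INVENTORY, HR_ROSTER, AUDIT_DATE):
        print(f"{severity:<9} {finding:<22} {key_id}")
```

The distinction between "owner_left" and "used_after_departure" is the point of the check: the first is a hygiene gap that revocation closes, the second means the key is already in someone else's hands and belongs in the incident queue rather than the ticket backlog.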
Worldwide: Cloudflare Reports Record-Breaking Hyper-Volumetric DDoS Attack
Cloudflare reported a record-breaking hyper-volumetric Distributed Denial-of-Service (DDoS) campaign, including a 29.7 Tbps UDP carpet-bombing attack and a 14.1 Bpps burst, attributed to the Aisuru botnet-for-hire, targeting telecommunications, gaming, hosting providers and financial services.
The campaign’s traffic volume caused collateral disruption to parts of the US internet, showing how even novice threat actors can rent low-cost, high-volume capabilities to disrupt critical services at national scale.
US: Ransomware Breach of Marquis Impacts 74 US Financial Firms
Marquis Software Solutions disclosed that an August 2025 ransomware breach, likely linked to SonicWall vulnerability CVE-2024-40766, exposed PII and financial data of over 400,000 customers across at least 74 US banks and credit unions.
At the time of writing there is no evidence of data misuse. A deleted filing indicates the organization paid a ransom to prevent data leakage. The incident is the latest in a series of breaches in the financial sector, underscoring the need for robust patching and hardening of perimeter devices.
We Can Help
Expand your threat intelligence monitoring capabilities beyond the dark web with support from CyXcel’s TRACE team. Contact our experts today to find out more.