Q1 2025 closed with a sharp and predictable lesson: attackers kept betting on high-impact leverage and, in many cases, won. The quarter’s pattern was clear — prolific ransomware campaigns that hit critical infrastructure, cascading supply-chain compromises that exposed developer and CI/CD secrets, and a single crypto heist that dwarfed every other loss this year. The practical question for defenders is no longer whether you will be targeted; it is how you reduce attack surface and operational exposure when compromise is inevitable.

Big-ticket incidents at a glance

  • Bybit: On February 21 the cryptocurrency exchange Bybit had roughly 401,000 ETH and related tokens drained from a cold multisig wallet during a routine transfer to a warm wallet, in what investigators and on-chain analysts treated as the largest single crypto theft to date. The signers approved a transaction whose real contents differed from what the signing interface displayed; the attack relied on supply-chain compromise of the wallet's signing front end rather than on breaking any key. Bybit publicly confirmed the incident and moved to forensic and recovery steps. This one event is already changing assumptions about cold-storage workflows and about multisig as a single line of defense: if every signer reads the same compromised screen, the quorum adds nothing.

  • PowerSchool: The education sector kept paying a heavy price. A December 2024 intrusion that reached public attention in January hit the support portal through which PowerSchool staff access customer Student Information System instances; districts sent mass notifications in January and February, and multiple districts reported that historical student and staff records, not just current ones, had been accessed. PowerSchool attributed the access to a compromised support/maintenance credential, and reporting indicated the portal did not enforce MFA, so one credential was enough to reach many tenants. The attack underscores third-party support portals as high-leverage targets.

  • Lee Enterprises (Qilin): Media operations were disrupted in February when a ransomware incident at Lee Enterprises encrypted critical business systems; the Qilin ransomware group claimed responsibility and claimed to have exfiltrated a substantial volume of data. Local news production, billing, and vendor payments were affected at dozens of publications. The attack shows how ransomware cascades from IT impact to real-world service disruption.

  • Medusa ransomware advisory: In mid-March the FBI, CISA, and MS-ISAC issued a joint advisory (AA25-071A) warning that Medusa-affiliated actors had impacted hundreds of critical-infrastructure organizations using double-extortion tactics, with initial access obtained through initial-access brokers, credential phishing, and exploitation of unpatched internet-facing software. The advisory was an operational wake-up call about persistent RaaS affiliate campaigns against healthcare, education, manufacturing, and other essential sectors.

  • GitHub Actions / CI/CD supply-chain compromise: In March attackers modified widely used GitHub Actions (notably tj-actions/changed-files, tracked as CVE-2025-30066, and a reviewdog action upstream of it), retroactively pointing existing version tags at a malicious commit. The injected code dumped the runner process memory and printed CI/CD secrets into workflow logs, where anyone could read them for public repositories. The incident had broad reach and demonstrated how mutable tags and unpinned action references turn devops convenience into a global blast radius.

  • Oracle Cloud claim: In late March a threat actor claimed to have exfiltrated roughly 6 million records from Oracle Cloud SSO/LDAP, and a security vendor's analysis pointed at a legacy login endpoint as a plausible entry point. Oracle initially disputed the claim; the episode illustrates how intelligence vendors, threat actors, and cloud providers can surface conflicting narratives during a rapidly developing event and why independent validation matters.

  • NTT Communications: In early February NTT Communications disclosed that an internal system used to distribute service order information had been accessed and that data on nearly 18,000 corporate customers may have been exposed. The incident was widely noted because it affected a large downstream customer base and reaffirmed the concentration risk posed by large telco and managed-service providers.

What the quarter’s incidents teach us (short practical guidance)

1) Harden signing and transfer workflows for high-value assets. The Bybit drain shows that signing flows and UI integrity are attack vectors in their own right. Require multi-channel confirmation for large transfers, have each signer verify the decoded transaction fields and hash on an independent device rather than trusting the browser UI, instrument signing UIs with attestation checks, and assume the signer's screen can be spoofed. Extend tests and red-team exercises to include UI deception scenarios.

2) Treat vendor support portals and maintenance accounts as crown jewels. PowerSchool and other incidents repeatedly show that a single compromised maintenance account with weak or no MFA is a rapid path to mass exfiltration. Enforce phishing-resistant MFA, jump hosts, ephemeral credentials, full session logging, and per-customer least privilege on all support interfaces, so that one credential cannot reach every tenant.

3) CI/CD is a first-class security boundary. The March GitHub Actions compromise is a reminder: pin actions to immutable commit SHAs, audit transitive action dependencies, and remember that anything a step can read (environment, runner memory) can be encoded to slip past log masking and land in a public log. Rotate long-lived secrets and treat any secret that was available to a workflow during the compromise window as exposed. Invest in ephemeral, short-lived credentials (for example OIDC-issued cloud tokens) so there is less to steal.

4) Assume double and triple extortion will continue. Defensive playbooks must include offline, immutable backups and tested recovery runbooks. But also build detection for slow exfiltration and credential-theft patterns, because backups restore service, not confidentiality; paying ransoms is operationally and legally fraught and does not solve systemic leakage risks.

5) Validate vendor and cloud claims quickly and independently. When intelligence vendors report an alleged cloud-provider breach like the Oracle claim, treat it as a trigger for broad-based hunting across your fleet: rotate credentials for SSO/LDAP integrations, check for exposed key material, and run targeted hunts for anomalous authentication traffic. Don't wait for vendor denials, or confirmations, to act.
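The independent verification step from point 1 above, written out as an added example; this is not Bybit's, Safe's or any wallet vendor's code. It takes the raw execTransaction calldata that the signer is actually about to approve (obtained from a second channel, such as the hardware wallet's raw payload view), re-decodes the fields that matter, compares them with what the browser UI displayed, and applies a destination allow-list and an operation check. The selector is the published Safe execTransaction selector; the allow-list, the approval limit and both sample transactions are constructed for the demo.

```python
"""Independent pre-signing review of a Safe-style multisig transaction.

Added example (not Bybit's, Safe's or any wallet vendor's code). Raw
execTransaction calldata from a second channel is decoded here, compared
with what the UI showed, and checked against policy. Allow-list, limit and
sample transactions are constructed for the demo.
"""
from dataclasses import dataclass

# execTransaction(address,uint256,bytes,uint8,uint256,uint256,uint256,address,address,bytes)
EXEC_TRANSACTION_SELECTOR = bytes.fromhex("6a761202")
CALL, DELEGATECALL = 0, 1
HEAD_WORDS = 10  # ABI head: 8 static values plus offsets for the two dynamic `bytes`

@dataclass(frozen=True)
class SafeTx:
    to: str          # hex address, compared case-insensitively
    value: int       # wei
    data: bytes
    operation: int   # 0 = CALL, 1 = DELEGATECALL (runs foreign code against the Safe's storage)

def _word(calldata: bytes, i: int) -> bytes:
    w = calldata[4 + 32 * i:4 + 32 * (i + 1)]
    if len(w) != 32:
        raise ValueError("truncated calldata head")
    return w

def _dyn_bytes(calldata: bytes, offset: int) -> bytes:
    start = 4 + offset
    length = int.from_bytes(calldata[start:start + 32], "big")
    blob = calldata[start + 32:start + 32 + length]
    if len(blob) != length:
        raise ValueError("truncated dynamic bytes")
    return blob

def decode_exec_transaction(calldata: bytes) -> SafeTx:
    """Decode only the fields the policy decision depends on."""
    if calldata[:4] != EXEC_TRANSACTION_SELECTOR:
        raise ValueError("selector is not execTransaction")
    to = "0x" + _word(calldata, 0)[12:].hex()
    value = int.from_bytes(_word(calldata, 1), "big")
    data = _dyn_bytes(calldata, int.from_bytes(_word(calldata, 2), "big"))
    operation = int.from_bytes(_word(calldata, 3), "big")
    return SafeTx(to, value, data, operation)

def _pad32(b: bytes) -> bytes:
    return b + b"\x00" * (-len(b) % 32)

def encode_exec_transaction(tx: SafeTx, signatures: bytes = b"") -> bytes:
    """Minimal ABI encoder, used only to build sample calldata (gas fields zeroed)."""
    addr = lambda h: bytes.fromhex(h[2:]).rjust(32, b"\x00")
    uint = lambda n: n.to_bytes(32, "big")
    data_off = HEAD_WORDS * 32
    sig_off = data_off + 32 + len(_pad32(tx.data))
    head = (addr(tx.to) + uint(tx.value) + uint(data_off) + uint(tx.operation)
            + uint(0) * 3 + addr("0x" + "00" * 20) * 2 + uint(sig_off))
    tail = uint(len(tx.data)) + _pad32(tx.data) + uint(len(signatures)) + _pad32(signatures)
    return EXEC_TRANSACTION_SELECTOR + head + tail

@dataclass(frozen=True)
class Policy:
    allowed_destinations: frozenset   # lowercase addresses (assumed allow-list)
    single_approval_limit: int        # wei; above this, demand second-channel confirmation

def _norm(tx: SafeTx) -> SafeTx:
    return SafeTx(tx.to.lower(), tx.value, tx.data, tx.operation)

def review_before_signing(raw_calldata: bytes, ui_shown: SafeTx, policy: Policy) -> list:
    """Return reasons to refuse; an empty list means payload, UI and policy all agree."""
    actual, shown = _norm(decode_exec_transaction(raw_calldata)), _norm(ui_shown)
    reasons = []
    if actual != shown:
        reasons.append(f"payload differs from UI: payload={actual} ui={shown}")
    if actual.operation == DELEGATECALL:
        reasons.append("operation is DELEGATECALL; refuse unless explicitly pre-approved")
    if actual.to not in policy.allowed_destinations:
        reasons.append(f"destination {actual.to} is not on the allow-list")
    if actual.value > policy.single_approval_limit:
        reasons.append("value exceeds single-approval limit")
    return reasons

# Constructed demo: the intended cold-to-warm transfer, and a tampered payload
# that a compromised signing UI would present as that transfer.
WARM_WALLET = "0x" + "11" * 20
POLICY = Policy(frozenset({WARM_WALLET}), single_approval_limit=10_000 * 10**18)

def demo():
    intended = SafeTx(WARM_WALLET, 100 * 10**18, b"", CALL)
    honest = encode_exec_transaction(intended)
    tampered = encode_exec_transaction(SafeTx("0x" + "aa" * 20, 0, b"\xde\xad\xbe\xef", DELEGATECALL))
    return review_before_signing(honest, intended, POLICY), review_before_signing(tampered, intended, POLICY)

if __name__ == "__main__":
    ok, refused = demo()
    print("honest payload:", "sign" if not ok else ok)
    print("tampered payload:", *refused, sep="\n  ")
```

The point of the design is that the check never looks at the web UI's rendering of the transaction; it decodes the bytes the key will actually sign. A UI that lies about the destination or quietly sets the operation to DELEGATECALL fails the comparison regardless of how convincing the screen looks, which is the failure mode a compromised front end produces.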
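Detection logic for points 2 and 4 above, as an added example that is not taken from the page or from any vendor's product. It runs over support-portal session events and raises two alerts: a maintenance account touching an unusual number of distinct customer tenants within a day, and an account whose export volume adds up over a long window even when each day's export stays small. The log format, the thresholds and the sample lines are all constructed for the demo.

```python
"""Detection over support-portal session logs: tenant fan-out and
low-and-slow export volume by maintenance accounts.

Added example, not from the page or any vendor. The log format is
constructed for the demo: '<ISO timestamp> <account> <tenant> <action> <bytes>'
per line. Thresholds are assumptions; tune them against your own baseline.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FANOUT_WINDOW = timedelta(hours=24)
FANOUT_TENANTS = 5                   # distinct customer tenants per account in the window
EXPORT_WINDOW = timedelta(days=7)    # long window so small daily exports still add up
EXPORT_BYTES = 200 * 1024 * 1024     # 200 MiB exported per account in the window

def parse_event(line: str):
    ts, account, tenant, action, nbytes = line.split()
    return datetime.fromisoformat(ts), account, tenant, action, int(nbytes)

def detect(lines):
    """Return [(iso_timestamp, account, rule)] in time order; each account/rule pair fires once."""
    events = sorted(parse_event(l) for l in lines if l.strip())
    touched = defaultdict(deque)   # account -> (ts, tenant) inside FANOUT_WINDOW
    exported = defaultdict(deque)  # account -> (ts, bytes) inside EXPORT_WINDOW
    fired, alerts = set(), []

    def fire(ts, account, rule):
        if (account, rule) not in fired:
            fired.add((account, rule))
            alerts.append((ts.isoformat(), account, rule))

    for ts, account, tenant, action, nbytes in events:
        q = touched[account]
        q.append((ts, tenant))
        while ts - q[0][0] > FANOUT_WINDOW:   # q is never empty: we just appended
            q.popleft()
        if len({t for _, t in q}) >= FANOUT_TENANTS:
            fire(ts, account, "tenant_fanout")
        if action == "export":
            e = exported[account]
            e.append((ts, nbytes))
            while ts - e[0][0] > EXPORT_WINDOW:
                e.popleft()
            if sum(b for _, b in e) >= EXPORT_BYTES:
                fire(ts, account, "export_volume")
    return alerts

# Constructed sample: a normal agent, a credential fanning out across tenants
# in one morning, and a service account exporting 45 MiB a day for six days.
SAMPLE_LOG = """\
2025-01-02T10:00:00 alice tenant-a view 0
2025-01-02T11:30:00 alice tenant-a export 1048576
2025-01-03T09:15:00 alice tenant-b view 0
2025-01-03T08:00:00 svc-maint tenant-01 export 2097152
2025-01-03T08:40:00 svc-maint tenant-02 export 2097152
2025-01-03T09:20:00 svc-maint tenant-03 export 2097152
2025-01-03T10:05:00 svc-maint tenant-04 export 2097152
2025-01-03T10:50:00 svc-maint tenant-05 export 2097152
2025-01-03T11:30:00 svc-maint tenant-06 export 2097152
2025-01-01T02:00:00 svc-ops tenant-z export 47185920
2025-01-02T02:00:00 svc-ops tenant-z export 47185920
2025-01-03T02:00:00 svc-ops tenant-z export 47185920
2025-01-04T02:00:00 svc-ops tenant-z export 47185920
2025-01-05T02:00:00 svc-ops tenant-z export 47185920
2025-01-06T02:00:00 svc-ops tenant-z export 47185920
"""

if __name__ == "__main__":
    for ts, account, rule in detect(SAMPLE_LOG.splitlines()):
        print(f"{ts} {account} {rule}")
```

The second rule is the one that catches slow exfiltration: no single day's export trips a daily threshold, but the seven-day sum does. In production the per-account baseline should come from the account's own history rather than a fixed constant, and a maintenance account that legitimately services many tenants needs its own, higher fan-out threshold rather than an exemption.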

Operational checklist for teams this quarter

  • Review and enforce MFA and conditional access for all externally exposed support portals and privileged maintenance accounts.
  • Pin GitHub Actions and third-party CI artifacts to commit SHAs or image digests and require provenance. Audit workflow files for unpinned references, and restrict or monitor runner egress so a step cannot quietly pull code from a gist or post secrets out during a run.
  • Run tabletop exercises that simulate UI-level signing deception and large-transfer fraud for crypto custodians and financial ops teams.
  • Assume exfiltration: treat backups as offline and immutable, and rehearse offline restoration.
  • Validate claims about cloud platform breaches with multi-source verification and immediate rotation of exposed secrets, keys, and certificates.
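An auditor for the pinning item in the checklist above (and point 3 in the guidance section), as an added example that is not part of the page or of any project. It scans `uses:` lines in a workflow file with a line-level regex, so it needs no YAML library, reports every action reference that is not pinned to a full 40-hex commit SHA or an image digest, and flags steps that download and execute remote code. The workflow text below is constructed for the demo, including its obviously fake commit SHA.

```python
"""Audit GitHub Actions workflow files for mutable action references.

Added example; not from the page or any project. It scans `uses:` lines with
a line-level regex (no YAML library), reports references not pinned to a full
40-hex commit SHA or image digest, and flags steps that download and execute
remote code. The workflow text below is constructed, including its fake SHA.
"""
import re
from dataclasses import dataclass

USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)")
SHA40_RE = re.compile(r"^[0-9a-f]{40}$")
REMOTE_EXEC_RE = re.compile(r"(curl|wget)[^|\n]*\|\s*(ba|z)?sh\b|gist\.github(usercontent)?\.com")

@dataclass(frozen=True)
class Finding:
    line: int
    severity: str   # high | low | info
    message: str

def classify_ref(ref: str):
    """Return (kind, name, pin) for a `uses:` reference."""
    if ref.startswith("./"):
        return "local", ref, ""
    if ref.startswith("docker://"):
        return "docker", ref, ("digest" if "@sha256:" in ref else "")
    if "@" not in ref:
        return "action", ref, ""
    name, _, version = ref.rpartition("@")
    return "action", name, version

def audit_workflow(text: str) -> list:
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if m:
            kind, name, pin = classify_ref(m.group(1))
            if kind == "local":
                findings.append(Finding(lineno, "info", f"local action {name}: review its source in-repo"))
            elif kind == "docker" and not pin:
                findings.append(Finding(lineno, "high", f"{name} is a mutable image tag; pin by @sha256 digest"))
            elif kind == "action" and not SHA40_RE.match(pin):
                findings.append(Finding(lineno, "high",
                                        f"{name}@{pin or '(none)'} is a mutable ref; pin to a 40-hex commit SHA"))
            elif kind == "action" and "#" not in line:
                findings.append(Finding(lineno, "low", f"{name} is SHA-pinned; add a '# vX.Y.Z' comment for reviewers"))
            continue
        if REMOTE_EXEC_RE.search(line):
            findings.append(Finding(lineno, "high", "step downloads and executes remote code; vendor the script instead"))
    return findings

# Constructed sample workflow; the 40-hex value is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: tj-actions/changed-files@45
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # v4.0.3
      - name: bootstrap
        run: curl -sSL https://example.invalid/setup.sh | bash
      - uses: ./.github/actions/local-lint
      - uses: docker://alpine:3.19
"""

if __name__ == "__main__":
    for f in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {f.line:>3} [{f.severity}] {f.message}")
```

A tag such as `@v4` or `@45` is exactly what the March attackers repointed; only the SHA-pinned line in the sample would have kept running the code its author reviewed. Run the auditor over every file under `.github/workflows/` in CI itself and fail the build on any `high` finding, so a new unpinned reference cannot be merged quietly.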

Closing note

Q1 was not unusual in volume, but it was brutal in leverage. Attackers concentrated effort where failure modes cascade into real services or real money. For security leaders that means shifting controls from prevention alone toward detection and resilience: faster detection, assumed-compromise playbooks, and recovery rehearsals tied to business outcomes. The technical controls are mostly known. The hard work is operationalizing them across vendors, devops, and executive risk tolerance. Act on that before Q2 delivers another reminder.