Q3 2025 in review: deepfakes, identity abuse, and the new shape of cybercrime

05 October 2025 · 4 min read

Quarterly Review

A quarter of convergence

Q3 2025 reinforced a pattern we’ve tracked for the past year: cybercriminals and state-linked actors are no longer separate universes. Their tools, targets, and tradecraft are converging.

This quarter was marked by:

  • Ransomware groups blending espionage with extortion.
  • Deepfake-enabled scams maturing into real-world fraud.
  • OAuth and identity-token abuse undermining traditional access controls.
  • Trusted developer tools and supply chains exploited at scale.
  • Nation-state actors embedding long-term persistence in critical infrastructure.

1. Ransomware with an espionage edge

LockBit, Play, and remnants of Conti affiliates pivoted to hybrid operations. Several victims reported encryption alongside silent exfiltration of sensitive IP, with data surfacing in channels linked to known nation-state collectors.

This dual-purpose attack style suggests ransomware is now as much about intelligence gathering as about cash flow. For defenders, that means incident response cannot stop at decryptors or backups — forensic investigation must assume data theft.

2. Deepfakes enter the boardroom

Q3 confirmed what many feared: AI-driven impersonation is operational.

  • In one high-profile case, attackers used a real-time video deepfake of a CFO to authorize a wire transfer exceeding $20 million.
  • Multiple banks in Asia reported voice-cloned calls to customer service desks, used to reset high-value accounts.

These attacks succeed not because they’re perfect, but because they arrive in moments of urgency — end of quarter, board prep, travel. Awareness training helps, but resilience now demands secondary validation channels for high-stakes approvals.

3. OAuth token abuse on the rise

Identity infrastructure continues to be a prime target. Q3 saw multiple incidents where attackers bypassed MFA altogether by compromising OAuth tokens in Microsoft 365 and GitHub Enterprise environments.

Because tokens are often long-lived and poorly monitored, adversaries maintained persistence for weeks without triggering login alerts. For many CISOs, this was a wake-up call: Zero Trust must extend beyond logins to include continuous validation of tokens and session integrity.

4. Supply-chain compromises stay quiet

While SolarWinds and MOVEit grabbed headlines in previous years, Q3 showed that supply-chain compromises don’t always announce themselves.

Researchers documented campaigns in which malicious code was slipped into NPM and PyPI packages, later pulled into CI/CD pipelines by unsuspecting dev teams. In several cases, the payloads lay dormant for weeks, harvesting credentials quietly before activating.

The lesson: developer ecosystems remain a weak link, and software composition analysis and artifact validation should be core security controls, not optional add-ons.

5. Nation-state persistence in critical infrastructure

Multiple intelligence advisories warned that state-backed actors (notably linked to China and Russia) are embedding in Western utilities and telecom environments with a long-term goal: pre-positioning for disruption.

These intrusions were less about immediate impact and more about laying the groundwork for future crises, echoing campaigns like Volt Typhoon.

For critical infrastructure operators, resilience must assume adversaries are already inside — the focus shifts to detection, segmentation, and rapid failover to manual or redundant systems.

Key lessons for defenders

Across Q3 2025, four resilience themes stood out:

  • Assume breach – Tokens, supply chains, and trusted tools can all be compromised. Monitoring has to extend beyond the login screen.
  • Layer validation – For critical decisions, single-channel verification (a call, a video, an email) is no longer enough.
  • Accelerate detection – Many incidents went unnoticed for weeks. Faster anomaly detection and log correlation are essential.
  • Coordinate early – Engagement with regulators, law enforcement, and industry peers reduced downtime for those who shared intelligence quickly.

Final word

Q3 2025 demonstrated how blurred the lines have become between cybercrime and statecraft. Criminal groups are stealing playbooks from intelligence services, and governments are not above leveraging ransomware-derived data.

For security leaders, the mandate is clear: build resilience on the assumption that your defenses will be pierced, your identities abused, and your supply chains tested. What matters is how quickly you detect, contain, and continue delivering critical services.