AIAIToolHub

The 10 Biggest Cyberattacks of 2025-2026 (And What They Mean for You)

1. The Change Healthcare attack compromised 100M+ patient records and cost $2.5B+ — the most expensive ransomware incident in history, disrupting pharmacies and hospitals nationwide
2. China's Salt Typhoon infiltrated nine major US telecoms including AT&T and Verizon, accessing call metadata and content for millions of Americans including government officials
3. Supply chain attacks like MOVEit, XZ Utils, and Snowflake breaches show that your security depends on every vendor in your chain — not just your own defenses
4. AI-powered phishing has increased 1,265% since 2024, with contextually aware, linguistically flawless attacks that are 3-5x more effective than traditional phishing
5. Essential personal defenses: hardware MFA keys, unique passwords via password manager, VPN encryption, credit freezes, and the assumption that your data has already been breached

The past two years have produced the most devastating wave of cyberattacks in history. State-sponsored hackers, ransomware gangs, and AI-powered threat actors have hit hospitals, banks, government agencies, and companies that touch every aspect of daily life. These aren't abstract security incidents — they affect your health records, your bank account, your ability to fill a prescription, and your personal data floating on dark web marketplaces. Here are the 10 biggest cyberattacks of 2025-2026, what happened, and what they mean for you.

1. Change Healthcare Ransomware Attack (February 2024 — Ongoing Impact)

The ALPHV/BlackCat ransomware group's attack on Change Healthcare may be the most consequential cyberattack ever to hit the US healthcare system. Change Healthcare processes approximately 15 billion healthcare transactions annually — roughly one-third of all US patient records flow through its systems. When the attack hit, pharmacies couldn't process prescriptions. Hospitals couldn't verify insurance. Doctors couldn't submit claims. The disruption lasted weeks and its financial aftershocks continued well into 2025.

UnitedHealth Group, Change Healthcare's parent company, paid a $22 million ransom — and then was extorted again when an ALPHV affiliate claimed the data hadn't been deleted. The total cost has exceeded $2.5 billion in direct damages, making it the most expensive ransomware incident in history. Personal health data for over 100 million Americans was compromised. If you have health insurance in the United States, your data was almost certainly affected.

2. Salt Typhoon Telecom Infiltration (2024-2025)

Chinese state-sponsored hackers from the group known as Salt Typhoon penetrated at least nine major US telecommunications providers, including AT&T, Verizon, and T-Mobile. The breach gave Chinese intelligence access to call metadata — who called whom, when, and for how long — for millions of Americans, including senior government officials and presidential campaign staff. In some cases, the hackers accessed actual call audio and text messages.

The scope of the breach was staggering. FBI Director Christopher Wray called it the "most significant cyber espionage campaign in history" targeting US telecommunications. The attackers exploited vulnerabilities in Cisco network equipment and maintained persistent access for over a year before detection. The breach exposed a fundamental vulnerability: the US communications infrastructure that every American depends on was compromised at the deepest level by a foreign adversary.

3. MOVEit Transfer Supply Chain Attack (2023 — Ripple Effects Through 2025)

The Cl0p ransomware gang exploited a zero-day vulnerability in MOVEit Transfer, a file transfer tool used by thousands of organizations worldwide. The attack compromised over 2,700 organizations and exposed data belonging to more than 93 million individuals. Victims included the BBC, British Airways, Shell, the US Department of Energy, and hundreds of universities, hospitals, and government agencies.

What made MOVEit uniquely dangerous was its supply chain nature. Organizations that had never heard of MOVEit were breached because a vendor or partner used it. The attack demonstrated that your security is only as strong as the weakest link in your supply chain — a lesson that corporate security teams are still absorbing two years later.

4. MGM Resorts & Caesars Entertainment (September 2023 — Lasting Impact)

The Scattered Spider hacking group — notably composed primarily of young, English-speaking hackers from the US and UK — brought Las Vegas to its knees. MGM Resorts' entire operation went dark: slot machines froze, digital room keys stopped working, the website crashed, and guests waited hours to check in using paper systems. The attack cost MGM an estimated $100 million. Caesars Entertainment was hit simultaneously and quietly paid a $15 million ransom to avoid similar disruption.

The initial access method was remarkably simple: a phone call. An attacker called MGM's IT help desk, impersonated an employee found on LinkedIn, and convinced the help desk to reset the employee's credentials. From that single social engineering call, the attackers escalated to domain administrator access within hours. It was a $100 million reminder that human beings remain the weakest link in any security architecture.

5. Bybit Cryptocurrency Exchange Hack (February 2025)

North Korea's Lazarus Group executed the largest cryptocurrency theft in history — approximately $1.5 billion stolen from the Bybit exchange by compromising its cold wallet infrastructure. The attackers gained access through a supply chain compromise of a third-party wallet management tool, then waited for a scheduled transfer to intercept and redirect funds. The stolen Ethereum was laundered through over 50 wallets within hours using AI-assisted obfuscation techniques.

The Bybit hack marked a new era in state-sponsored cryptocurrency theft: the scale, sophistication, and speed of the laundering operation showed that Lazarus Group has continued to evolve faster than the industry's defenses. Multiple blockchain analysis firms tracked the funds in real time but were unable to freeze them fast enough.

6. Volt Typhoon Critical Infrastructure Campaign (2023-2026)

Unlike traditional cyber espionage, China's Volt Typhoon campaign wasn't about stealing data — it was about pre-positioning for sabotage. The group embedded itself in US water treatment facilities, power grids, transportation systems, and communications networks across the country. They used "living off the land" techniques — leveraging legitimate system administration tools already present on target networks — making detection extraordinarily difficult.

The strategic implication is chilling: in the event of a US-China military confrontation over Taiwan, these pre-positioned accesses could be activated to disrupt American critical infrastructure, complicating military mobilization and creating domestic chaos. FBI Director Wray testified that Volt Typhoon represents "the defining threat of our generation" to US infrastructure security.

7. XZ Utils Backdoor (March 2024)

A sophisticated, multi-year social engineering operation nearly compromised the entire internet. An attacker using the pseudonym "Jia Tan" spent two years building trust as a contributor to XZ Utils, a compression library embedded in virtually every Linux system. The attacker gradually introduced a backdoor that would have given them remote access to any SSH server running on affected Linux distributions — potentially millions of servers worldwide.

The backdoor was discovered by accident when a Microsoft engineer noticed a 500-millisecond delay in SSH connections and investigated. If it had gone undetected for even a few more weeks, it would have been incorporated into stable releases of Debian, Ubuntu, Red Hat, and every major Linux distribution. Security researchers called it the most sophisticated supply chain attack ever attempted. The likely culprit: a state intelligence agency with the patience to invest years in a single operation.

8. Snowflake Customer Data Breaches (May-June 2024)

A single threat actor used stolen credentials to access Snowflake cloud data accounts belonging to at least 165 organizations, including Ticketmaster (560 million records), Santander Bank (30 million records), AT&T (110 million call records), and Advance Auto Parts. The attackers exploited accounts that lacked multi-factor authentication — a basic security measure that most of these organizations had failed to enforce on their cloud data warehouses.

The Snowflake campaign demonstrated the cascading risk of credential reuse and lax cloud security. Most of the compromised credentials came from previous data breaches, and the absence of MFA meant stolen passwords were sufficient for access. Total exposed records exceeded 900 million, making it one of the largest data exposure events in history.

9. NHS Synnovis Pathology Attack (June 2024)

Russian ransomware group Qilin attacked Synnovis, a pathology services provider for National Health Service hospitals in London. The attack forced cancellation of over 10,000 acute outpatient appointments and 1,700 elective procedures. Blood transfusion services were critically impacted — hospitals couldn't match blood types electronically and had to resort to universal donor blood, rapidly depleting reserves. Multiple patients experienced medically significant delays in cancer diagnoses.

The attackers published nearly 400 gigabytes of stolen data, including patient names, dates of birth, NHS numbers, and blood test results. The Synnovis attack represented a particularly vicious evolution of ransomware: deliberately targeting healthcare infrastructure where delayed service directly translates to human suffering and death.

10. AI-Powered Phishing Campaigns (2025-2026 — Ongoing)

The tenth entry isn't a single attack but a category that has fundamentally changed the threat landscape. Throughout 2025 and into 2026, cybersecurity firms have documented an explosion in AI-generated phishing emails, voice phishing (vishing) calls, and social engineering attacks. These are not the grammatically broken Nigerian prince emails of the past — they are contextually aware, personalized, and linguistically flawless communications generated by large language models.

IBM's X-Force reported a 1,265% increase in AI-generated phishing emails between Q1 2024 and Q1 2026. The emails reference real events, real colleagues, and real business context scraped from LinkedIn, company websites, and previous data breaches. Success rates for AI-crafted phishing emails are three to five times higher than traditional templates. The era of "just look for spelling errors" as a phishing defense is over.

Protect Your Digital Life: NordVPN

Eight of the ten attacks on this list could have been partially mitigated at the individual level with basic security measures. A VPN encrypts your connection, preventing man-in-the-middle attacks and traffic surveillance. Combined with unique passwords, hardware MFA tokens, and healthy suspicion of unsolicited messages, you can dramatically reduce your exposure to the attacks that define this era.


Patterns and Protection: What These Attacks Mean for You

Supply chain attacks are the new normal: You can have perfect security and still be breached through a vendor you've never heard of. Demand to know what third-party tools and services handle your data. Prefer providers that demonstrate strong security practices and conduct regular third-party audits.

Healthcare is the new prime target: Hospitals pay ransoms because lives are at stake. Your health data is worth 10-50x more than financial data on dark web marketplaces because it enables insurance fraud, prescription fraud, and identity theft that's extremely difficult to detect. Request copies of your medical records and monitor for unauthorized activity.

AI is accelerating both offense and defense: Attackers use AI to generate convincing phishing, automate vulnerability discovery, and evade detection. Defenders use AI to identify anomalous behavior, correlate threat intelligence, and respond faster. The net effect: attacks are more frequent, more sophisticated, and more personalized than ever before.

Your action items: Enable multi-factor authentication on every account (hardware keys, not SMS). Use a password manager with unique passwords for every service. Encrypt your internet traffic with a VPN. Freeze your credit with all three bureaus. Assume your data has already been breached and act accordingly — monitor your accounts, check HaveIBeenPwned.com regularly, and maintain offline backups of irreplaceable data.

Disclosure: Some links in this article are affiliate links. We may earn a commission at no extra cost to you. This helps us keep creating free, unbiased content.
