Death, torture, and amputation: How cybercrime shook the world in 2025

December 28, 2025 TH Author

The knock-on, and often unintentional, impacts of a cyberattack are so rarely discussed. As an industry, the focus is almost always placed on the economic damage: the ransom payment; the cost of business downtime; and goodness, don’t forget those poor shareholders.

But, in recent years, the toll on human life has become increasingly apparent.

We know the poor sods working in the security operations center give up their weekends every time a phish slips through the net, and we know how hard corporate spin doctors have to work on controlling post-attack narratives. However, there is a sense that the real harms affecting real people, most of whom don’t realize how their lives could change because of a cybercriminal’s thirst for chaos, or cash, are increasingly central to the telling of a modern cybercrime story.

Attacks over the past year were not the first to affect human life, but the sheer volume of them makes 2025 worth a revisit, starting with the most tragic of all.

Synnovis: The first confirmed ransomware-related death

Yes, Qilin’s ransomware attack on Synnovis, a pathology services provider to major London hospitals, took place in 2024. And yes, The Register exclusively reported on the devastating human cost of the attack at the time, too.

But, earlier this year, King’s College Hospital NHS Trust – one of the hospitals affected by the blood shortages – confirmed that a patient died during the period of service disruption caused by the cyberattack.

It is still believed to be the first confirmed case of a ransomware-related death.

Others have been discussed in previous years, including a 2020 attack on a Düsseldorf hospital, and claims from the University of Minnesota’s School of Public Health, which estimated between 42 and 67 US Medicare patients may have died as a result of ransomware.

The attack on Synnovis, however, is the only confirmed direct link between cybercrime and death, which is why it makes this list. Despite occurring in 2024, the link was officially established this year, so it makes the cut.

Kido International: Pre-schoolers’ personal data weaponized

In recent years, we’ve seen ransomware crooks leak cancer patients’ medical imagery, and hit institutions from charities to children’s hospitals, but this year’s attack on Kido International reached lows never seen before.

Radiant Group posted the images of 10 schoolchildren online, complete with their home addresses, parents’ names, and guardians’ contact details.

In verifying the leaked data was genuine, The Register spoke to some of the affected children’s parents, all of whom told of their fury over the attack and what the criminals did with the data.

Dray Agha, senior manager of security operations at Huntress, told us at the time: “This represents a reprehensible erosion of any remaining boundaries in the cybercriminal ecosystem. By weaponizing the personal data of infants and toddlers, this group has sunk to a depth that even other threat actors may condemn.”

He went on to say that the decision to publish the children’s images and data was counterproductive; from a PR perspective, the way Radiant handled the disclosure would prevent victims from productively engaging with it.

Even for a ransomware gang, this was bad… so bad that rival operation Nova publicly shamed Radiant on the Russian cybercrime forum RAMP, peer pressuring it to remove the data.

JLR: A landmark loan and a workforce living in fear

The massively disruptive attack on Jaguar Land Rover is one of the worst to ever hit the UK, from an economic perspective.

The cost of its five-week shutdown, the associated recovery, and the missed payments to its huge supply chain, was pegged at more than £2 billion ($2.68 billion). It led to the UK government stepping in with a novel financial support package, and dented the UK’s GDP growth at the back end of the year.

Companies across JLR’s supply chain were affected too, as its factories were in no position to order parts due to the production shutdown. Reliant on their contracts with the major automaker, the Unite workers’ union said it was aware of layoffs across JLR’s suppliers, which were struggling to stay afloat while the company restored its systems.

JLR itself made no redundancies throughout the ordeal, although its workers, most of whom were told to stay at home throughout the cleanup, and their families, lived in fear for their livelihoods.

The wife of one worker at JLR’s Halewood facility said she feared the family not being able to afford food or presents at Christmas, while the parents of a young staffer in Solihull were concerned for their son’s ability to afford rent after recently moving into his own property.

Amputations for compensation: Violence and cybercrime coalesce

As cryptocurrency valuations grow ever loftier, so too do the ambitions of cybercriminals who will seemingly stop at very little to get their hands on it.

Security shop and infamous Falcon update fudger CrowdStrike said last month that it observed a “dramatic” increase in violence as a service activity across Europe.

Its report zeroed in on violent cryptocurrency thefts, which according to data it cited, have increased compared to 2024.

Violence as a service, as a genre of cybercrime, is not unique to 2025, nor is it solely tied to crypto thefts, although that specific intersection is the most common.

Avid Reg readers may remember our coverage of a high-profile case in the US from 2024 involving Remy Ra St Felix, head thug behind a spate of violent home invasions targeting crypto-wealthy Americans.

However, the upward trend of violent cybercrime has bled into 2025 and racked up a torrent of cases, ranging from extortion to full-on amputations.

Regarding the latter, arguably the most infamous example came in January when Ledger co-founder David Balland and his wife, Amandine, were kidnapped by a 10-strong gang who then demanded a ransom (no -ware) from other Ledger execs.

Jameson Lopp, co-founder of crypto security biz Casa, publicly tracks violent crypto thefts, recording 67 for 2025 in total.

A warning to readers: You can peruse the stories Lopp tracks via his GitHub page, but some of the details are really not for the faint of heart.

Elsewhere, security researchers report ransomware crews are upping the ante with their attacks, increasingly resorting to threats of physical violence during the negotiation period.

A Semperis study from July found that around 40 percent of ransomware victims had received such threats, which Jeff Wichman, Semperis’ director of breach preparedness and response, said would likely increase over the coming year.

“The threats of physical harm are pretty scary,” he told The Register. “I am afraid of what’s next.”

“It was threats against their family members: what their [internet] surfing traffic was, what they did at home,” Wichman said. “The attackers know where the executives live, they know where their families are, they know where their kids go to school.”

Most recently, Europol announced as part of its Operational Taskforce GRIMM that ot arrested 193 suspects linked to crimes related to contract killings, intimidation, and torture. These typically involved grooming or coercing kids and teens to carry out the acts for cash.

Virtual kidnappings: An AI-powered evolution

The FBI recently warned about how emergency scams are evolving, with criminals now leveraging advanced deepfake technology to carry out virtual kidnappings.

Lowlifes take images from social media, run them through AI programs to depict the subject as if they are in danger, and send them to family members in the hope of receiving a ransom payment.

This is the typical model, although the feds warned that some criminals are even seeking out real missing person information posted online, and using that to craft their insidious campaigns.

While the FBI did not respond to our questions about the total number of cases it has observed in the past year, according to its figures, hundreds of emergency scams [PDF] were reported last year, in total costing victims around $2.7 million.

The proof-of-life images these criminals send to families can seem highly convincing at first glance, especially to those already in distress, but close inspection of these AI-doctored materials often reveals inaccuracies.

They will be told not to by the scammers, but victims should contact their local police forces if they receive these kinds of images. They have trained professionals equipped to handle these situations, who can discern a real from a fake.

Families should also avoid sharing information with strangers while travelling, the FBI said, and set a code word so that if any friend or loved one is genuinely kidnapped, they can reliably provide proof-of-life.

Code red: Emergency alert systems downed

Death, torture, and amputations aside, when we think about cyberattacks, among the more concerning potential consequences is the impact they can have on critical infrastructure, such as emergency services.

Luckily, such events are rare. UK telcos BT and Three suffered an outage in July caused by a software issue, which prevented customers from calling emergency services, but cyberattacks almost never impact these services.

However, last month’s attack on Crisis24, which provides the CodeRED emergency alert system to various US municipalities, resulted in citizens’ data being stolen and access to the alerts app temporarily revoked.

The OnSolve CodeRED platform provides users with rapid alerts for emergencies such as weather warnings, terror threats, and more. Authorities in the affected areas resorted to sharing the same notifications via their social media pages while they waited for CodeRED to come back online.

No crises took place during the period of downtime, fortunately, although the attack demonstrates how a ransomware gang could have unintentionally caused intense chaos across various communities. ®