Breach Roundup: Cyber Insurance Market Set to Double by 2030 (2025)

Cyber Insurance, Cybercrime

Also, a 'Perfect Tool' for Cyberespionage and EU Stocks Up on Burner Phones

Anviksha More (AnvikshaMore) • April 17, 2025

Every week, Information Security Media Group rounds up cybersecurity incidents and breaches around the world. This week, a prediction that the cyber insurance market will double by 2030, Europe issued burner devices for staff visiting the United States, a BPFDoor backdoor campaign and Spain sought prison for José Luis Huertas, alias "Alcasec." A harassment campaign was traced to the Thai military, Taiwan charged a Chinese captain with cable sabotage and Sweden said China stonewalled its investigation into a cable-cutting incident in the Baltic Sea. Also, the 4Chan image board is offline following a hacking incident.


Cyber Insurance Market Set to Double by 2030

Reinsurer giant Munich Re projected the global cyber insurance market will reach $16.3 billion in gross premiums by 2025, up from $15.3 billion in 2024. Despite recent growth slowdowns, the market is expected to double by 2030, maintaining an average annual growth rate exceeding 10%.

North America accounted for approximately 69% of global premiums in 2024, with Europe at 21%. Large companies often purchase cyber insurance but small and medium-sized businesses frequently remain uninsured, whether due to steep premiums or limited awareness.

Munich Re estimated the modeled accumulation potential for the global industry, at a return period of up to 200 years, at between $20 billion and $46 billion. Global cybercrime costs could range from $1 trillion to $9.5 trillion by 2024; exact figures are difficult to come by, which led Munich Re to call its projection a "guesstimate."

EU Issues Burner Devices for Staff Visiting US Amid Espionage Fears

The European Commission has begun issuing burner phones and laptops to staff visiting the United States for official business to protect against potential espionage, reported the Financial Times, a precaution previously reserved for trips to high-risk countries such as China and Russia.

European officials are set to attend the spring meetings of the World Bank and IMF in Washington, where the new guidelines will apply. Sources indicate that the EU is taking steps to prevent unauthorized access to its systems, reflecting deteriorating relations with the U.S. in recent months.

Tensions escalated following U.S. President Donald Trump's aggressive foreign policies, including trade tariffs, threats against European territories and controversial political stances.

Issuing burner phones for diplomats isn't a surprising development, Luuk van Middelaar, director of the Brussels Institute for Geopolitics, told the FT. "Washington is not Beijing or Moscow, but it is an adversary that is prone to use extra-legal methods to further its interests and power," he said.

BPFDoor Controller Powers Global Espionage Campaign

Cyberespionage actors are using a new controller for the BPFDoor backdoor in a wave of attacks targeting high-value networks in Asia and the Middle East. The previously undocumented controller, tied to the intrusions, is being used against critical sectors in South Korea, Hong Kong, Myanmar, Malaysia and Egypt, said Trend Micro.

The firm attributed the activity to Red Menshen, also known as Earth Bluecrow, a Chinese state-sponsored advanced persistent threat group with a history of targeting Linux systems for long-term espionage.

The addition of a custom controller suggests the threat actor is scaling its operations, using a stealthier and more adaptable toolkit for lateral movement and remote access, Trend Micro said. The newly discovered controller grants threat actors several capabilities, including opening encrypted reverse shells, redirecting connections and confirming backdoor activity, all while using TCP, UDP, or ICMP protocols.

Trend Micro's telemetry shows that Earth Bluecrow has zeroed in on the telecommunications, finance and retail sectors. In each case, attackers deployed BPFDoor on Linux servers, often disguising it under paths such as /tmp/zabbix_agent.log or /bin/vmtoolsdsrv. From there, the malware spreads laterally using the custom controller to reach additional hosts within the network.

BPFDoor is "a perfect tool for long-term espionage," Trend Micro said. Once embedded, BPFDoor provides full remote access without ever listening on a port, allowing attackers to persist without detection.
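As an added, defender-side example that is not part of the article or of Trend Micro's reporting: BPFDoor needs no listening port because it receives its wake-up traffic through a raw AF_PACKET socket with a BPF filter attached, and such sockets do show up in /proc/net/packet even though `ss -lnt` shows nothing. The script below parses that file (a constructed sample is embedded for offline testing), maps raw packet sockets back to the PIDs holding them, and checks for the drop paths the article names; the sample rows are made up, and a complete view of /proc requires root.

```python
import os

# Drop paths named in the Trend Micro reporting quoted by the article.
KNOWN_PATHS = ("/tmp/zabbix_agent.log", "/bin/vmtoolsdsrv")
SOCK_RAW = 3  # value of the "Type" column for raw packet sockets

# Constructed sample in /proc/net/packet layout (not data from a real host): one
# SOCK_RAW socket on EtherType 0800 (IPv4), as BPFDoor opens, and one SOCK_DGRAM one.
SAMPLE_PROC_NET_PACKET = """\
sk               RefCnt Type Proto  Iface R Rmem   User   Inode
ffff9d2a3c4e5f00 3      3    0800   2     1 0      0      24117
ffff9d2a3c4e6000 3      2    0003   2     1 0      0      24230
"""

def parse_proc_net_packet(text):
    """Parse the text of /proc/net/packet into a list of socket records."""
    rows = []
    for line in text.strip().splitlines()[1:]:  # first line is the column header
        parts = line.split()
        if len(parts) >= 9:
            rows.append({"type": int(parts[2]), "proto": int(parts[3], 16), "inode": int(parts[8])})
    return rows

def raw_socket_inodes(rows):
    """Inodes of SOCK_RAW packet sockets: the kind BPFDoor attaches its filter to."""
    return {r["inode"] for r in rows if r["type"] == SOCK_RAW}

def pids_for_inodes(inodes, proc="/proc"):
    """Map socket inodes to the PIDs holding them by reading /proc/<pid>/fd links."""
    owners = {}
    for pid in (p for p in os.listdir(proc) if p.isdigit()):
        fd_dir = os.path.join(proc, pid, "fd")
        try:
            links = [os.readlink(os.path.join(fd_dir, fd)) for fd in os.listdir(fd_dir)]
        except OSError:
            continue  # process exited, or we lack permission (run as root)
        for target in links:
            if target.startswith("socket:[") and int(target[8:-1]) in inodes:
                owners.setdefault(int(pid), []).append(target)
    return owners

def present_known_paths(paths=KNOWN_PATHS):
    """Return which of the reported drop paths exist on this host."""
    return [p for p in paths if os.path.exists(p)]

if __name__ == "__main__":
    live = parse_proc_net_packet(open("/proc/net/packet").read())
    for pid in pids_for_inodes(raw_socket_inodes(live)):
        print(f"PID {pid} holds a raw packet socket: confirm it is a legitimate sniffer")
    for path in present_known_paths():
        print(f"known BPFDoor drop path present: {path}")
```

Legitimate tools such as tcpdump or a DHCP client also hold packet sockets, so a hit is a lead to triage (binary path, parent process, deleted-file mappings), not a verdict by itself.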

Spain Seeks Jail for Hacker Who Sold Data of 571,000 Citizens

Spain's National Court Prosecutor is seeking a three-year prison sentence for José Luis Huertas, alias "Alcasec," for hacking the General Council of the Judiciary's website and selling sensitive banking data of over 571,000 citizens. The attack, which used stolen police credentials and a fake CGPJ login portal, reportedly earned Huertas millions through cryptocurrency transactions on his site, uSms (see: Spanish Police Arrest 'Dangerous' Teenage Hacker).

The Prosecutor's Office considers Alcasec's late confession a mitigating factor and has already confiscated 863,000 euros. Co-defendant Daniel Baíllo faces four years and four months in prison for aiding the scheme and creating the spoofed domain, while a third suspect, Juan Carlos O., allegedly bought over 1.2 million records and faces three years and four months.

The breach began in 2021 when Alcasec used a stolen police certificate to access state systems and infiltrate the CGPJ through a compromised court account. He and Baíllo harvested login data through a fake website and conducted nearly half a million unauthorized requests to Spain's Tax Agency.

Thai Military Tied to Online Harassment

Thailand's military and police are behind a years-long doxxing and harassment campaign targeting pro-democracy activists on social media, reports the University of Toronto's Citizen Lab. The digital forensics group traced the campaign - dubbed "Juicyjam" - to the Royal Thai Armed Forces and Royal Thai Police, citing recently leaked internal documents.

The operation, active since at least 2020, used fake personas on X and Facebook to harass dissidents, share sensitive personal data such as ID photos and family business details and encourage followers to report them to authorities. The scale and type of private data posted pointed to state-level access, Citizen Lab said.

Amnesty International also called for an investigation into the same leaked documents last week, warning of a state-backed cybercampaign involving phishing, disinformation and social media manipulation aimed at silencing critics.

Citizen Lab said Juicyjam has achieved unusually high engagement, making it a rare example of an effective state-sponsored influence operation. The campaign reinforces broader state efforts to suppress dissent through legal and online means.

The report also linked Juicyjam tactics to the recent arrest of American academic Paul Chambers, accused of violating Thailand's strict Computer Crimes Act over a webinar description allegedly critical of the monarchy.

Taiwan Charges Chinese Ship Captain Over Damaged Undersea Cable

Taiwan charged the Chinese captain of a Togo-flagged cargo ship, Hong Tai 58, with damaging a key undersea cable linking the island to the Penghu Islands, reported Reuters. It marks the first formal charge following nearly a dozen similar incidents in recent years.

The Taiwanese coast guard seized the vessel in February after it allegedly dragged its anchor, severing the cable. At the time, officials warned the incident could be part of a broader Chinese sabotage effort amid growing fears of Beijing's "hybrid warfare" tactics.

Taiwan prosecutors announced the captain, identified only by his surname "Wang," would plead not guilty but showed a "bad attitude" and refused to reveal the ship's ownership. The seven other Chinese crew members will be returned to China without charges.

The case has drawn comparisons to recent Baltic Sea cable disruptions. Taiwan, which has governed itself since 1949 despite sovereignty claims by Beijing, remains on high alert due to frequent Chinese military drills and cyberattacks.

Sweden Cites Chinese Obstruction in Baltic Cable Break Probe

Sweden's Accident Investigation Authority said it cannot confirm whether a subsea cable break in the Baltic Sea last year was accidental or sabotage, citing limited access to key evidence aboard the Chinese vessel involved.

The Chinese bulk carrier Yi Peng 3 damaged the C-Lion 1 cable on Nov. 18, 2024. Though China allowed Swedish and other investigators aboard, it blocked normal procedures, denying access to surveillance footage and the ship's Voyage Data Recorder and limiting crew interviews, which were conducted under official Chinese oversight.

The report outlined two scenarios: deliberate anchor deployment to damage seabed infrastructure, or an unsecured anchor dragging unintentionally. But due to Chinese-imposed restrictions, neither theory could be ruled out. The Swedish authority said that dragging the anchor for 1.5 days without detection casts doubt on the accidental explanation.

4Chan Hacked

Infamous image board 4Chan went offline on April 14 after a breach, with intermittent access and Cloudflare errors continuing throughout the day. As of publication, 4Chan's website remains inaccessible, with users on social media reporting intermittent outages lasting several hours.

Members of rival image board Soyjak.party, also known as "The Party," claimed responsibility, dubbing the attack "Operation Soyclipse."

A user named "Chud" posted on Soyjak.party that a hacker had been inside 4Chan's systems for over a year before executing the operation. The attack allegedly exposed personal data of 4Chan's staff - including emails of admins, moderators and janitors - and reopened the long-closed Question & Answer board. Screenshots shared by the attackers showed access to 4Chan's internal admin tools, which can reveal user IPs, manage databases and control board infrastructure, reported Wired.

The attackers said the breach may have exploited a severely outdated PHP version from 2016 still used by 4Chan. Later in the day, 4Chan's PHP source code appeared on Kiwi Farms, another controversial forum.

4Chan admins reportedly shut down all servers in response, though some sources claim the systems were fully compromised. Founded in 2003 by Christopher "moot" Poole, 4Chan has long been a hub for controversial and often illegal content.

Other Stories From Last Week

  • The Unbearable Drama of a PCI DSS Standard Rollout
  • UK Fines Law Firm 60,000 Pounds for Ransomware Data Breach
  • Chinese Hackers Deploy Stealthy Fileless VShell RAT
  • European Companies Infected With New Chinese-Nexus Backdoor
  • Faulty Nvidia Bug Patch Puts AI Containers at Risk

With reporting from Information Security Media Group's Prajeet Nair in Bengaluru, India.
