SparTech Software

Many high-profile cybercriminals have been arrested and convicted, but several notorious figures remain fugitives, wanted by law enforcement agencies worldwide. Here are ten cybercriminals currently on the run, according to the latest FBI “Most Wanted” lists and other credible sources:

A critical security flaw, dubbed “EchoLeak” (CVE-2025-32711), was discovered in Microsoft 365 Copilot, the AI assistant integrated into Office apps like Word, Excel, Outlook, and Teams. This vulnerability allowed attackers to exfiltrate sensitive organizational data through a “zero-click” attack—meaning the victim did not need to interact with any malicious content for the exploit to succeed.

On June 5, 2025, GreyNoise observed a significant and coordinated surge in brute-force and login attempts targeting Apache Tomcat Manager interfaces exposed to the internet. This activity marked a sharp deviation from typical background noise, with two GreyNoise tags—Tomcat Manager Brute Force Attempt and Tomcat Manager Login Attempt—registering volumes well above their usual baselines.

United Natural Foods Inc. (UNFI), the primary distributor for Whole Foods and a major supplier to over 30,000 retailers across North America, experienced a significant cybersecurity incident beginning on June 5, 2025. The attack led to widespread disruptions in its operations, particularly affecting its ability to fulfill and distribute customer orders, including those to Whole Foods.

Bitsight, a cybersecurity ratings company, has issued a stark warning after its TRACE research team discovered over 40,000 internet-connected security cameras streaming live footage openly on the internet, with no passwords or meaningful security protections in place. These cameras, intended for use in homes, businesses, factories, hospitals, and even public transportation, are inadvertently providing public access to sensitive locations and information.

Microsoft’s June 2025 Patch Tuesday addressed a total of 66–67 vulnerabilities across its product suite, including Windows, Microsoft Office, and related components. The update is notable for patching a critical zero-day vulnerability in the Web Distributed Authoring and Versioning (WEBDAV) protocol that was actively exploited in the wild.

On Wednesday, INTERPOL announced the successful dismantling of more than 20,000 malicious IP addresses and domains linked to 69 different information-stealing malware variants. This operation, codenamed Operation Secure, was conducted between January and April 2025 and involved law enforcement agencies from 26 countries across the Asia-Pacific region.

FIN6 (aka Camouflage Tempest, Gold Franklin, or Skeleton Spider) is a financially motivated cybercrime group active since 2012, initially targeting point-of-sale systems to steal payment card data. Recently, they’ve adopted a novel attack vector using AWS-hosted fake resumes on LinkedIn to deliver More_eggs malware, specifically targeting corporate recruiters.

The database consisted of numerous collections, ranging from half a million to over 800 million records gathered from various sources. One research team believes the dataset was meticulously compiled and maintained to build comprehensive behavioral, economic, and social profiles of nearly any Chinese citizen. The exposed instance was quickly taken down, preventing the team from disclosing the identity of the database’s owners.