A Measured Victory in France’s Cyber War

The numbers tell a story of cautious optimism. According to the French National Cybersecurity Agency (ANSSI), 2025 saw 128 reported ransomware attacks on French organizations. That’s a noticeable dip from the 141 incidents recorded the previous year.

This decline isn’t accidental. Vincent Strubel, ANSSI’s director general, and his team point directly to the impact of coordinated law enforcement actions and more effective defensive measures. It’s a sign that sustained pressure on cybercriminal networks can yield tangible results.

Who Was Hit and What Was Used?

While the overall trend is positive, the threat landscape remains complex and dangerous. Small and medium-sized businesses (SMBs) continued to bear the brunt of these attacks, representing the most frequent targets. However, the most significant year-over-year increases in targeting were seen in the healthcare and education sectors.

This shift suggests attackers are adapting their focus to where they perceive maximum pressure can be applied or where data is most sensitive. The tools of the trade also evolved. The Qilin ransomware strain was the most observed in 2025, accounting for 21% of incidents, followed by Akira (9%) and LockBit 3.0 (5%).

ANSSI also noted the emergence of over a dozen new strains, including Nova, Warlock, and Sinobi, appearing in at least one incident each. The criminal toolkit is never static.

The Impact of Global Law Enforcement

Why the drop? ANSSI’s analysis credits successful preventive work by cyber defenders and, crucially, large-scale international police operations. One operation stands out: Operation Endgame.

This coordinated action, involving multiple countries, is cited as having disrupted a significant portion of the ransomware infrastructure. More than just taking down servers, such operations sow distrust within the criminal ecosystem itself. When criminals can’t rely on their tools or their partners, their operations become riskier and less efficient.

A Broader Look at the Cyber Threat Landscape

Ransomware is just one piece of the puzzle. ANSSI’s annual report provides a wider lens on the cyber threats facing France. In 2025, the agency handled 3,586 cyber alerts requiring its support—an 18% decrease from 2024.

It’s important to contextualize that drop. 2024 was the year of the Paris Olympic and Paralympic Games, a period that naturally saw a heightened state of alert and a spike in reported signals. Of those thousands of alerts, ANSSI confirmed 1,366 as genuine cyber incidents involving a malicious actor, a number virtually identical to the 1,361 confirmed in 2024.

Two other trends stood out. The agency reported a significant increase in incidents related to data exfiltration claims. Yet they offer a critical warning: treat such claims with skepticism. Out of 460 events flagged as potential data leaks in 2025, only 42% were linked to actual, new compromises. The rest were false claims or the ‘recycling’ of old stolen data—a common intimidation tactic.

On a brighter note, ANSSI observed a substantial decrease in distributed denial-of-service (DDoS) attacks targeting French entities in 2025.

The Blurring Lines of Cyber Conflict

Perhaps the most concerning long-term trend identified in the report is the growing ‘fog’ of cyber operations. The lines between nation-state actors and cybercriminals are becoming deliberately blurred.

Groups from both spheres are increasingly sharing capabilities, tools, and techniques. They adopt each other’s practices, creating a murky environment where attribution—figuring out exactly who is behind an attack—becomes immensely difficult. This ‘division of labor’ among specialized actors makes attacks more sophisticated and resilient.

Strubel pointed to the series of cyber-attacks against Polish electrical infrastructure at the end of 2025 as a stark warning. It “raises the specter of the feared scenario for which France is preparing,” he stated. The scenario? By 2030, France could face a massive increase in hybrid attacks where cyber operations have concrete, potentially destructive effects on critical national infrastructure.

His final message, however, was one of resolve. “Yes, France has the means to counter, deter, or at least significantly complicate the work of attackers.” The 2025 ransomware dip is a battle won, but the cyber war is a long-term campaign.

Infosecurity Europe 2026 Keynote Speakers: Cybersecurity Leaders, Elite Athletes & Special Forces

The stage is set for a landmark event. Infosecurity Europe has revealed its keynote speaker lineup for the 2026 conference, scheduled for 2–4 June at London’s ExCeL. This isn’t your typical tech gathering. The program deliberately bridges worlds, pulling insights from the front lines of cybersecurity, elite military units, world-class sport, and global intelligence. The goal is clear: to equip security professionals with a broader, more resilient mindset for an increasingly complex threat landscape.

Tuesday’s Powerhouse: Innovation and Criminal Insights

Day one promises a formidable one-two punch. Shlomo Kramer, a genuine architect of the modern cybersecurity industry, takes the stage. As the founder and investor behind giants like Check Point and Palo Alto Networks, his perspective is invaluable. He won’t just rehash old news. Kramer will dissect the technology trends, investment flows, and innovation cycles that will define the next chapter of digital defense. Attendees can expect a forward-looking analysis that separates hype from genuine evolution.

Sharing the spotlight is Cynthia Kaiser, who brings a rare view from the other side of the firewall. As the former Deputy Assistant Director of the FBI’s Cyber Division, she hunted cybercriminals. Now leading ransomware research at Halcyon, she understands their business model. Her keynote will pull back the curtain on the cybercriminal economy. How do threat actors operate? What can intelligence from the dark web tell us about the next ransomware campaign? Kaiser’s session is a masterclass in proactive threat anticipation.

Celebrating a Decade of Women in Cybersecurity

Wednesday afternoon marks a special anniversary: the 10th edition of the Women in Cybersecurity event. It opens with a keynote from an unexpected but profoundly relevant voice: Maggie Alphonsi, an England Rugby World Cup winner. What can scrums and try lines teach us about security operations centers? Alphonsi will translate the lessons of elite sport—leadership under pressure, building high-performance cultures, cultivating mental resilience—into a language cybersecurity teams can use. It’s about developing a winning mindset when the stakes are data breaches, not points on a scoreboard.

Cynthia Kaiser returns to contribute to a panel discussion, adding her expertise on leadership and the evolving role of women across the security industry. This session is more than a celebration; it’s a strategic conversation about shaping the future of the profession.

Thursday’s Headliner: Special Forces Resilience

How do you make critical decisions when fatigue sets in and the situation is chaotic? For the final keynote, the conference turns to Jason Fox, a former Special Boat Service (SBS) Sergeant and star of SAS: Who Dares Wins. His talk isn’t about combat; it’s about psychology and process. Fox will break down the principles that allow elite military teams to function under extreme pressure. How can these models be applied to cyber incident response, team trust, and maintaining strategic focus during a major breach? Security leaders will leave with practical mental frameworks, not just war stories.

Deep Technical Sessions: AI Clouds and Quantum Countdowns

Beyond the keynotes, a series of focused sessions will tackle the granular technical challenges. On Tuesday, Ron Leizrowice, an AI Researcher at Wiz, will present “The Infosec Big Fat Cloud Update of the Year.” The session cuts through the noise around AI, examining how its rapid adoption is actively reshaping—and often expanding—the cloud attack surface. He’ll offer concrete techniques for securing automated workflows and identities in this new environment.

On Wednesday, security veteran Rik Ferguson of Forescout tackles a threat that feels distant but requires immediate action. His session, “Quantum is still far off, we can wait – can’t we?” is a wake-up call. Ferguson will detail why postponing post-quantum cryptography preparation is a dangerous gamble, highlighting risks in today’s “crypto-fragile” components and outlining a practical roadmap for mitigation.

Registration for Infosecurity Europe 2026 is now open. Entry is free until 5 May, after which a £49 fee grants access to the entire exhibition and all theatre sessions. This lineup suggests that ticket will be a sound investment for any professional serious about the future of security.

Global Law Enforcement Shuts Down Major Data Marketplace

A sprawling online bazaar for stolen personal information has been erased from the web. In a coordinated international strike, law enforcement agencies led by Europol seized the domains of LeakBase, one of the world’s largest public forums for trading hacked data.

The site operated openly on the surface web, not the dark web, acting as a bustling marketplace. Its primary commodity was ‘stealer logs’—vast archives of usernames, passwords, and other credentials siphoned from victims’ computers by infostealer malware.

By the time of its takedown, the forum had grown to a massive community. Europol’s investigation revealed over 142,000 registered users, who had exchanged more than 215,000 private messages. The platform facilitated thousands of illegal transactions.

Operation Leak: Arrests, Searches, and a Clear Message

The action, codenamed ‘Operation Leak,’ culminated on March 3. Police across eight countries—including the US, UK, Australia, and several European nations—executed arrests, conducted house searches, and held interviews with suspects.

Authorities specifically targeted the platform’s most active members. Europol confirmed that 37 high-profile users were in their crosshairs, with dozens more under investigation. A day later, the final blow landed: the seizure of LeakBase’s domains.

Visitors to the site now find a law enforcement banner in its place. Crucially, investigators also captured the forum’s entire customer database, a treasure trove of evidence for identifying users who believed they were anonymous.

“This operation shows that no corner of the internet is beyond the reach of international law enforcement,” stated Edvardas Šileris, head of Europol’s European Cybercrime Centre. “What began as a shadowy forum for stolen data has now been dismantled.”

The message to cybercriminals was unequivocal. Trafficking in stolen information will lead to consequences. The anonymity of these platforms is an illusion.

The Endless Game of Whack-a-Mole

The takedown of LeakBase is the latest chapter in an ongoing battle against data trading forums. Its predecessors, like RaidForums and BreachForums, met similar fates in recent years.

Yet the problem persists, driven by an explosion in infostealer malware. One report indicated a staggering 800% increase in stolen credentials in the first half of 2025 compared to the previous six months, totaling 1.8 billion records.

This creates a ‘whack-a-mole’ dynamic. As soon as one forum is shuttered, another often pops up. The FBI and French police, for instance, had to shutter a new BreachForums domain again in 2025, just a year after its initial takedown.

The fight is expanding on multiple fronts. In a related move, a separate operation involving Microsoft and Europol recently disrupted ‘Tycoon2FA,’ a phishing-as-a-service site that helped criminals bypass multi-factor authentication (MFA) protections.

While each victory is significant, the sheer volume of stolen data and the profitability of the trade ensure that law enforcement’s work is never done. Operations like this one, however, prove that the moles can be hit hard.