
20 Recent Cyber Attacks in India [2025]

Author: Jay Thakker
Updated on: July 31, 2025
Reading Time: 16 Min
Published: May 24, 2025

20 Major Cyber Attacks in India
In 2025, India has faced a significant surge in cyber attacks, highlighting the growing vulnerabilities in our digital infrastructure. These incidents range from large-scale data breaches to sophisticated malware campaigns, affecting various sectors including government, finance, and healthcare. The increasing frequency and complexity of these cyber attacks in India underscore the urgent need for enhanced cybersecurity measures and awareness. This compilation of 20 recent cyber incidents provides insight into the evolving threat landscape and the challenges faced in safeguarding our digital assets.

1. Massive Cyberattack Campaign Post-Operation Sindoor

Over 1.5 million cyberattacks targeted Indian websites following the Pahalgam terror strike. Seven Advanced Persistent Threat (APT) groups, primarily linked to Pakistan, Bangladesh, Indonesia, and the Middle East, were identified as perpetrators. Although only 150 attacks succeeded, they aimed at critical infrastructure, including government, banking, and healthcare sectors. 

  • Malicious Intent: Targeted retaliation against Indian assets after the Pahalgam attack. 
  • Unauthorized Access: Over 150 successful intrusions recorded. 
  • Digital Target: Government, BFSI, healthcare, and critical infrastructure. 
  • Exploitation of Vulnerabilities: Used known weaknesses in web servers and public-facing apps. 
  • Use of Recognized Attack Vectors: Phishing, DDoS, malware injections. 
  • Impact on the CIA Triad: Disrupted availability and attempted data breaches. 
  • Detection or Alerting: CERT-In flagged real-time indicators; alerts issued to critical sectors. 
  • Indicators of Compromise (IOCs): IPs, malware hashes, spoofed domains linked to APT groups. 
  • Lateral Movement or Privilege Escalation: Attempts seen in failed attacks; no major privilege escalation reported. 
  • Attribution to a Threat Actor: Linked to 7 Pakistan-backed APTs and regional hacktivist groups. 

2. "Dance of the Hillary" Malware Spread

A Pakistan-linked malware campaign named "Dance of the Hillary" was uncovered, disseminated via social media platforms. The malware posed significant risks to data security, prompting warnings from Indian intelligence agencies and the Punjab Police. 

  • Malicious Intent: Spread spyware to steal personal and sensitive data. 
  • Unauthorized Access: Gained access through compromised user devices. 
  • Digital Target: Civilians, officials, and personal devices in India. 
  • Exploitation of Vulnerabilities: Used weak app permissions and unpatched systems. 
  • Use of Recognized Attack Vectors: Shared via social media and phishing links. 
  • Impact on the CIA Triad: Breached confidentiality and data integrity. 
  • Detection or Alerting: Flagged by Punjab Police and central agencies. 
  • Indicators of Compromise (IOCs): Malicious URLs, trojan signatures, abnormal network behavior. 
  • Lateral Movement or Privilege Escalation: Limited movement; focused on data theft. 
  • Attribution to a Threat Actor: Linked to Pakistan-based groups using social engineering. 

3. Star Health Data Breach and Threats

Hacker "xenZen" leaked 7.24 terabytes of sensitive personal and medical data from Star Health, affecting over 31 million customers. The hacker also claimed to have sent death threats and bullets to company executives, citing dissatisfaction with denied medical claims. 

  • Malicious Intent: Data theft followed by extortion and personal threats to executives. 
  • Unauthorized Access: Gained access to internal systems, exfiltrating 7.24 TB of sensitive data. 
  • Digital Target: Star Health's customer databases, including personal and medical records. 
  • Exploitation of Vulnerabilities: Specific vulnerabilities exploited have not been publicly disclosed. 
  • Use of Recognized Attack Vectors: Data dissemination via Telegram chatbots and dedicated websites. 
  • Impact on the CIA Triad: Compromised confidentiality and integrity of customer data. 
  • Detection or Alerting: Initial detection occurred after data was publicly leaked; company initiated a forensic investigation. 
  • Indicators of Compromise (IOCs): Presence of unauthorized Telegram chatbots distributing customer data; specific IOCs not publicly detailed. 
  • Lateral Movement or Privilege Escalation: Details on lateral movement or privilege escalation have not been disclosed. 
  • Attribution to a Threat Actor: Attributed to a hacker known as "xenZen," who claimed responsibility for the breach and subsequent threats. 

4. BSE Cybersecurity Advisory

The Bombay Stock Exchange issued a cybersecurity advisory following warnings from CERT-In about ongoing cyber threats linked to Pakistan, targeting India's Banking, Financial Services, and Insurance (BFSI) sector. 

  • Malicious Intent: Potential disruption of India's financial systems through cyberattacks. 
  • Unauthorized Access: No confirmed breaches; advisory issued as a preventive measure. 
  • Digital Target: Banking, Financial Services, and Insurance (BFSI) sector entities. 
  • Exploitation of Vulnerabilities: Advisory highlights risks from ransomware, supply chain intrusions, DDoS attacks, website defacements, and malware. 
  • Use of Recognized Attack Vectors: Common cyberattack methods include ransomware and DDoS attacks. 
  • Impact on the CIA Triad: Potential threats to confidentiality, integrity, and availability of financial data and services. 
  • Detection or Alerting: CERT-In's alert prompted BSE to issue the advisory; no specific incidents reported. 
  • Indicators of Compromise (IOCs): Not specified in the advisory. 
  • Lateral Movement or Privilege Escalation: No such activities reported; focus remains on preventive measures. 
  • Attribution to a Threat Actor: Threats potentially linked to actors based in Pakistan, as indicated by CERT-In. 

5. Operation Sindoor: Cyber Fraud Gang Exposed in Bihar

A cyber fraud gang operating from Bihar, with links to Pakistan, was exposed. The gang used over 200 bank accounts, each utilized only once to avoid detection, indicating a sophisticated network. 

  • Malicious Intent: Engaged in large-scale financial fraud and potential cross-border cybercrime. 
  • Unauthorized Access: Utilized over 200 bank accounts, each used only once to avoid detection. 
  • Digital Target: Indian financial systems and unsuspecting individuals. 
  • Exploitation of Vulnerabilities: Exploited weaknesses in banking systems and user trust. 
  • Use of Recognized Attack Vectors: Employed fraudulent bank accounts and communication via Pakistani phone numbers. 
  • Impact on the CIA Triad: Compromised confidentiality and integrity of financial data; availability of funds affected. 
  • Detection or Alerting: Uncovered during Operation Sindoor; police investigations revealed the gang's operations. 
  • Indicators of Compromise (IOCs): Use of Pakistani phone numbers and a network of over 200 bank accounts. 
  • Lateral Movement or Privilege Escalation: Operated across regions from Champaran to Seemanchal, indicating a widespread network. 
  • Attribution to a Threat Actor: Connected to individuals communicating with Pakistani numbers; investigations suggest links to international cybercrime networks. 

6. Telangana Cybercrime Network Bust

The Telangana Cyber Security Bureau conducted a 10-day operation in Gujarat, arresting 20 individuals, including a bank manager, for involvement in a cybercrime network. 

  • Malicious Intent: Executed large-scale financial fraud through investment, trading, and job scams. 
  • Unauthorized Access: Operated 27 mule bank accounts to launder illicit funds. 
  • Digital Target: Victims across India; over 60 cases in Telangana and 515 nationwide. 
  • Exploitation of Vulnerabilities: Exploited public trust via fake online offers and insider banking assistance. 
  • Use of Recognized Attack Vectors: Utilized fraudulent bank accounts, fake job postings, and investment schemes. 
  • Impact on the CIA Triad: Compromised financial data integrity and availability; confidentiality breached through unauthorized transactions. 
  • Detection or Alerting: Uncovered by the Telangana Cyber Security Bureau (TGCSB) during a 10-day interstate operation in Surat, Gujarat. 
  • Indicators of Compromise (IOCs): Multiple SIM cards, ATM cards, cheque books, PAN cards, and rubber stamps seized. 
  • Lateral Movement or Privilege Escalation: Involved a bank relationship manager facilitating fraudulent account activities. 
  • Attribution to a Threat Actor: A coordinated cyber fraud syndicate comprising private employees, businessmen, and banking insiders. 

7. Hacktivist DDoS Attacks on Indian Organizations

In 2025, Indian organizations across sectors faced a surge in DDoS attacks launched by hacktivist groups. These attacks aimed to disrupt services and draw attention to political grievances. While no data was stolen, the large-scale service outages highlighted vulnerabilities in infrastructure and the growing threat from politically motivated cyber actors. 

  • Malicious Intent: Disruption of services and protest against Indian policies. 
  • Unauthorized Access: No direct access; focused on service disruption. 
  • Digital Target: Over 100 Indian organizations across various sectors. 
  • Exploitation of Vulnerabilities: Exploited inadequate DDoS protection measures. 
  • Use of Recognized Attack Vectors: Distributed Denial of Service (DDoS) attacks. 
  • Impact on the CIA Triad: Affected availability of online services. 
  • Detection or Alerting: Organizations reported service outages and disruptions. 
  • Indicators of Compromise (IOCs): Traffic analysis showing abnormal spikes. 
  • Lateral Movement or Privilege Escalation: Not applicable due to nature of attack. 
  • Attribution to a Threat Actor: Various hacktivist groups, primarily from Southeast Asia. 

8. Ulhasnagar Municipal Corporation Website Hacked

The official website of Ulhasnagar Municipal Corporation in Maharashtra was hacked, disrupting municipal services and raising concerns about the cybersecurity of local government bodies. 

  • Malicious Intent: Website defaced with religious content likely meant to provoke. 
  • Unauthorized Access: Attackers took control of the homepage. 
  • Digital Target: Official UMC website. 
  • Exploitation of Vulnerabilities: Method unknown, under investigation. 
  • Use of Recognized Attack Vectors: Likely web defacement techniques used. 
  • Impact on the CIA Triad: No data breach; integrity compromised; site temporarily offline. 
  • Detection or Alerting: Suspicious activity noticed on May 10; IT team responded. 
  • Indicators of Compromise (IOCs): Defaced homepage and logged server activity. 
  • Lateral Movement or Privilege Escalation: No signs of further system breach. 
  • Attribution to a Threat Actor: Attackers not yet identified; probe ongoing. 

9. Nippon Life India Asset Management Cyberattack

Nippon Life India Asset Management reported a cyberattack affecting its operations, emphasizing the vulnerability of financial institutions to cyber threats. 

  • Malicious Intent: Aimed to disrupt financial services and digital operations. 
  • Unauthorized Access: Attackers infiltrated NAM India’s IT systems. 
  • Digital Target: Website and mobile app of Nippon AMC. 
  • Exploitation of Vulnerabilities: Specific weaknesses not yet disclosed. 
  • Use of Recognized Attack Vectors: Method under investigation; not publicly shared. 
  • Impact on the CIA Triad: No data breach or tampering; platform availability was disrupted. 
  • Detection or Alerting: Detected on April 9; systems were isolated immediately. 
  • Indicators of Compromise (IOCs): Undisclosed; internal forensic probe underway. 
  • Lateral Movement or Privilege Escalation: No signs of deeper compromise so far. 
  • Attribution to a Threat Actor: Threat actor unknown; investigation ongoing. 

10. Indian Cyber Force's Offensive Operations

The Indian Cyber Force (ICF) claimed responsibility for multiple cyberattacks on Pakistani entities, including Habib Bank Limited, Euro Oil, and the Federal Board of Revenue, as retaliatory measures following the Pahalgam attack. 

  • Malicious Intent: Aimed to retaliate against Pakistan through cyber disruption. 
  • Unauthorized Access: Breached banks, universities, and government systems. 
  • Digital Target: Pakistani digital infrastructure including surveillance networks. 
  • Exploitation of Vulnerabilities: Used weak credentials and unpatched systems. 
  • Use of Recognized Attack Vectors: DDoS, defacements, and data breaches. 
  • Impact on the CIA Triad: Breached confidentiality, altered content, and disrupted services. 
  • Detection or Alerting: Publicly claimed; detection by targets not detailed. 
  • Indicators of Compromise (IOCs): Defaced sites, leaked data, compromised footage. 
  • Lateral Movement or Privilege Escalation: Likely moved within networks to extract data. 
  • Attribution to a Threat Actor: Attributed to the Indian Cyber Force hacktivist group. 

11. Financial Sector Cyberattacks

India's financial sector faced multiple cyberattacks, prompting the Reserve Bank of India to caution lenders and introduce secure domain names to prevent digital frauds. 

  • Malicious Intent: Aimed to disrupt India's financial infrastructure and erode public trust. 
  • Unauthorized Access: Hackers infiltrated banking systems, stock exchanges, and financial service platforms. 
  • Digital Target: Banks, NBFCs, stock exchanges (NSE, BSE), and payment gateways. 
  • Exploitation of Vulnerabilities: Exploited weak API security, outdated systems, and unpatched software. 
  • Use of Recognized Attack Vectors: Employed DDoS attacks, phishing campaigns, and malware injections. 
  • Impact on the CIA Triad: Compromised availability through service disruptions; confidentiality and integrity risks remain under assessment. 
  • Detection or Alerting: Detected through real-time monitoring systems and alerts from CERT-In and RBI. 
  • Indicators of Compromise (IOCs): Unusual network traffic, unauthorized access logs, and defaced web pages. 
  • Lateral Movement or Privilege Escalation: Evidence of attackers moving within networks to access sensitive data. 
  • Attribution to a Threat Actor: Attributed to Pakistan-based hacker groups such as APT36 and Team Insane PK. 

12. APT36 Espionage Threat

APT36, a Pakistan-linked group, leveraged emotionally charged lures post-Pahalgam attack to deliver Crimson RAT malware, targeting Indian defense networks. 

  • Malicious Intent: Carried out cyber espionage against Indian defense and government sectors. 
  • Unauthorized Access: Infiltrated systems through phishing emails and malicious attachments. 
  • Digital Target: Military personnel, defense contractors, and government networks. 
  • Exploitation of Vulnerabilities: Exploited weak email security and user trust. 
  • Use of Recognized Attack Vectors: Used spear-phishing with Crimson RAT malware. 
  • Impact on the CIA Triad: Breached confidentiality and potentially affected data integrity. 
  • Detection or Alerting: Detected by threat intelligence teams after malware activity was observed. 
  • Indicators of Compromise (IOCs): Malicious email headers, RAT command-and-control domains, and infected documents. 
  • Lateral Movement or Privilege Escalation: Likely moved within internal networks to extract more data. 
  • Attribution to a Threat Actor: Attributed to APT36, a Pakistan-based state-sponsored group. 

13. ICICI Bank Vendor Portal Malware Implant

Malware was discovered that had been implanted through a third-party vendor portal. The attack aimed to reach internal processes by harvesting credentials. 

  • Malicious Intent: To harvest credentials and gain unauthorized access to internal systems. 
  • Unauthorized Access: Malware planted through a compromised third-party vendor account. 
  • Digital Target: ICICI Bank’s vendor management portal and backend services. 
  • Exploitation of Vulnerabilities: Exploited insecure integrations and weak endpoint protections. 
  • Use of Recognized Attack Vectors: Delivered malware via phishing and infected vendor software. 
  • Impact on the CIA Triad: Threatened confidentiality of credentials and internal data integrity. 
  • Detection or Alerting: Detected through anomaly behavior analytics in internal SIEM. 
  • Indicators of Compromise (IOCs): Suspicious login patterns, malware signatures, and C2 callbacks. 
  • Lateral Movement or Privilege Escalation: Attempts to access privileged accounts were logged but contained. 
  • Attribution to a Threat Actor: Suspected to be a financially motivated APT; attribution under investigation. 

14. UIDAI Services Targeted in DDoS Attack

A DDoS attack launched by regional hacktivists briefly affected Aadhaar authentication services. There was no breach, but availability was compromised. 

  • Malicious Intent: To disrupt Aadhaar-based authentication and service availability. 
  • Unauthorized Access: No internal breach; attack limited to service disruption. 
  • Digital Target: UIDAI’s public-facing authentication and verification endpoints. 
  • Exploitation of Vulnerabilities: Exploited lack of rate-limiting and load balancing weaknesses. 
  • Use of Recognized Attack Vectors: Large-scale Distributed Denial of Service (DDoS) traffic. 
  • Impact on the CIA Triad: Affected availability; confidentiality and integrity remained intact. 
  • Detection or Alerting: Detected by UIDAI monitoring systems; mitigated with CERT-In coordination. 
  • Indicators of Compromise (IOCs): Surge in traffic from botnets, abnormal request patterns. 
  • Lateral Movement or Privilege Escalation: No evidence of deeper intrusion or privilege misuse. 
  • Attribution to a Threat Actor: Attributed to regional hacktivist groups targeting Indian digital infrastructure. 
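Both the hacktivist DDoS wave in item 7 and the UIDAI incident above list abnormal traffic spikes as the indicator defenders had to work with. The script below is an added example, not code from the original post or from any of the organizations named in it, of how a detection job can surface such a spike from a plain request log: it builds a per-second baseline, flags seconds that exceed a multiple of the median, and counts distinct source addresses so an operator can tell a distributed flood (which needs upstream filtering) from a single noisy client (which a per-client rate limit handles). The log line format, the sample entries, and the thresholds are constructed assumptions.

```python
"""Spike detection over a constructed request log (added example, not the
post's own code). Log line format, sample data and thresholds are assumed."""
from collections import Counter, defaultdict
from datetime import datetime, timezone
from statistics import median

# Constructed sample log: "<ISO-8601 timestamp> <source IP> <path>" per line.
# Seconds 00-05 are a quiet baseline (3 req/s from three clients); seconds
# 06-07 are a flood of 400 req/s spread over 250 source addresses.
SAMPLE_LOG = []
for sec in range(6):
    for i in range(3):
        SAMPLE_LOG.append(f"2025-05-10T10:00:{sec:02d}Z 10.0.0.{i + 1} /auth/verify")
for sec in (6, 7):
    for i in range(400):
        SAMPLE_LOG.append(f"2025-05-10T10:00:{sec:02d}Z 203.0.113.{i % 250 + 1} /auth/verify")


def parse_log(lines):
    """Return (epoch_second, source_ip, path) tuples; malformed lines are skipped."""
    events = []
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue
        ts = datetime.fromisoformat(parts[0].replace("Z", "+00:00"))
        events.append((int(ts.timestamp()), parts[1], parts[2]))
    return events


def requests_per_second(events):
    """Map each second to a Counter of hits per source address."""
    per_sec = defaultdict(Counter)
    for sec, ip, _path in events:
        per_sec[sec][ip] += 1
    return per_sec


def detect_spikes(per_sec, baseline_len=5, factor=10, min_baseline=1):
    """Flag seconds whose request total exceeds `factor` times the median of
    the preceding `baseline_len` seconds. Returns (second, total, sources)."""
    seconds = sorted(per_sec)
    totals = {s: sum(per_sec[s].values()) for s in seconds}
    alerts = []
    for idx, sec in enumerate(seconds):
        history = [totals[s] for s in seconds[max(0, idx - baseline_len):idx]]
        if len(history) < baseline_len:
            continue  # not enough history to establish a baseline
        baseline = max(median(history), min_baseline)
        if totals[sec] > factor * baseline:
            alerts.append((sec, totals[sec], len(per_sec[sec])))
    return alerts


def classify(alert, distributed_threshold=50):
    """A flood from many sources needs upstream filtering; one noisy source
    can be handled with a per-client rate limit."""
    _sec, _total, sources = alert
    return "distributed" if sources >= distributed_threshold else "single-source"


if __name__ == "__main__":
    for alert in detect_spikes(requests_per_second(parse_log(SAMPLE_LOG))):
        when = datetime.fromtimestamp(alert[0], tz=timezone.utc).isoformat()
        print(f"{when}: {alert[1]} req/s from {alert[2]} sources ({classify(alert)})")
```

The median baseline is deliberately robust to the first flood second: once second 06 is in the history window it does not drag the baseline up, so second 07 is still flagged. In production the same logic would run per endpoint and per upstream network rather than globally, and the distinct-source count would feed the decision of whether to enable rate limiting or request provider-side scrubbing.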

15. DigiLocker API Exploitation Incident 

Attackers exploited open APIs and flawed token validation to access a limited set of user data. Although it was patched quickly, this was a genuine system-level cyberattack. 

  • Malicious Intent: To access user documents and metadata via token abuse. 
  • Unauthorized Access: Exploited open APIs without proper token validation. 
  • Digital Target: DigiLocker’s document retrieval and identity verification APIs. 
  • Exploitation of Vulnerabilities: Weak session control and improper authorization checks. 
  • Use of Recognized Attack Vectors: Automated API queries using replayed or shared tokens. 
  • Impact on the CIA Triad: Breached confidentiality; integrity and availability remained unaffected. 
  • Detection or Alerting: Detected by MeitY’s CERT during routine audit and traffic analysis. 
  • Indicators of Compromise (IOCs): Reused tokens, excessive API calls, unauthorized data requests. 
  • Lateral Movement or Privilege Escalation: No system-wide privilege escalation observed. 
  • Attribution to a Threat Actor: Actor remains unidentified; suspected low-level exploiters or script kiddies. 
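The bullets above describe the failure mode in general terms: tokens accepted without proper validation, weak session control, missing authorization checks, and replayed or shared tokens. The following is an added example, not DigiLocker's code or anything from the original post, that puts the weak pattern beside a hardened one. The token format (an HMAC-signed, base64url-encoded claim set), the signing key, the claim names and the in-memory replay cache are all constructed assumptions for the demonstration.

```python
"""Weak versus hardened API token checks (added example, not code from the
original post or from DigiLocker). Token format, key and claim names are
constructed assumptions."""
import base64
import hashlib
import hmac
import json
import secrets
import time

SIGNING_KEY = b"constructed-demo-key-not-for-production"  # assumption for the demo


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject, audience, ttl=300, now=None):
    """Mint a single-use, HMAC-signed token bound to one user and one API."""
    now = int(time.time()) if now is None else now
    claims = {"sub": subject, "aud": audience, "iat": now, "exp": now + ttl,
              "jti": secrets.token_hex(8)}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def weak_authorize(token, document_owner):
    """The flawed pattern: any well-formed token may fetch any user's document.
    Nothing ties the token to the caller, to this API, to a time window, or to
    the owner of the record being requested."""
    return token.count(".") == 1


class TokenValidator:
    """Hardened check: signature, audience, expiry, owner binding and replay."""

    def __init__(self, audience):
        self.audience = audience
        self.seen_jti = set()  # in-memory replay cache; a real service uses a shared store

    def validate(self, token, document_owner, now=None):
        now = int(time.time()) if now is None else now
        try:
            body, sig = token.split(".")
        except ValueError:
            return False, "malformed"
        expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):  # constant-time comparison
            return False, "bad signature"
        claims = json.loads(_unb64(body))
        if claims.get("aud") != self.audience:
            return False, "wrong audience"
        if now >= claims.get("exp", 0):
            return False, "expired"
        if claims.get("sub") != document_owner:  # the missing authorization check
            return False, "not document owner"
        if claims.get("jti") in self.seen_jti:  # a shared or replayed token
            return False, "replayed"
        self.seen_jti.add(claims["jti"])
        return True, "ok"


if __name__ == "__main__":
    token = issue_token("user-a", "docs-api")
    validator = TokenValidator("docs-api")
    print("weak check, cross-user request:", weak_authorize(token, "user-b"))
    print("hardened, cross-user request:", validator.validate(token, "user-b"))
    print("hardened, owner request:", validator.validate(token, "user-a"))
    print("hardened, same token again:", validator.validate(token, "user-a"))
```

The order of the checks matters: the signature is verified before any claim is read, so a forged claim set is never parsed; the owner check is what closes the horizontal authorization hole the incident describes; and the `jti` cache is what turns "excessive API calls with reused tokens" from an IoC seen after the fact into a request that is refused.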

16. Defence Research and Development Organisation (DRDO) Spear-Phishing Campaign

A Pakistan-backed group sent malware-infected PDFs to DRDO researchers in January 2025. Data exfiltration attempts were detected and blocked. 

  • Malicious Intent: To steal sensitive defense research data through targeted espionage. 
  • Unauthorized Access: Gained via phishing links embedded in malicious PDF attachments. 
  • Digital Target: DRDO scientists, researchers, and classified internal systems. 
  • Exploitation of Vulnerabilities: Exploited human error and unverified document handling. 
  • Use of Recognized Attack Vectors: Spear-phishing emails with weaponized documents. 
  • Impact on the CIA Triad: Threatened confidentiality; integrity and availability not impacted. 
  • Detection or Alerting: Flagged by internal SOC tools and cross-agency intel feeds. 
  • Indicators of Compromise (IOCs): Malicious file hashes, C2 domain logs, and user session anomalies. 
  • Lateral Movement or Privilege Escalation: Attempts observed but contained through segmentation. 
  • Attribution to a Threat Actor: Attributed to Pakistan-based APT actors targeting defense entities. 

17. Central Bank of India Phishing Infrastructure Compromise

Attackers cloned the bank's domain and infrastructure to steal login credentials from users and attempted server access via session replay attacks. 

  • Malicious Intent: To steal user credentials and impersonate banking services. 
  • Unauthorized Access: Cloned domains used to harvest login information. 
  • Digital Target: Central Bank’s customers and public-facing authentication systems. 
  • Exploitation of Vulnerabilities: Exploited DNS misconfigurations and session replay flaws. 
  • Use of Recognized Attack Vectors: Phishing websites and credential capture scripts. 
  • Impact on the CIA Triad: Breached confidentiality; no internal system damage. 
  • Detection or Alerting: Detected through RBI threat intelligence and takedown coordination. 
  • Indicators of Compromise (IOCs): Spoofed domains, phishing URLs, and session token reuse. 
  • Lateral Movement or Privilege Escalation: No lateral movement within bank’s core systems. 
  • Attribution to a Threat Actor: Suspected cybercriminal group operating from Southeast Asia. 
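The IoCs above (spoofed domains and phishing URLs) are the kind of thing a bank's security team triages continuously from certificate-transparency logs and abuse reports. The script below is an added example, not code from the original post or from the bank it describes, of a first-pass classifier for newly observed hostnames: it folds common digit and digraph look-alikes back to letters, measures edit distance from the brand name, and separately flags hostnames that embed the brand as a label on some other registrable domain. The legitimate domain, the candidate feed, the homoglyph table and the "last two labels" notion of a registrable domain are constructed simplifying assumptions.

```python
"""Lookalike-domain triage (added example; not code from the original post or
from the bank named in it). The legitimate domain and the candidate feed are
constructed, and the registrable-domain logic is a simplifying assumption."""

# Characters and digraphs commonly substituted to imitate a brand name.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "vv": "w", "rn": "m"}

LEGIT_DOMAIN = "examplebank.in"  # constructed stand-in for the bank's real domain

# Constructed feed, e.g. newly observed hostnames from a certificate log.
CANDIDATE_FEED = [
    "examplebank.in",
    "login.examplebank.in",
    "examp1ebank.in",
    "exarnplebank.in",
    "examplebanc.in",
    "examplebank-login.in",
    "examplebank.in.secure-verify.example",
    "unrelated.example",
]


def normalize(label):
    """Fold digit and digraph look-alikes back to the letters they imitate."""
    s = label.lower()
    for fake, real in HOMOGLYPHS.items():
        s = s.replace(fake, real)
    return s


def levenshtein(a, b):
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host):
    """Assumed: the last two labels form the registrable domain (no public-suffix list)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def classify_domain(host, legit=LEGIT_DOMAIN, max_distance=2):
    """Return one of: legitimate, lookalike, embedded-brand, unrelated."""
    host = host.lower().rstrip(".")
    if host == legit or host.endswith("." + legit):
        return "legitimate"
    brand = normalize(legit.split(".")[0])
    candidate = normalize(registrable(host).split(".")[0])
    if levenshtein(candidate, brand) <= max_distance:
        return "lookalike"           # typo-squat or homoglyph of the brand itself
    if brand in normalize(host):
        return "embedded-brand"      # brand used as a label on someone else's domain
    return "unrelated"


def scan_feed(hosts, legit=LEGIT_DOMAIN):
    return {h: classify_domain(h, legit) for h in hosts}


if __name__ == "__main__":
    for host, verdict in scan_feed(CANDIDATE_FEED).items():
        print(f"{verdict:15} {host}")
```

Anything that lands in "lookalike" or "embedded-brand" is a candidate for a takedown request and for blocking at the mail and web gateways; the distance threshold and homoglyph table are tuned per brand, since short brand names produce many false positives at distance 2.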

18. AIIMS Delhi Ransomware Recurrence Attempt

A follow-up intrusion attempt targeted AIIMS servers after the 2022 breach. It was blocked early, but was confirmed as a cyberattack on the hospital's IT infrastructure. 

  • Malicious Intent: Attempt to encrypt critical medical data and demand ransom. 
  • Unauthorized Access: Blocked intrusion attempt before system-level execution. 
  • Digital Target: AIIMS Delhi’s hospital management and patient record systems. 
  • Exploitation of Vulnerabilities: Targeted unpatched internal services and legacy software. 
  • Use of Recognized Attack Vectors: Suspicious payloads via remote access malware. 
  • Impact on the CIA Triad: No impact; attempt failed before affecting systems. 
  • Detection or Alerting: Flagged by internal SOC and CERT-In incident response. 
  • Indicators of Compromise (IOCs): Suspicious IP traffic, failed login attempts, payload signatures. 
  • Lateral Movement or Privilege Escalation: Attempted but contained at perimeter level. 
  • Attribution to a Threat Actor: Possibly linked to same actor behind 2022 breach; under investigation. 

19. CERT-In Alert on Operation Bunyān al-Marsūs

CERT-In alerted on a targeted APT campaign, allegedly originating from Pakistan, against India's critical infrastructure, including SCADA systems and OT networks, using malware and intrusion techniques. 

  • Malicious Intent: Disrupt critical Indian infrastructure and conduct surveillance. 
  • Unauthorized Access: Multiple intrusions into SCADA and OT systems reported. 
  • Digital Target: Energy grids, transport systems, and government IT infrastructure. 
  • Exploitation of Vulnerabilities: Used unpatched OT protocols and default credentials. 
  • Use of Recognized Attack Vectors: Remote access tools, ICS malware, and phishing. 
  • Impact on the CIA Triad: Threatened integrity and availability of operational systems. 
  • Detection or Alerting: Alert issued by CERT-In based on threat intelligence inputs. 
  • Indicators of Compromise (IOCs): Malware signatures, suspicious remote sessions, OT command anomalies. 
  • Lateral Movement or Privilege Escalation: Attempts to pivot across network layers were observed. 
  • Attribution to a Threat Actor: Linked to Pakistan-based APT groups exploiting critical infrastructure. 

20. WazirX Cryptocurrency Exchange Hack

WazirX, a major Indian cryptocurrency exchange, suffered a cyberattack targeting its wallet infrastructure. Hackers exploited smart contract flaws to manipulate wallet permissions and execute unauthorized withdrawals. Trading was briefly halted. The breach was later attributed to the Lazarus Group, a North Korea-linked state-sponsored threat actor. 

  • Malicious Intent: Steal crypto assets and disrupt platform operations. 
  • Unauthorized Access: Gained control over wallet permissions and transactions. 
  • Digital Target: WazirX’s hot and cold wallets. 
  • Exploitation of Vulnerabilities: Exploited smart contract flaws and poor wallet configuration. 
  • Use of Recognized Attack Vectors: Manipulated multisig wallet protocols and blockchain logic. 
  • Impact on the CIA Triad: Breached confidentiality, altered integrity, and halted availability of services. 
  • Detection or Alerting: Detected after suspicious withdrawals triggered internal alerts. 
  • Indicators of Compromise (IOCs): Unauthorized transfers, smart contract anomalies, wallet log changes. 
  • Lateral Movement or Privilege Escalation: Gained elevated access within wallet management layers. 
  • Attribution to a Threat Actor: Linked to Lazarus Group, a North Korean state-sponsored actor. 

Conclusion 

The scale and frequency of cyberattacks in India during 2025 highlight the country’s growing exposure to digital threats across critical sectors. From targeted espionage and ransomware attempts to infrastructure disruptions and financial system intrusions, these incidents reveal systemic vulnerabilities that cannot be ignored. Strengthening cyber resilience, enforcing secure development practices, and enhancing national coordination through agencies like CERT-In are no longer optional but essential. As India continues its digital expansion, proactive defense, threat intelligence sharing, and zero-trust architecture must form the backbone of a secure digital future. 

Jay Thakker
7+ years in application security, with extensive experience in implementing effective breach and attack simulation strategies to protect against cyber threats. Skilled in threat hunting techniques to proactively identify and neutralize emerging threats.
