The Cybersecurity Investigations That Had Us Wishing We'd Broken Them First in 2025

As we close out another year, there’s no better time to shine a spotlight on the investigative cybersecurity work that had editors across the industry wishing they’d had these stories on their front pages. The digital security landscape of 2025 was marked by extraordinary reporting that exposed government surveillance overreach, tracked down prolific cybercriminals, and revealed critical security failures at the highest levels of power. While dozens of talented journalists have been covering cybersecurity, privacy, and surveillance threats this year, certain stories stood out as exceptional examples of what determined reporting can uncover. Here are the investigations that captured our attention most intensely—and yes, left us more than a little jealous we hadn’t uncovered them ourselves.

A Reporter’s Personal Journey Into Iran’s Elite Hacking Operations

Some cybersecurity narratives read like thrillers, and Shane Harris’ account from The Atlantic is precisely that caliber. Harris spent months corresponding with someone claiming to be a hacker working for Iran’s intelligence apparatus. The source described involvement in major cyber operations, including the downing of an American drone and the devastating Saudi Aramco attack where Iranian operatives wiped the company’s systems.

What makes Harris’ reporting remarkable isn’t just the access. It’s his willingness to document his own skepticism, the verification process, and ultimately his source’s death. By piecing together the real story after his contact died, Harris revealed a narrative far more complicated than what the source had initially disclosed. The piece is essential reading for anyone who wants to understand how cybersecurity journalists cultivate sensitive sources, verify their claims, and navigate the risks of the craft.

How a Secret U.K. Order Nearly Forced Apple to Build an Encryption Backdoor

In January, a watershed moment in the surveillance-versus-encryption debate nearly went unnoticed. The Washington Post’s breakthrough reporting exposed that the U.K. Home Office had secretly served Apple with a technical capability notice under the Investigatory Powers Act, demanding that Apple build a backdoor into iCloud that would give British authorities access to users’ encrypted data worldwide, not just in the U.K. The law forbids the recipient from even disclosing that such a notice exists, so the demand would have stayed hidden indefinitely had The Post not broken the story.

This marked an unprecedented challenge to the end-to-end encryption that major tech companies have spent a decade building into their products. Apple’s response was telling: rather than build the backdoor, the company withdrew Advanced Data Protection, its optional end-to-end encryption for iCloud backups, from U.K. users. Yet the public exposure triggered months of diplomatic turbulence between the U.K. and the United States, ultimately forcing Downing Street to withdraw the demand, at least for now. The case became a defining test of how secret surveillance powers operate in the modern era.

When the Trump Administration’s War Room Accidentally Texted Its Plans to a Journalist

The Atlantic’s editor-in-chief found himself inadvertently added to a Signal group in which senior Trump administration officials were discussing military operations. What unfolded was an extraordinary real-time window into government decision-making, with the defense secretary posting strike timing and weapons details in the chat shortly before the United States carried out strikes against Houthi targets in Yemen.

This wasn’t just a security lapse; it was widely described as the most significant operational security failure in recent government history. The incident revealed not one mistake but a cascade of them, including officials’ reliance on an unofficial, modified Signal client used to archive messages, which was itself later compromised, exposing further sensitive communications. Jeffrey Goldberg’s account of how this happened, and what it exposed about government cybersecurity practices, sparked a months-long examination of OPSEC fundamentals at the highest levels of power.

Tracking Down a Teenage Cybercriminal Behind One of the Internet’s Most Notorious Hacking Operations

Brian Krebs’ investigative pedigree is built on connecting digital breadcrumbs to real identities, and his 2025 reporting was no exception. Krebs’ pursuit of the hacker known as “Rey”—a central figure in the Scattered LAPSUS$ Hunters cybercrime operation—culminated in identifying the individual as a Jordanian teenager. Through meticulous research and careful source development, Krebs not only uncovered the real person behind the handle but also secured conversations with those close to the hacker, eventually speaking with the cybercriminal himself.

The investigation documented a confession and provided rare insight into how individuals become drawn into organized cybercriminal enterprises—and, equally importantly, how some attempt to exit that life. It’s reporting that demonstrates why certain journalists have earned legendary status in covering the darker corners of the internet.

How Independent Reporters Shut Down a Billion-Record Surveillance Program

404 Media’s impact journalism in 2025 exceeded that of many mainstream outlets with substantially larger resources. Among its most significant wins was exposing the Airlines Reporting Corporation, a data clearinghouse created and owned by United, American, Delta, Southwest, JetBlue, and other carriers, which had been selling government agencies access to five billion flight records.

The data included names, financial information, and travel itineraries of ordinary Americans, enabling agencies including ICE, the State Department, and the IRS to track individuals without warrants. 404 Media’s months-long investigation created sufficient public pressure and legislative attention that ARC ultimately agreed to shut down the warrantless program. This case exemplifies how determined reporting can dismantle surveillance infrastructure operating in plain sight.

The Technical Reality Behind ‘Ghost Guns’ and the Legal Gray Zone

The December 2024 killing of UnitedHealthcare CEO Brian Thompson and the subsequent investigation into the use of a 3D-printed firearm—a so-called “ghost gun” with no serial numbers—prompted Wired to conduct its own investigation into manufacturing legality. Leveraging their expertise in 3D printing and weaponry, the outlet documented the process of building such a firearm while navigating the fragmented legal and ethical landscape.

The resulting reporting, accompanied by video documentation, provided essential context on how technology intersects with law enforcement challenges and regulatory gaps. It represented the kind of hands-on investigation that pushes journalism beyond passive observation into active exploration of emerging threats.

A Federal Employee’s Whistleblower Account of Government Data Breaches and Personal Threats

NPR’s investigation into activities surrounding the Department of Government Efficiency revealed not just data security lapses but the personal costs borne by federal whistleblowers. One senior IT employee at the National Labor Relations Board disclosed to Congress that after seeking assistance investigating DOGE’s data access practices, he discovered threatening communications taped to his door—messages containing sensitive personal information and surveillance photographs of his daily activities.

This reporting illuminated the resistance efforts of federal workers attempting to protect government data security while facing intimidation. It transformed abstract discussions about data governance into deeply personal accounts of professional and personal risk.

The Surveillance Dataset Exposing Phone Tracking of World Leaders and Vatican Enemies

Mother Jones’ Gabriel Geiger uncovered an exposed dataset from a mysterious surveillance operation, revealing phone location tracking of thousands of individuals spanning 2007 through 2015. Among those tracked were a former Syrian first lady, a private military contractor executive, a Hollywood actor, and documented enemies of the Vatican.

The dataset demonstrated the capabilities and reach of SS7-based phone surveillance. SS7 is the signaling protocol suite that telephone carriers use to route calls and text messages between networks, and it was designed with essentially no authentication between carriers. Anyone who obtains access to the network, legitimately or through a compromised or complicit operator, can query a subscriber’s location by phone number, and the protocol has long been abused for exactly this kind of tracking. Geiger’s investigation pulled back the curtain on the shadowy ecosystem of location-based surveillance that operates largely outside public awareness.

The Hacker Who Turned His Skills Toward Catching a Prolific Swatter

Swatting has evolved from juvenile prank to a genuine threat that has cost lives. Wired’s Andy Greenberg profiled this escalation through the story of “Torswats,” a prolific swatter who harassed school systems and emergency call operators across the country with credible-sounding false reports of imminent violence. Equally compelling was Greenberg’s coverage of the hacker who independently tracked down Torswats, a portrait of online vigilantism and its ambiguities.

The reporting humanized those affected—call operators bearing the stress of distinguishing real threats from elaborate hoaxes, and school administrators managing genuine security concerns. It demonstrated how cybersecurity threats extend beyond data breaches into the realm of physical safety and operational integrity.
