Historical Timeline of Hacking and Cybersecurity
From the Morris Worm to modern ransomware cartels, this timeline traces the major events, attacks, vulnerabilities, legislation, tool releases, and milestones that have shaped the field of hacking and cybersecurity. Entries are organized by decade with year-by-year detail.
The 1980s — Origins
1983
- WarGames released: The film popularizes the concept of hacking and raises public awareness about computer security. The term "hacker" enters mainstream vocabulary.
- The 414s arrested: A group of teenage hackers from Milwaukee breaks into 60 computer systems, including Los Alamos National Laboratory and Sloan-Kettering Cancer Center. The case prompts early discussions about computer crime legislation.
1984
- 2600: The Hacker Quarterly begins publication: Founded by Emmanuel Goldstein (Eric Corley), it becomes the most prominent hacker magazine and a focal point for the hacker community.
- Chaos Computer Club (CCC) founded: Europe's largest hacker collective, based in Germany, begins organized operations and conferences.
- Computer Fraud and Abuse Act (CFAA) drafted: Initial federal response to computer crime, prompted by the WarGames film and real incidents.
1986
- Computer Fraud and Abuse Act (CFAA) enacted: The first major U.S. federal legislation specifically targeting computer crime (18 U.S.C. section 1030). Criminalizes unauthorized access to computer systems.
- Electronic Communications Privacy Act (ECPA) enacted: Extends government restrictions on wiretapping to electronic data transmissions.
- Cliff Stoll begins tracking the Hanover Hackers: A systems administrator at Lawrence Berkeley National Laboratory discovers a 75-cent accounting discrepancy, leading to the identification of KGB-sponsored hackers. Later documented in The Cuckoo's Egg (1989).
1988
- Morris Worm (November 2): Robert Tappan Morris, a Cornell graduate student, releases the first major internet worm. It infects approximately 6,000 machines (10% of the internet) and causes $10-100 million in damage. Morris is the first person convicted under the CFAA (1991).
- CERT Coordination Center established: Created at Carnegie Mellon University in direct response to the Morris Worm. Becomes the model for computer emergency response teams worldwide.
- Phrack magazine publishes "The Conscience of a Hacker": Written by The Mentor (Loyd Blankenship), also known as "The Hacker Manifesto," it becomes a foundational document of hacker culture.
1989
- The Cuckoo's Egg published: Cliff Stoll's account of tracking Markus Hess through networked systems becomes one of the first popular books about cybersecurity and digital forensics.
- AIDS Trojan (PC Cyborg): The first known ransomware. Distributed via floppy disks, it encrypts file names on the C: drive and demands $189 payment. Created by Joseph Popp.
The 1990s — The Internet Emerges
1990
- Operation Sundevil: U.S. Secret Service raids hacker operations across 14 cities, seizing 42 computers and 23,000 floppy disks. Targets members of the Legion of Doom.
- Electronic Frontier Foundation (EFF) founded: Established by John Perry Barlow, Mitch Kapor, and John Gilmore to defend civil liberties in the digital world. Partly motivated by law enforcement overreach during Operation Sundevil.
1991
- Pretty Good Privacy (PGP) released: Phil Zimmermann creates PGP for email encryption, making strong cryptography available to the general public. Leads to a federal investigation under arms export regulations.
- First website goes online: Tim Berners-Lee launches the World Wide Web at CERN, beginning the era of web-based security challenges.
1993
- DEF CON 1 held in Las Vegas: Jeff Moss (The Dark Tangent) organizes the first DEF CON hacker convention. It becomes the world's largest and most influential hacking conference.
- First web browser (Mosaic) released: The graphical browser popularizes the web and opens new attack surfaces.
1994
- Netscape Navigator released: The first widely adopted commercial web browser, introducing SSL for secure web transactions.
- Vladimir Levin hacks Citibank: Russian mathematician gains unauthorized access to Citibank's cash management system and transfers $10 million. One of the first major cybercrime financial cases.
- Kevin Mitnick's pursuit intensifies: The FBI's investigation of Mitnick becomes the most famous hacker manhunt of the era.
1995
- Kevin Mitnick arrested: After a two-year pursuit, the FBI captures Kevin Mitnick, the most wanted computer criminal in U.S. history at the time. He is charged with wire fraud and computer crimes.
- The first Black Hat conference: Originally part of DEF CON, Black Hat Briefings begins as a more corporate-focused security conference (officially branded separately in 1997).
- Secure Sockets Layer (SSL) 2.0 released by Netscape: Establishes encrypted web communications (SSL 2.0 later found to have critical vulnerabilities).
1996
- "Smashing the Stack for Fun and Profit" published: Aleph One's article in Phrack magazine teaches buffer overflow exploitation to a wide audience. Becomes the foundational text for exploit development.
- The Health Insurance Portability and Accountability Act (HIPAA) enacted: Includes security requirements for electronic health information.
1997
- Nmap 1.0 released: Gordon "Fyodor" Lyon releases the Network Mapper, which becomes the most widely used network scanning tool in cybersecurity.
- AOHell released: One of the first widespread attack tools, used for mass phishing and harassment on America Online.
- Chaos Communication Congress (CCC) gains prominence: The club's annual congress becomes a major European hacker gathering.
1998
- L0pht Heavy Industries testifies before Congress: The hacker collective tells the U.S. Senate that they could take down the internet in 30 minutes. The testimony is credited with spurring investment in cybersecurity.
- Back Orifice released at DEF CON: The Cult of the Dead Cow releases a remote administration tool (RAT) for Windows, demonstrating the platform's security weaknesses.
- The Digital Millennium Copyright Act (DMCA) enacted: Criminalizes circumvention of digital rights management (DRM), with implications for security research.
- Google founded: The search engine later becomes both a security research tool (Google dorking) and a major cybersecurity player.
1999
- Melissa virus: A macro virus spreads via Microsoft Word documents and email, infecting hundreds of thousands of systems. Creator David L. Smith is arrested and sentenced to 20 months.
- Napster launched: The file-sharing platform raises questions about network security, intellectual property, and peer-to-peer protocols that persist to this day.
- NASA and DoD teenage hacker: 15-year-old Jonathan James becomes the first juvenile incarcerated for cybercrime in the U.S. after hacking into DTRA and NASA systems.
- CAN-SPAM Act predecessor bills introduced: Early attempts at regulating unsolicited email.
- Knoppix and early live Linux distributions: Lay groundwork for future bootable security distributions.
The 2000s — Cybercrime Industrializes
2000
- ILOVEYOU worm (May): Spreads via email with the subject "ILOVEYOU," infecting an estimated 45 million computers worldwide and causing $10 billion in damage. Originates from the Philippines, where no cybercrime laws exist.
- MafiaBoy DDoS attacks: 15-year-old Michael Calce launches DDoS attacks against CNN, Yahoo, eBay, Dell, and Amazon, taking major websites offline.
- Council of Europe begins drafting the Budapest Convention: The first international treaty addressing internet and computer crime.
2001
- Code Red worm: Exploits a vulnerability in Microsoft IIS, defacing websites and launching DDoS attacks against the White House. Infects 359,000 hosts in under 14 hours.
- Nimda worm (September 18): A mass-mailing worm that uses five different infection vectors, spreading days after the 9/11 attacks and initially raising fears of a coordinated cyber-physical attack.
- Budapest Convention on Cybercrime adopted: The first international treaty on crimes committed via the internet, providing a framework for international cooperation on cybercrime.
- Wikipedia launched: Later becomes a target for social engineering reconnaissance.
2002
- Federal Information Security Management Act (FISMA) enacted: Requires U.S. federal agencies to develop information security programs.
- Sarbanes-Oxley Act (SOX) enacted: Imposes IT control requirements on publicly traded companies following financial scandals.
- Bill Gates' "Trustworthy Computing" memo: Internal Microsoft memo signals a major shift in the company's approach to security.
2003
- SQL Slammer worm (January 25): Doubles in size every 8.5 seconds, infecting 75,000 servers in 10 minutes. Exploits a buffer overflow in Microsoft SQL Server 2000.
- Blaster worm (August): Exploits an RPC vulnerability in Windows XP/2000, displaying the message "I just want to say LOVE YOU SAN!!"
- CAN-SPAM Act enacted: U.S. federal law regulating commercial email, though largely considered ineffective.
- Metasploit Framework first released: H.D. Moore releases the first version of what becomes the most widely used exploitation framework.
- Anonymous begins forming: The hacktivist collective emerges from 4chan's /b/ board.
2004
- Sasser worm (April): Spreads without user interaction by exploiting a Windows LSASS vulnerability. Created by 18-year-old Sven Jaschan.
- Phishing enters mainstream: Large-scale phishing attacks target banks and online retailers, establishing phishing as a primary attack vector.
- The Honeynet Project publishes "Know Your Enemy": Foundational research on honeypots and attacker behavior.
- NIST publishes SP 800-30: Risk assessment methodology for information systems.
- DNS cache poisoning techniques refined: Researchers demonstrate practical attacks against DNS infrastructure.
2005
- Albert Gonzalez begins TJX Companies breach: The largest credit card theft at the time, ultimately compromising 94 million card numbers from TJX Companies (disclosed in 2007).
- Sony BMG rootkit scandal: Sony BMG music CDs install rootkit-like DRM software on users' computers without consent, demonstrating corporate overreach in copy protection.
- Samy worm hits MySpace: The fastest-spreading virus of all time at that point, adding over 1 million MySpace friends in 20 hours via a stored XSS worm. Creator Samy Kamkar becomes a noted security researcher.
2006
- WikiLeaks founded: Julian Assange establishes the platform for publishing leaked classified information, raising global debates about transparency and security.
- TJX data breach disclosed: 94 million credit and debit card numbers stolen, the largest data breach at the time.
2007
- Estonia cyberattacks (April-May): Massive DDoS attacks against Estonian government, banks, and media following a political dispute with Russia. Considered the first known cyber-conflict against a nation-state's infrastructure.
- Storm Worm botnet peaks: One of the largest botnets in history, estimated at 1-50 million compromised systems.
- iPhone released: Introduces mobile security challenges that persist and evolve for two decades.
2008
- Conficker worm appears (November): Infects millions of Windows computers worldwide, including military networks. Exploits MS08-067 and becomes one of the largest botnets.
- Dan Kaminsky discloses DNS vulnerability: A fundamental flaw in DNS that allows cache poisoning. Coordinated disclosure leads to widespread patching.
- Satoshi Nakamoto publishes Bitcoin whitepaper: Cryptocurrency later becomes the preferred payment method for ransomware.
- Heartland Payment Systems breach: 130 million credit card numbers stolen. Albert Gonzalez convicted.
- Project Chanology: Anonymous launches coordinated attacks against the Church of Scientology, establishing hacktivism as a global phenomenon.
2009
- Operation Aurora (December): Sophisticated attack originating from China targets Google, Adobe, and at least 20 other major companies. Google discovers China-based intruders accessing Gmail accounts of human rights activists.
- Conficker Working Group formed: Unprecedented industry collaboration to combat the Conficker worm.
- Tor Project receives increased funding: The anonymity network grows in importance for both privacy and criminal operations.
The 2010s — Advanced Threats and Mass Breaches
2010
- Stuxnet discovered (June): The first known cyberweapon, jointly developed by the U.S. and Israel. It targets Iranian nuclear centrifuges at Natanz, physically destroying roughly 1,000 centrifuges. Stuxnet permanently changes the perception of cyber warfare.
- WikiLeaks publishes "Cablegate": Release of 251,000 U.S. diplomatic cables from Chelsea Manning leads to global repercussions and raises debates about digital security and whistleblowing.
- Operation Payback: Anonymous launches DDoS attacks against Visa, MasterCard, and PayPal in retaliation for blocking WikiLeaks donations.
- Firesheep released: A Firefox extension that demonstrates session hijacking on unencrypted Wi-Fi networks, accelerating adoption of HTTPS across the web.
2011
- Sony PlayStation Network breach (April): Personal data of 77 million accounts compromised. PlayStation Network taken offline for 23 days. Cost estimated at $171 million.
- RSA SecurID breach (March): Attackers compromise RSA's two-factor authentication tokens through a spear phishing attack, affecting defense contractors including Lockheed Martin.
- LulzSec rampage (May-June): The "Lulz Security" group conducts 50 days of high-profile hacks against Sony, PBS, the CIA, FBI affiliates, and others before disbanding.
- HBGary Federal hack: Anonymous compromises the security firm after its CEO claims to have identified Anonymous members. Over 60,000 emails leaked.
- Duqu malware discovered: Considered a precursor to Stuxnet, targeting industrial systems for intelligence gathering.
- DigiNotar compromise: Dutch certificate authority hacked, leading to fraudulent certificates for Google and other major domains. DigiNotar subsequently goes bankrupt.
- Lockheed Martin Cyber Kill Chain published: Introduces the seven-phase model for understanding and defending against cyberattacks.
2012
- Shamoon malware attacks Saudi Aramco (August): Wipes 30,000 workstations at the world's largest oil company. Attributed to Iran.
- LinkedIn breach: 6.5 million password hashes stolen and posted online (later revealed to be 117 million accounts in 2016).
- Flame malware discovered: A highly sophisticated cyber-espionage platform estimated to have been active since 2010, linked to the same actors behind Stuxnet.
- Dropbox breach: 68 million user credentials compromised (disclosed in 2016).
- Global Payments breach: 1.5 million card numbers stolen from a major payment processor.
- Hack The Box and similar platforms emerge: Online platforms for practicing ethical hacking gain popularity.
2013
- Edward Snowden leaks NSA documents (June): Former NSA contractor reveals massive global surveillance programs (PRISM, XKeyscore, MUSCULAR), triggering worldwide debate on privacy, encryption, and government surveillance. The largest intelligence leak in U.S. history.
- Target data breach (December): 40 million credit/debit card numbers and 70 million personal records stolen via a compromised HVAC vendor. Demonstrates supply chain attack risk.
- Mandiant APT1 report (February): Publicly attributes cyber-espionage operations to a specific Chinese military unit (PLA Unit 61398). A landmark in threat intelligence.
- Adobe breach: 153 million user records stolen, including encrypted passwords (using weak 3DES encryption).
- CryptoLocker ransomware: One of the first successful ransomware campaigns using strong encryption, demanding Bitcoin payment. Marks the beginning of the modern ransomware era.
- MITRE ATT&CK project begins: Development of the adversary tactics and techniques knowledge base, which becomes the industry standard.
- Kali Linux 1.0 released (March): Offensive Security releases the successor to BackTrack, consolidating the dominant penetration testing Linux distribution.
2014
- Heartbleed vulnerability disclosed (April): CVE-2014-0160 in OpenSSL allows attackers to read server memory, potentially exposing private keys and user data. Affects an estimated 17% of internet-facing servers.
- Shellshock vulnerability (September): CVE-2014-6271 in Bash shell allows remote code execution on Unix-like systems via crafted environment variables. Estimated 500 million systems vulnerable.
- Sony Pictures hack (November): North Korea's Lazarus Group destroys data and leaks unreleased films, emails, and personal information in retaliation for The Interview movie. Causes estimated $35 million in damage.
- JP Morgan Chase breach: 76 million household and 7 million business records compromised.
- Home Depot breach: 56 million credit card numbers stolen using a variant of the BlackPOS malware.
- eBay breach: 145 million user records compromised through compromised employee credentials.
- Phineas Fisher hacks Gamma Group: Hacktivist leaks internal data from the surveillance software company, revealing sales of FinFisher to repressive regimes.
- iCloud celebrity photo leak ("Fappening"): Targeted phishing and password guessing against Apple iCloud accounts. Raises awareness of cloud security.
- Regin malware discovered: A highly sophisticated espionage platform attributed to Five Eyes intelligence agencies.
2015
- OPM data breach (June): U.S. Office of Personnel Management breach exposes 21.5 million personnel records including security clearance data, fingerprints, and background investigations. Attributed to China. One of the most damaging government breaches.
- Ashley Madison breach (July): Impact Team steals and releases data from 37 million users of the infidelity dating site. Results in suicides, extortion, and lawsuits.
- Anthem health insurance breach: 78.8 million records stolen, the largest healthcare breach at the time.
- TalkTalk breach: UK telecom breach compromises 157,000 customer records. CEO Dido Harding faces public criticism.
- Hacking Team breach: Italian surveillance company hacked by Phineas Fisher, exposing sales of spyware to authoritarian governments and multiple zero-day exploits.
- VTech breach: 6.4 million children's profiles exposed from toy manufacturer, highlighting IoT security risks.
- Let's Encrypt launches: Free SSL/TLS certificate authority begins operation, accelerating HTTPS adoption.
- Juniper Networks backdoor discovered: Unauthorized code in ScreenOS VPN software enables decryption of VPN traffic. Attributed to a nation-state actor.
2016
- Bangladesh Bank heist (February): Hackers (Lazarus Group) steal $81 million from Bangladesh Bank's account at the Federal Reserve Bank of New York via SWIFT messaging manipulation. Attempted theft was $951 million.
- DNC hack and election interference: Russian intelligence (GRU/APT28/APT29) hacks the Democratic National Committee, leaking emails through WikiLeaks. Marks a new era of cyber-enabled election interference.
- Yahoo breach disclosure: Yahoo reveals two massive breaches affecting 500 million (2014 breach) and 3 billion accounts (2013 breach), the largest data breach ever disclosed.
- Dyn DDoS attack (October): Mirai botnet launches massive DDoS against DNS provider Dyn, taking down Twitter, Netflix, Reddit, and other major services. Demonstrates the power of IoT-based botnets.
- Mirai botnet source code released: After the Dyn attack, the Mirai IoT botnet source code is published, spawning numerous variants.
- SWIFT banking attacks expand: Multiple banks targeted using SWIFT exploitation techniques pioneered in the Bangladesh Bank heist.
- Shadow Brokers appear: A group begins leaking alleged NSA hacking tools, including EternalBlue.
- LinkedIn full breach revealed: The 2012 breach actually affected 117 million accounts.
- Panama Papers: 2.6 TB leak from law firm Mossack Fonseca exposes global financial secrecy. Demonstrates the scale of possible data exfiltration.
- EU General Data Protection Regulation (GDPR) adopted: Enters law with a two-year implementation period.
2017
- WannaCry ransomware (May 12): Exploiting the NSA's EternalBlue exploit (leaked by Shadow Brokers), WannaCry spreads globally in hours, infecting 200,000+ systems across 150 countries. The UK's NHS is severely impacted. Attributed to North Korea's Lazarus Group.
- NotPetya attack (June): Disguised as ransomware but actually a destructive wiper, NotPetya spreads through a Ukrainian tax software update (MeDoc). Causes estimated $10 billion in global damage. Attributed to Russian GRU. The most expensive cyberattack in history.
- Equifax breach (September): Personal data of 147 million Americans exposed, including Social Security numbers, through an unpatched Apache Struts vulnerability. CEO Richard Smith resigns.
- Shadow Brokers release NSA tools (April): The full release includes EternalBlue (MS17-010), enabling WannaCry and NotPetya.
- KRACK attack on WPA2: Key Reinstallation Attacks demonstrate fundamental vulnerabilities in the WPA2 wireless protocol.
- Bad Rabbit ransomware (October): Targets organizations in Russia and Ukraine through fake Adobe Flash updates.
- Uber breach cover-up revealed: Uber discloses that a 2016 breach affecting 57 million users was concealed, and the company paid $100,000 to the hackers. CSO Joe Sullivan later convicted.
- Marcus Hutchins arrested: The security researcher who stopped WannaCry is arrested at DEF CON for creating the Kronos banking trojan years earlier.
- Triton/TRISIS malware discovered: Targets Schneider Electric safety systems in Saudi Arabian petrochemical plant, potentially designed to cause physical destruction.
- CCleaner supply chain attack: Compromised updates for the popular system utility affect 2.27 million users.
2018
- Cambridge Analytica scandal: Revealed that personal data of up to 87 million Facebook users was harvested without consent for political advertising. Triggers global privacy debate.
- Facebook breach: 50 million user accounts exposed through a vulnerability in the "View As" feature.
- Marriott/Starwood breach: 500 million guest records compromised. The breach began in 2014 in the Starwood network and was not discovered until 2018.
- Under Armour/MyFitnessPal breach: 150 million user accounts compromised.
- British Airways breach: 380,000 payment card details stolen through a sophisticated Magecart-style web skimming attack. ICO fines BA 20 million pounds.
- GDPR enforcement begins (May 25): The EU General Data Protection Regulation goes into effect, establishing data breach notification requirements and significant fines.
- CFAA reform discussions intensify: Cases like Aaron Swartz (2013) and ongoing security researcher concerns drive debate about CFAA modernization.
- VPNFilter malware: Infects 500,000 routers worldwide. Attributed to Russian APT28/Fancy Bear.
- CPU side-channel attacks: Spectre and Meltdown vulnerabilities disclosed, affecting virtually all modern processors.
- GitHub hit with largest DDoS (1.3 Tbps): Memcached amplification attack breaks records.
- Emotet evolves: The banking trojan transforms into a major malware delivery platform.
- MITRE ATT&CK gains widespread adoption: The framework becomes the de facto standard for describing adversary behavior.
2019
- Capital One breach (July): Former AWS employee Paige Thompson exploits an SSRF vulnerability to steal data on 106 million credit card applicants from Capital One's AWS infrastructure.
- BlueKeep vulnerability (CVE-2019-0708) disclosed (May): Critical unauthenticated RCE in Windows Remote Desktop Protocol. Described as "wormable" and compared to EternalBlue. Microsoft issues patches for unsupported Windows XP.
- Baltimore ransomware attack (May): RobbinHood ransomware cripples city government for weeks, costing an estimated $18 million.
- Norsk Hydro ransomware: LockerGoga ransomware forces the Norwegian aluminum manufacturer to switch to manual operations, costing $75 million.
- First American Financial data leak: 885 million records exposed through an IDOR vulnerability.
- Citrix breach: 6 TB of internal data stolen by an Iranian-linked group.
- New Orleans declares state of emergency: Ransomware attack on city government.
- Ghidra released by NSA (March): NSA open-sources its reverse engineering framework, providing a free alternative to IDA Pro.
- Chrome zero-day exploitation in the wild increases: Marks a trend of browser-targeted attacks.
- WPA3 vulnerabilities ("Dragonblood") disclosed: Flaws found in the new WPA3 protocol shortly after release.
- DeepFake technology raises concerns: Increased sophistication of AI-generated media creates new social engineering threats.
The 2020s — Ransomware, Supply Chains, and AI
2020
- SolarWinds supply chain attack (December, disclosed): Russian intelligence (SVR/Cozy Bear) compromises SolarWinds Orion software updates, gaining access to 18,000 organizations including U.S. government agencies (Treasury, Commerce, DHS). One of the most significant supply chain attacks in history.
- COVID-19 pandemic reshapes cybersecurity: Remote work creates massive expansion of attack surfaces. VPN vulnerabilities, unsecured home networks, and pandemic-themed phishing surge. Healthcare organizations targeted during the crisis.
- Twitter internal tool compromise (July): Social engineering of Twitter employees leads to account takeover of Barack Obama, Elon Musk, Jeff Bezos, and others for a Bitcoin scam. 17-year-old Graham Ivan Clark arrested.
- FireEye breach disclosed (December): FireEye reveals it was breached by a nation-state actor (linked to SolarWinds), and its red team tools were stolen.
- Garmin ransomware (WastedLocker): The fitness company pays a $10 million ransom; its services are offline for days.
- Magellan Health breach: Healthcare company breach affects 365,000 patients.
- Zoom security issues: The rapid adoption of Zoom videoconferencing reveals multiple security issues, including "Zoombombing" and encryption concerns.
- Sopra Steria ransomware: French IT services giant hit by Ryuk ransomware, costing 50 million euros.
- Log4j context: The Apache Log4j library is by now deployed across a vast share of Java applications; the critical vulnerability in it is discovered in late 2021.
- CISA established as standalone agency: The Cybersecurity and Infrastructure Security Agency increases U.S. federal cybersecurity coordination.
- TrickBot botnet disrupted: Microsoft and partners execute a coordinated takedown of the TrickBot infrastructure.
2021
- Colonial Pipeline ransomware (May): DarkSide ransomware group shuts down the largest U.S. fuel pipeline, causing gas shortages across the eastern seaboard. Colonial pays $4.4 million ransom (DOJ later recovers $2.3 million). A watershed moment for critical infrastructure security.
- JBS Foods ransomware (May-June): REvil group attacks the world's largest meat processor, which pays an $11 million ransom.
- Microsoft Exchange Server zero-days (March): Hafnium group exploits ProxyLogon vulnerabilities (CVE-2021-26855 and related) affecting an estimated 250,000 servers worldwide.
- Kaseya VSA supply chain attack (July): REvil ransomware group exploits Kaseya's IT management software, impacting up to 1,500 businesses. Demands $70 million ransom.
- Log4Shell vulnerability (December): CVE-2021-44228 in Apache Log4j 2 allows trivial remote code execution. Affects millions of applications. Called "the most critical vulnerability of the decade."
- PrintNightmare (CVE-2021-34527): Windows Print Spooler vulnerability enables remote code execution and privilege escalation.
- Pegasus Project revelations (July): Consortium of journalists reveals NSO Group's Pegasus spyware was used to target journalists, activists, and politicians across 50 countries.
- T-Mobile breach: 54 million customer records stolen and sold on dark web.
- Twitch data breach: 125 GB of source code and internal data leaked.
- Facebook outage (October): A BGP misconfiguration takes Facebook, Instagram, and WhatsApp offline for 6 hours, highlighting internet infrastructure fragility.
- OWASP Top 10 updated: New edition reflects changes in the web application threat landscape, adding Insecure Design and SSRF.
- Biden Executive Order on Cybersecurity: Executive Order 14028 mandates zero trust adoption and software supply chain security for federal agencies.
- REvil ransomware group operations disrupted: International law enforcement action targets the prolific ransomware group.
2022
- Russia-Ukraine cyberwar begins (February): Russian cyber operations target Ukrainian infrastructure alongside the physical invasion, including Viasat satellite modem wiping (AcidRain), destructive wiper malware (HermeticWiper, WhisperGate, CaddyWiper), and attacks on government websites.
- Okta breach (March): Lapsus$ group compromises an Okta contractor, potentially affecting 366 customer tenants of the identity management provider.
- Lapsus$ group rampages: Teenage-led extortion group breaches Microsoft, Samsung, Nvidia, T-Mobile, and Uber through social engineering and SIM swapping. Members arrested in the UK.
- LastPass breach (August-November): Password manager LastPass breached twice, with attackers stealing encrypted password vaults. Raises fundamental questions about password manager security.
- Uber breach (September): An 18-year-old hacker compromises Uber's internal systems through social engineering of an employee's MFA, gaining access to Slack, HackerOne reports, and cloud infrastructure.
- Twitter data for 5.4 million users leaked: Attackers exploit an API vulnerability to link phone numbers and email addresses to accounts.
- Medibank breach: 9.7 million records stolen from Australia's largest health insurer.
- Costa Rica national emergency: Conti ransomware group cripples Costa Rica's government, leading to a national state of emergency — the first for a ransomware attack.
- Ronin Network crypto theft: $620 million stolen from the Axie Infinity blockchain bridge. Attributed to Lazarus Group.
- DirtyPipe vulnerability (CVE-2022-0847): Linux kernel vulnerability allows arbitrary file overwrite and privilege escalation.
- NIST Post-Quantum Cryptography standards announced: Selection of CRYSTALS-Kyber and other algorithms for post-quantum encryption.
- U.S. DOJ updates CFAA charging policy: Guidance states that good-faith security research should not be prosecuted, a significant development for ethical hackers.
- Van Buren v. United States impact: The 2021 Supreme Court decision narrowing the CFAA's scope continues to shape the legal landscape for security research.
2023
- MOVEit Transfer exploitation (May-June): Clop ransomware group exploits a zero-day SQL injection vulnerability in Progress Software's MOVEit Transfer. Over 2,600 organizations and 77 million individuals affected. One of the largest mass exploitation events.
- Barracuda ESG zero-day: CVE-2023-2868 exploited since October 2022. Barracuda recommends full appliance replacement rather than patching.
- MGM Resorts and Caesars Entertainment ransomware (September): ALPHV/BlackCat and Scattered Spider social-engineer IT help desks, causing $100 million in losses at MGM and a $15 million ransom payment from Caesars.
- 23andMe breach: Genetic data of 6.9 million users stolen through credential stuffing.
- Citrix Bleed (CVE-2023-4966): Critical vulnerability in Citrix NetScaler ADC/Gateway exploited by ransomware groups including LockBit.
- Royal Mail ransomware (January): LockBit attack disrupts UK's Royal Mail international service for weeks.
- ChatGPT and AI security implications: The rapid adoption of AI chatbots creates new attack vectors (prompt injection, training data poisoning) and new defensive capabilities.
- Hive ransomware takedown (January): FBI and international partners seize Hive ransomware infrastructure after a months-long covert operation.
- ALPHV/BlackCat files SEC complaint: Ransomware group files an SEC complaint against its own victim (MeridianLink) for failing to disclose the breach, demonstrating evolving extortion tactics.
- Ransomware payments exceed $1 billion: Chainalysis reports record ransomware payments, driven by big-game hunting.
- SEC adopts cybersecurity disclosure rules: New rules require public companies to disclose material cybersecurity incidents within four business days.
- NIST Cybersecurity Framework 2.0 draft: Updated framework adds a Govern function.
- Google Project Zero and Apple zero-days: Multiple zero-click exploits discovered targeting iPhones through iMessage.
- GitHub mandatory 2FA: GitHub begins requiring two-factor authentication for all contributors.
2024
- Change Healthcare ransomware (February): ALPHV/BlackCat attack on UnitedHealth's Change Healthcare subsidiary disrupts healthcare payment processing across the U.S. for weeks. Affects one-third of all Americans. UnitedHealth pays $22 million ransom. Total cost estimated at $1.6 billion.
- XZ Utils backdoor discovered (March): CVE-2024-3094 reveals a sophisticated supply chain attack on the xz compression library that nearly compromised SSH on most Linux distributions. The backdoor was the result of a multi-year social engineering operation by a pseudonymous contributor, and was discovered by accident by a Microsoft developer investigating SSH slowness.
- AT&T breach: 73 million customer records, including Social Security numbers, posted on the dark web.
- Snowflake customer data breaches: Attackers use stolen credentials (no MFA) to access data from Snowflake cloud customers including Ticketmaster (560 million records), Santander Bank, and AT&T.
- CrowdStrike outage (July): A defective content update causes 8.5 million Windows systems to crash worldwide, disrupting airlines, banks, hospitals, and government services. Not a cyberattack, but highlights the fragility of monoculture security infrastructure.
- National Public Data breach: 2.7 billion records leaked, including Social Security numbers for most Americans.
- Palo Alto PAN-OS zero-days: Multiple critical zero-day exploits in Palo Alto Networks firewalls.
- Ivanti VPN zero-days: Multiple critical vulnerabilities exploited in Ivanti Connect Secure VPN appliances.
- LockBit takedown (February): Operation Cronos, an international law enforcement operation, seizes LockBit infrastructure and identifies key operators. LockBit attempts to reconstitute but is significantly weakened.
- NIST Cybersecurity Framework 2.0 released: Adds the Govern function to the framework.
- AI-powered attacks observed: Increasing use of AI for phishing, deepfake voice fraud, and automated vulnerability discovery.
- EU AI Act enters into force: First comprehensive AI regulation with cybersecurity implications.
- Midnight Blizzard targets Microsoft (January): Russian intelligence group compromises Microsoft executive email accounts through password spraying against a test account without MFA.
- Internet Archive breach: 31 million user accounts compromised.
- CISA "Secure by Design" initiative: Push for vendors to build security into products from the start.
- U.S. election cybersecurity concerns: Heightened monitoring and preparation for cyber-enabled election interference.
2025
- Ransomware continues to evolve: Ransomware-as-a-Service models become more sophisticated, with affiliate programs, customer support, and competitive pricing.
- Post-quantum cryptography migration begins: Organizations start transitioning to quantum-resistant algorithms following NIST standardization.
- AI in offensive and defensive security: AI tools are increasingly integrated into both attack toolchains and security operations, raising new ethical and technical challenges.
- Supply chain security frameworks mature: SBOM (Software Bill of Materials) requirements expand across government and industry.
- Zero trust architecture adoption accelerates: Federal mandate and industry adoption drive zero trust implementation.
- Critical infrastructure regulation expands: New regulations across sectors mandate cybersecurity standards for critical infrastructure operators.
- Bug bounty programs expand: Major organizations increase scope and payouts for vulnerability disclosure programs.
- Cloud security incidents continue: Misconfigured cloud services and stolen credentials remain primary vectors for large-scale breaches.
Key Themes Across the Timeline
- Increasing scale: Attacks have grown from individual system compromises to billion-record breaches and nation-state infrastructure attacks.
- Professionalization of cybercrime: From solo hackers to organized criminal enterprises with customer support, SLAs, and affiliate programs.
- Supply chain as attack vector: From individual software exploits to targeting the software supply chain itself (SolarWinds, Kaseya, XZ Utils, MOVEit).
- Regulatory evolution: From the CFAA (1986) to GDPR (2018) to NIS2 and SEC rules (2023-2024), regulation continues to expand.
- Convergence of cyber and physical: From Stuxnet to Colonial Pipeline, the impact of cyber operations on physical infrastructure has become undeniable.
- The human factor persists: Despite decades of technical advancement, social engineering, weak passwords, and misconfigurations remain the most common attack enablers.
This timeline reflects publicly reported events and may not include classified operations or undisclosed incidents. Dates refer to either the incident occurrence or public disclosure, as noted. Entries through early 2025 are included.