OPSEC Failures: How Threat Actor Mistakes Help Defenders

January 9, 2026
Lucie Cardiet
Cyberthreat Research Manager

Threat actors often try to appear disciplined and highly skilled. Some run ransomware as a business, while others are organized cybercrime groups or state-sponsored teams. They invest time in tools, infrastructure, and evasion.

Public reporting shows that this image does not always match reality.

In several recent cases, attackers made basic operational security (OPSEC) mistakes. These mistakes exposed their infrastructure, their tools, and their behavior. Instead of staying invisible, attackers created visibility for defenders.

Below are three OPSEC failures reported by researchers in December 2025.

Devman: Procedural OPSEC failures in ransomware operations

In a previous article, I covered the technical details of the Devman ransomware, including how it worked and what it reused from existing ransomware code.

After the launch, Devman drew public criticism on X for what researchers described as “poor OPSEC.” Multiple analysts pointed out that the group exposed its own infrastructure and internal systems while rolling out its ransomware-as-a-service (RaaS) offering.

Reported issues included:

  • Exposed internal infrastructure during launch — Systems used to manage the operation, including internal services, were accessible from the internet.
  • Weak protection of management and communication systems — Researchers were able to observe how parts of the operation were coordinated.
  • A rushed public launch — The RaaS platform went live before internal systems were properly isolated or secured.
  • Reuse of tooling without sufficient hardening — The operation relied on existing components that had not been adequately tested from an OPSEC perspective.

The result was a public perception that the operation was immature and poorly controlled, especially for a group trying to attract affiliates.

Scattered Lapsu$ Hunters: Behavioral OPSEC failures in target verification

Actors associated with Scattered Lapsu$ Hunters (SLSH) publicly claimed they had breached a cybersecurity company. They released screenshots and stated that sensitive data had been stolen.

Follow‑up reporting showed that the accessed systems were not production environments. The attackers had interacted with a honeypot containing synthetic data designed to look realistic.

Researchers highlighted several OPSEC failures:

  • Failure to validate the target environment — Accessible systems were assumed to be real without confirming whether they were isolated or monitored.
  • Trust in synthetic data — Data that appeared legitimate was accepted as proof of compromise without deeper verification.
  • Premature public claims — The breach was announced before it had been confirmed.
  • Automation issues exposing technical details — Repeated scraping and access attempts caused proxy failures that leaked technical information useful for tracking.

The group’s credibility suffered once the claim was shown to be false.

State‑sponsored APT: Technical OPSEC failures in system isolation

Researchers found that a system used by a North Korean threat actor had been infected with LummaC2, a widely used information‑stealing malware. The infected machine belonged to a developer involved in North Korea’s cyber operations.

Analysis of the stealer logs revealed credentials and tools tied to the system. Further investigation linked the machine to infrastructure associated with the $1.4 billion Bybit cryptocurrency theft, attributed to North Korean actors including the Lazarus Group.

The reported OPSEC failures included:

  • Poor endpoint hygiene — An attacker‑controlled system was compromised by a common infostealer.
  • Credential reuse — Email accounts and credentials stored on the device were linked to known malicious infrastructure.
  • Lack of isolation — Tools, phishing domains, and operational assets were present on a single system.
  • Incomplete anonymization — VPN usage failed to fully mask browser configuration, language settings, and usage patterns.

This was not an isolated incident. An indictment unsealed in May 2025 revealed that developers behind the DanaBot malware had accidentally infected their own machines, and the recovered credential data was later used by investigators.

Both cases show how attackers can fall victim to the same threats they deploy.

Why OPSEC mistakes matter for defenders

These incidents highlight a simple truth: Threat actors are still human, and even skilled teams make human mistakes.

When those mistakes happen, they create signals defenders can observe:

  • How attackers behave after gaining access
  • Which tools and infrastructure they reuse
  • How they test, validate, and announce success
  • Where isolation and anonymization break down

Deception environments, synthetic data, and behavior‑based monitoring don’t eliminate attacks—they surface attacker behavior when assumptions fail.
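As an added example (not code from this article or from any of the reported cases), the Python script below runs two of these behavior-based checks over constructed honeypot access logs: an automation-burst detector of the kind that would have surfaced the repeated scraping in the SLSH case, and a locale check that flags a browser Accept-Language header inconsistent with the VPN exit country, the incomplete-anonymization signal from the Lazarus case. The log format, the IP addresses, the exit-country field (standing in for a GeoIP lookup), the country-to-language table, and the thresholds are all assumptions made for the example.

```python
"""Behavior-based triage of honeypot access logs (added example, not from the article)."""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed log lines in a simplified, space-separated format:
#   <ISO timestamp> <client IP> <method> <path> <status> <exit country> <Accept-Language>
# The exit country stands in for a GeoIP lookup of the source address, which is
# assumed to be a VPN exit node. Every value below is made up for the example.
_BURST = [
    f"2025-12-03T10:00:{i:02d}Z 203.0.113.7 GET /api/customers?page={i} 200 NL en-US,en;q=0.9"
    for i in range(25)
]
_OTHER = [
    "2025-12-03T10:01:10Z 198.51.100.23 GET /login 200 DE ko-KR,ko;q=0.9,en-US;q=0.8",
    "2025-12-03T10:01:42Z 198.51.100.23 POST /login 302 DE ko-KR,ko;q=0.9,en-US;q=0.8",
    "2025-12-03T10:02:05Z 198.51.100.23 GET /api/customers?page=1 200 DE ko-KR,ko;q=0.9,en-US;q=0.8",
    "2025-12-03T10:05:00Z 192.0.2.50 GET /docs 200 US en-US,en;q=0.9",
    "2025-12-03T10:09:00Z 192.0.2.50 GET /docs/api 200 US en-US,en;q=0.9",
]
SAMPLE_LOG = "\n".join(_BURST + _OTHER)

# Coarse, constructed table of language tags commonly seen from each exit country.
# A real deployment would use a proper locale/GeoIP dataset; this is illustration only.
EXPECTED_LANGUAGES = {
    "NL": {"nl", "en"},
    "DE": {"de", "en"},
    "US": {"en", "es"},
}


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        # maxsplit=6 keeps the whole Accept-Language value even if it contains spaces
        ts, ip, method, path, status, country, lang = line.split(" ", 6)
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "ip": ip, "method": method, "path": path, "status": int(status),
            "country": country, "lang": lang,
        })
    return events


def detect_bursts(events, window_seconds=60, threshold=20):
    """Return the set of IPs that issued >= threshold requests inside any window_seconds span."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e["ts"])
    flagged = set()
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):  # sliding window over sorted timestamps
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(ip)
                break
    return flagged


def primary_language(accept_language):
    """Reduce an Accept-Language header to its first language tag, e.g. 'ko-KR,ko;q=0.9' -> 'ko'."""
    first = accept_language.split(",")[0].strip()
    return first.split(";")[0].split("-")[0].lower()


def detect_language_mismatch(events, expected=EXPECTED_LANGUAGES):
    """Return {ip: (exit_country, primary_language)} for clients whose browser locale
    is not one commonly seen from their VPN exit country."""
    mismatches = {}
    for e in events:
        lang = primary_language(e["lang"])
        allowed = expected.get(e["country"])
        if allowed is not None and lang not in allowed:
            mismatches[e["ip"]] = (e["country"], lang)
    return mismatches


def triage(text):
    """Run both checks over a log and return the flagged clients per signal."""
    events = parse_log(text)
    return {"bursts": detect_bursts(events), "locale_mismatch": detect_language_mismatch(events)}


if __name__ == "__main__":
    for signal, hits in triage(SAMPLE_LOG).items():
        print(f"{signal}: {hits}")
```

Neither check proves who is behind a client; they are triage signals. A burst from one address against synthetic records is what makes a deception environment pay off, and a Korean-locale browser exiting a German VPN node is exactly the kind of residual fingerprint that a VPN alone does not hide.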

Attackers are increasingly adopting AI‑driven tooling. Automation and AI can accelerate reconnaissance, targeting, and exploitation, but they don’t remove human judgment from the loop. They can also introduce new mistakes:

  • Over‑trusting automated outputs
  • Scaling false assumptions faster
  • Repeating mistakes at machine speed

The technology changes. The people don't.

And that’s where defenders still gain visibility.