Semi-Annual Report 2025/1

In this semi-annual report, the National Cyber Security Centre (NCSC) presents the relevant incidents and developments in the context of cyberthreats against Switzerland and internationally. In the first half of 2025, the NCSC received 35,727 cyberincident reports, confirming that the volume of reports has stabilised at a high level. Of these reports, 58 % were related to fraud. The main cyberthreats facing Switzerland remained the same, although attackers continued to innovate in their methods.

Ransomware and associated data extortion continue to pose a significant threat to organisations of all types in Switzerland. In the first half of 2025, the NCSC received 57 reports of ransomware incidents, mostly from companies and organisations. This represents a slight increase compared with the 44 incidents reported during the same period the previous year. Where the ransomware strain was identified, the majority of reports cited "Akira", with "LockBit" the next most common. One of the key challenges facing organisations is cyberattacks within the supply chain, as an attack on an IT company can also have a negative impact on its business customers.

A key issue in the distribution of real-time phishing, malware, and fraudulent investment products is the growing exploitation of paid advertising on search engines and social media. Online investment fraud in particular involves victims being tempted to make ill-considered investments by such adverts. Recovery fraud – where victims of online investment scams are approached again with false promises of getting their money back – has now also taken hold in Switzerland.

In the first half of 2025, several real-time phishing campaigns and two-stage phishing attacks specifically targeted Swiss bank customers. Victims were lured to fake e-banking pages via paid advertisements that appeared in search engine results ahead of the genuine login sites. Criminals also spread phishing pages via online classified ads to steal credit card details, Twint account and e-banking logins. Two-stage phishing attacks were increasingly reported. In this type of attack, customers are first asked to provide less sensitive details, such as their phone number, on a phishing page. In a second step, the scammers then use this information to call their victims, pretending to warn them about fraudulent transactions. This is how they obtain access to their victims' e-banking credentials.

Switzerland was affected by distributed denial-of-service (DDoS) attacks again in this reporting period. In addition to pro-Palestinian groups, pro-Russian hacktivist groups also relied on DDoS attacks, temporarily disrupting publicly accessible services such as websites. Notably, targeted prevention and defence measures successfully averted significant impact during the Annual Meeting of the World Economic Forum (WEF) and the Eurovision Song Contest (ESC). DDoS attacks do not involve breaking into systems, but rather overwhelming services with traffic, which leads to temporary outages. For hacktivists, DDoS attacks remain attractive during high-profile events with international attention, as they generate media coverage for their cause and unsettle the public.

Due to its strong international ties and reliance on widely used software products, vulnerabilities that are relevant globally also affect Switzerland's IT landscape. Attackers exploit these vulnerabilities to gain access to companies' IT systems, which can result in data leaks. State actors may also exploit vulnerabilities for espionage or sabotage purposes. Despite the increasingly challenging nature of navigating an international environment marked by geopolitical tension and conflict, Switzerland's cyberthreat situation has so far remained relatively stable.

We would like to know your opinion on the content of the current semi-annual report, so that we can better adapt such products to your needs in the future. Therefore, we would be grateful if you could reply to the following questions (about 2 minutes). You can then send us the form by clicking on the "Submit" button.

The questionnaire is anonymous and personal information such as your age or profession are only aimed to understand the needs of each target audience. But you can leave your email address should you have any questions or comments which you would like us to follow up upon. We are looking forward to reading your thoughts and comments.