Logo

Cyberspace in 2025: a year of fraud

Cable faults, service outages and denial-of-service attacks all occurred more often than expected in 2025. Above all, however, the year will be remembered for the record number of scams and the damage they caused.

Cases drawn from reports by the Police and Border Guard Board and RIA could fill an entire book:

  • A 57-year-old man was contacted by a person presenting themselves as an investment adviser. Acting on the adviser’s guidance, he registered on a cryptocurrency trading platform and made an initial deposit of 1,300 euros. Over the next six months, following the fraudsters’ instructions, he transferred funds from his company’s accounts to the fake platform, totalling 504,400 euros.
  • A 54-year-old woman met a stranger on Messenger. After a few days of conversation, the man steered the discussion towards investing and advised her to register on an investment platform. At the scammers’ urging, the victim took out loans over a five-month period and handed over cash and gold so that the scammers could deposit the funds on the platform. She also sold her apartment and gave the proceeds to a courier. The scam resulted in losses of at least €200,000, based on initial estimates.
  • A 71-year-old woman received calls from scammers posing as the police and a bank. Following their instructions, she sold two apartments she owned, withdrew the proceeds in cash and handed the money over to strangers. The estimated loss in this case amounts to 138,000 euros.

Taken together, the losses from just these three cases in Estonia total nearly one million euros, with all fraud-related losses recorded in 2025 amounting to 29 million euros.

Pie chart. 10,185 incidents with impact in 2025: Fraud 4,524 incidents, Phishing 2,809 incidents, Malicious redirection 1,266 incidents, Service disruption 917 incidents, Malware 298 incidents, Account takeover 96 incidents, DDoS attack 95 incidents, Data breach 59 incidents, and 121 other incidents.

An endless avalanche

That sum exceeds the annual budget of the resort town of Haapsalu in western Estonia. It would have been enough to build a new state secondary school or to buy several new trains for the national rail operator Elron. By contrast, the national broadcaster ETV’s annual charity programme Jõulutunnel, raised less than 400,000 euros to support the treatment of children with rare diseases, while scammers took in tens of millions.

Previously, the language barrier offered at least some protection. In 2025, that defence collapsed.

Estonian speakers have been recruited by foreign call centres that run scams. A single scam now often involves two or three fluent Estonian speakers: one posing as, for example, a Health Insurance Fund employee, another as a bank official and a third as a police officer.

The scenarios vary – replacing an electricity meter, an investment scheme promising exceptional returns, an unclaimed benefit or something else entirely – but the outcome is the same. By entering PIN codes during a call, handing over bank card details or transferring money to a fraudulent platform, victims part with their savings. The chances of recovering that money are almost non-existent.

So far, phone scams have been carried out by real people. Given the pace at which artificial intelligence is learning Estonian, however, we will very likely start receiving calls from machines in the coming years. At least initially, AI may not be as persuasive as a human, but quantity can compensate for quality.

AI has already been used for some time to generate phishing emails, messages and websites. The increase in volume has been striking: in 2025, we detected more scam websites than ever before, mostly masquerading as online shops or investment platforms. Once such pages are discovered, we ask hosting providers to remove them, but new ones appear just as quickly.

Although an informed and cautious public remains the most critical line of defence, technical measures can also significantly constrain scammers’ operations. For phone users, the Encrypted DNS application developed by CERT-EE helps block access to known malicious websites where users risk losing money or personal data.

In addition, SK ID Solutions introduced an updated version of its Smart-ID authentication tool, marketed as Smart-ID+. While it is no silver bullet against all scams, it is expected to slow down some phone scams that pressure users to enter PIN codes.

Illustratsioon: väikesed mustad inimkujud lükkavad müürile lähemale ratastel puidust piiramismasinaid, mille rammi otsas on aju kirjaga "AI"

No one should lower their guard. When one opportunity closes, scammers look for the next, and it would be naïve to assume they will not find one.

Why do we write and talk so much about scams? 29 million euros is a large sum, but the issue is not only money. It is also about trust and the public’s general sense of security. How safe people perceive cyberspace to be depends mainly on how freely crime is allowed to operate there.

Even if they have not been affected themselves, almost everyone knows someone who has fallen victim to a scam – by entering PIN codes when they should not have or handing over bank card details or money. All of this affects people’s sense of security and their trust in digital services generally. You can read more about scams from the article ‘A surge in scams costs Estonian people 29 million euros’.

Geopolitical echoes in Estonia’s cyberspace

Russia’s full-scale war against Ukraine, launched in 2022, led to a sharp increase in denial-of-service attacks against Estonia. This is no longer news – we have covered it in the past three annual reports. Nor was 2025 an exception. In 2025, the number of denial-of-service attacks reached yet another record, but attackers enjoyed little success: for the second year in a row, the number and share of attacks that had any impact at all – usually a brief disruption to a website or service – declined.

There were, however, some surprises. While Estonia had previously been a favoured target of pro-Kremlin hacktivists angered by our support for Ukraine, last year also brought attacks by pro-Palestinian groups from the Middle East, North Africa and Southeast Asia.

Their most notable campaigns took place in April and May. These attack waves were large in scale and more complex than average, with attackers continuously adjusting their tactics in an attempt to circumvent defensive measures.

You can read more about denial-of-service attacks, their impact and the reasons Estonia became a target for pro-Palestinian groups from the article ‘DDoS attacks: new groups target Estonia’.

Not every incident is an attack

While denial-of-service attacks caused disruptions or outages in 95 cases, incidents arising from other causes were almost ten times more numerous. In most instances, these were not the result of malicious intent or deliberate planning but stemmed from human error, configuration issues, or software and hardware faults.

Last year did not bring service outages that shook society as a whole, but more minor inconveniences were frequent. In May, telecommunications provider Elisa experienced disruptions to its voice services. In June, some Telia customers in Lääne-Viru County were affected. Estonian Health Insurance Fund services, such as digital prescriptions and insurance status checks, experienced repeated disruptions, and on several occasions, the automated border control gates (ABC gates) stopped working. There were also faults affecting internet banking, Mobile-ID and Smart-ID. On multiple occasions, passengers were unable to purchase train tickets on Elron’s website due to issues with Ridango’s systems, which manage the ticketing platform.

Number of incidents with an impact doubled. 2,672 incidents in 2022, 3,314 incidents in 2023, 6,515 incidents in 2024, and 10,185 incidents in 2025.

The most visible incidents, however, were two service outages whose causes lay outside Estonia, in the United States. On 18 November, a failure at Cloudflare – a global internet infrastructure and security company whose services are widely used in Estonia – led to widespread disruption. For several hours, major news portals (Delfi, Eesti Ekspress and Õhtuleht) were unavailable, while the websites of long-distance coach operator Lux Express and rail operator Elron were also affected, preventing ticket purchases.

An outage of this scale at a company on which a large share of the world’s internet depends is rare. Even more unusual was the fact that a similar incident occurred less than three weeks later. This time, many public-sector websites in Estonia were affected, including those of the parliament, the government and the police. Bolt’s website and app were unavailable, and disruptions to the national authentication service TARA lasted about 20 minutes.

In the first case, the outage was caused by an error during a database update. In the second, a firewall change did not proceed as intended.

The year ended with further reports of problems affecting undersea cables.

On 28 December, faults occurred in the Citic Telecom data cable between Estonia and Sweden. On 30 December, problems affected Telia’s cable connecting the island of Hiiumaa with mainland Estonia, as well as Arelion’s cable between Hiiumaa and Sweden. On the final day of the year, damage was reported to two cables connecting Estonia and Finland, one operated by Elisa and the other by Arelion. Investigations are ongoing, but the incidents did not result in major service disruptions, as data traffic was rerouted through alternative connections.

This is how all services – and our cyber defence – should work. If one connection or data centre goes offline due to a fault or an attack, service provision should quickly switch to a backup solution.

Cybersecurity should be layered, like a mille-feuille.

If the first layer fails to stop an attacker and a phishing email recipient clicks on a link, the second layer – background software – should block the connection to the phishing site before the user has a chance to enter their details. Layered defence and services with robust backup solutions are essential.

2025 in cyberspace

  • January

    • Denial-of-service attacks target a bank operating in Estonia, causing brief disruptions to its online services.
    • Phishing emails and messages circulate in the name of the Estonian Tax and Customs Board, claiming that recipients are entitled to a tax refund. Users are prompted to scan a QR code that leads to a phishing website.
    • The automated border control (ABC) gates stop working due to an expired certificate. 

  • February

    • At the beginning of the month, Mobile-ID experiences disruptions in Elisa’s network, and at the end of the month, in Telia’s network.
    • Disturbances in the emergency alert system cause longer-than-usual wait times for some 112 calls.
    • The Eesti.ee application is unavailable for more than 24 hours.

  • March

    • Denial-of-service attacks targeting a bank’s name servers disrupt its online banking, mobile app, and instant payment services.
    • Login disruptions affect systems within the Ministry of the Interior’s area of government, including those of the Police and Border Guard Board and the Emergency Response Centre.
    • Smart-ID experiences service disruptions.

  • April

    • At the beginning of the month, Estonia faces a large wave of denial-of-service attacks. The attacks are more technically complex than usual, resulting in brief outages on some websites.
    • Scam phone calls spread in which fraudsters pose as Health Insurance Fund employees and persuade victims to enter their Smart-ID PIN codes.

  • May

    • During maintenance work on East Tallinn Central Hospital's IT systems, a fault occurs that prevents servers from accessing necessary data. A crisis situation is declared: surgeries are postponed, and patients arriving at the emergency department are redirected to other hospitals. Network services are restored after 2.5 hours.

  • June

    • During maintenance work, the external connections of the Health and Welfare Information Systems Centre (TEHIK) are interrupted, affecting dependent services: the health information system, Health Insurance Fund services (digital prescriptions, insurance status checks and incapacity benefits), the health portal, and TEHIK’s website.
    • A fault in an administrative system disrupts many systems in the Ministry of the Interior’s area of government. As a result, waiting times for emergency calls and queues at border crossing points are longer than usual. Document issuance at Police and Border Guard Board offices and Selver stores is interrupted.

  • July

    • The emergency call handling information system malfunctions again. Emergency response centres revert to pen and paper, slowing work and causing call queues.
    • Mobile-ID experiences several disruptions. In at least two cases, the cause is a denial-of-service attack.
    • In the Eesti.ee application, queries related to identity documents and other services fail. A sudden surge in users reveals a configuration error that did not appear under a lighter load.

  • August

    • The engineering company Hekotek’s loss of more than 1 million euros to scammers becomes public. The chain of events began with a scam call to the company’s chief financial officer, in which fraudsters pose as Health Insurance Fund employees.
    • Phishing emails circulate in the name of Elisa and Telia. Emails sent in Elisa’s name claim that customers have overpaid and request payment details for a refund. Emails sent in Telia’s name claim an outstanding bill and direct recipients to a fraudulent payment link.

  • September

    • Train ticket sales on Elron’s website are interrupted twice. In both cases, the cause is an error in Ridango’s systems, which operate the ticketing platform.
    • Disruptions affect the services of Swedbank (online banking, app and card payments), Luminor (card payments) and SEB (website).
    • Phishing messages circulate in Omniva’s name, and scam emails circulate in Telia’s name.

  • October

    • Local government council elections pass with relatively few incidents. Denial-of-service attacks target election-related websites, but these have no impact.
    • The population register services malfunction, disrupting dependent services, such as emergency call handling and identity document services.
    • Various phone and online scams resurface. A large share of scam calls are made in the name of Elektrilevi and the Health Insurance Fund, offering to replace electricity meters or reimburse healthcare costs.

  • November

    • A Cloudflare outage causes disruptions in many countries, including Estonia. For several hours, the news portals Delfi, Eesti Ekspress and Õhtuleht, as well as etv.ee and vikerraadio.ee, are unavailable. The websites of Lux Express and Elron are also disrupted, preventing ticket purchases, and Enefit’s website is affected as well.
    • Denial-of-service attacks target the websites of Tallinn and Tartu, causing brief outages and slowdowns.

  • December

    • Cloudflare systems malfunction again. Many public-sector websites are unavailable, including those of the parliament, the government and the police. The national authentication service TARA and Bolt’s applications are also disrupted. In Estonia, the outage lasts about 20 minutes.
    • A family medical centre reports that it has been hit by a ransomware attack. Data on two servers, as well as backups, are encrypted. The affected servers contain patient data, medical records and appointment schedules, paralysing the centre’s operations.
    • Train ticket sales on Elron’s website are interrupted once again.

The other articles of ‘Cyber Security in Estonia 2026’

Cyber Security Situation in the cyberspace Yearbook

Last updated: 11.02.2026

open graph imagesearch block image