The 2025 St. Paul cyberattack was a cyberattack that started on July 25, 2025, which lead to the deployment of the National Guard in Minnesota due to, what officials stated, the magnitude and complexity of the attack. [1]
On July 29, 2025, the City of St. Paul faced a significant cyberattack that led to the activation of the Minnesota National Guard and a declaration of a state of emergency. The attack, which began on July 25, 2025, disrupted core city systems, including internal networks, online payment portals, and public Wi-Fi. [2] The attack was detected as suspicious activity on July 25, 2025, which was the first signs of the attack. [3] The attack was identified as a "deliberate, coordinated digital attack" by a sophisticated external actor targeting critical city infrastructure. [4]
The incident persisted through the weekend from July 25 to July 27, disrupting service operations. [5] To prevent escalation, city officials shut down all information systems on July 27, 2025 as a defensive measure. [6] On July 28, 2025, A full shutdown of systems began, impacting Wi-Fi at City Hall and public libraries, disabling online payment tools, and suspending network access for internal department applications. [7] Though essential emergency services, including 911 dispatch, were still completely operational. [8]
On early July 29, 2025, Mayor of St. Paul Melvin Carter publicly confirmed it was not a glitch, but a criminal cyberattack. He declared a local state of emergency empowering rapid mobilization. [9] The city of St. Paul engaged with the Federal Bureau of Investigation to assist in containment and investigation. [10] By late July 29, 2025, Governor of Minnesota Tim Walz issued an executive order activating the Minnesota National Guard’s cyber protection assets, stating the attack exceeded the city's response capabilities. [11] The deployment was intended to bolster response efforts and mitigate further impacts. [12]
On July 30, the city confirmed that despite payment systems being down and a state of emergency being in effect due to the cyber attack, workers would still receive pay checks and their wages. [13]
On August 10, 2025, the leaders of St. Paul stated that there's no more threat against security and started an initiative called "Operation Secure St. Paul" in order to restore government and local systems in St. Paul as well as securing the information of ~3,500 employees. [14] This was done through a mass password reset for their employees which around 80 computers were set up in the basement of the Roy Wilkins Auditorium at the RiverCentre in downtown St. Paul to process the password resets. [15] The mayor of St. Paul, Melvin Carter, held a discussion relating to the cyberattack confirming that it was a ransomware attack against city and government infrastructure. [16]
On August 11, 2025, after the city discovered it was a ransomware attack, the city decided to not pay the ransom that was asked and shut down all networks to isolate the incident. [17] The mayor in St. Paul confirmed that a group called "Interlock" had claimed credit for the attack, which the mayor considers a "sophisticated" and profit-driven ransomware-as-a-service organization. [18] After the city stated they wouldn't pay the ransom, the organization Interlock posted 43 gigabytes of data from the data it stole from St. Paul publicly. [19]