The financial services industry is the fourth most-targeted sector globally, accounting for 12% of all observed activity. eCrime and nation-state adversaries spanning all motivations target these organizations due to their unique convergence of valuable assets, strategic intelligence, and geopolitical significance.
The CrowdStrike 2026 Financial Services Threat Landscape Report analyzes the key trends shaping the sector from April 1, 2025, through March 31, 2026. The report provides insights organizations need to anticipate threats and strengthen defenses as attacks continue to evolve.
Hands-on-keyboard intrusions against financial institutions increased 43% globally and 48% in North America over the past two years. As these threats accelerate, businesses must understand how adversaries operate in order to stop them.
eCrime pressure on financial services intensifies
eCrime activity targeting financial services escalated in 2025. Big game hunting (BGH) adversaries named 423 financial services entities on dedicated leak sites, a 27% increase year over year.
MUTANT SPIDER drove the highest volume of intrusions during the reporting period and likely sold access to ransomware operators. SCATTERED SPIDER resumed aggressive ransomware operations against insurance entities following a significant pause.
Additional eCrime activity included:
- CHATTY SPIDER conducted high-tempo data theft and extortion campaigns targeting legal and financial services organizations, leaking data from 41 victims.
- SOLAR SPIDER targeted financial institutions across Europe, the Middle East, South Asia, and Southeast Asia using transaction-themed lures to deploy remote access tools.
- PLUMP SPIDER has targeted Brazilian financial entities since at least 2023 in attempts to access payment systems and conduct fraudulent transactions.
Nation-state adversaries scale theft and deception
Democratic People’s Republic of Korea (DPRK)-nexus groups sustained operations targeting cryptocurrency and fintech entities. These adversaries stole $2.02 billion in digital assets in 2025, a 51% increase from 2024. Stolen funds directly support the regime’s military programs. PRESSURE CHOLLIMA stole $1.46 billion in cryptocurrency through trojanized software distributed via supply chain compromise — the largest single financial theft ever reported.
DPRK-nexus threat actors increased operational tempo and advanced their social engineering tradecraft against financial entities. FAMOUS CHOLLIMA doubled their operations, targeting cryptocurrency exchanges, fintech platforms, and traditional banks.
STARDUST CHOLLIMA tripled their operational tempo, using recruiter impersonation, malicious coding challenges, and synthetic video conferencing environments to target fintechs across North America, Europe, and Asia.
China-nexus adversaries posed the most significant intelligence collection threat to financial services organizations, especially in South and Southeast Asia. These operations likely reflect interest in regional financial systems and economic intelligence.
Observed China-nexus tactics, techniques, and procedures (TTPs) include:
- HOLLOW PANDA targeted financial institutions in South America and Southeast Asia.
- VAULT PANDA deployed KEYPLUG malware via DLL search-order hijacking.
- GENESIS PANDA targeted a Southeast Asia-based financial entity and a North American fintech organization using VShell implants and FScan utilities.
- MURKY PANDA deployed a Chinese operational relay box (ORB) network to access Microsoft 365 email accounts from more than 150 IP addresses in 36 countries; they targeted 340 organizations across 30+ sectors, including financial services.
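As an added example that is not part of the report or of any CrowdStrike tooling, the following Python heuristic flags the access pattern attributed to the ORB network above: a single mailbox reached from many source IPs in many countries within a short window. The sign-in records, their field layout and the thresholds are constructed assumptions, not the report's data or a real log schema.

```python
# Added example (not from the CrowdStrike report): a defender-side heuristic
# for mailbox sign-ins routed through a relay network of many IPs in many
# countries. Records below are constructed; real input would come from
# Entra ID / Microsoft 365 sign-in logs (field names here are assumed).
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_SIGNINS = [
    # (timestamp, user, source_ip, country) -- constructed sample data
    ("2025-09-01T08:00:00", "alice@bank.example", "203.0.113.10", "US"),
    ("2025-09-01T08:05:00", "alice@bank.example", "198.51.100.7", "DE"),
    ("2025-09-01T08:09:00", "alice@bank.example", "192.0.2.44", "BR"),
    ("2025-09-01T08:12:00", "alice@bank.example", "203.0.113.77", "IN"),
    ("2025-09-01T09:00:00", "bob@bank.example", "203.0.113.5", "US"),
    ("2025-09-01T17:00:00", "bob@bank.example", "203.0.113.5", "US"),
]

def parse(record):
    ts, user, ip, country = record
    return datetime.fromisoformat(ts), user, ip, country

def find_orb_like_accounts(records, window=timedelta(hours=24),
                           min_ips=3, min_countries=3):
    """Return {user: (distinct_ips, distinct_countries)} for accounts whose
    sign-ins inside some sliding window span many IPs and many countries.
    Thresholds are tunable assumptions, not values from the report."""
    by_user = defaultdict(list)
    for rec in records:
        ts, user, ip, country = parse(rec)
        by_user[user].append((ts, ip, country))
    flagged = {}
    for user, events in by_user.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # shrink the window from the left until it fits the time span
            while events[end][0] - events[start][0] > window:
                start += 1
            win = events[start:end + 1]
            ips = {e[1] for e in win}
            countries = {e[2] for e in win}
            if len(ips) >= min_ips and len(countries) >= min_countries:
                # keep the widest spread seen for this account
                flagged[user] = max(flagged.get(user, (0, 0)),
                                    (len(ips), len(countries)))
    return flagged

if __name__ == "__main__":
    for user, (n_ip, n_cc) in find_orb_like_accounts(SAMPLE_SIGNINS).items():
        print(f"{user}: {n_ip} IPs across {n_cc} countries within 24h")
```

Tune the thresholds against a baseline of normal roaming and VPN use before alerting; a low-and-slow relay operation will also need the window widened.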
The trends outlined in this report create significant operational risk for financial services businesses. Ransomware pressure, sustained intelligence collection, and continued digital asset theft often move quickly through trusted access paths. As AI capabilities advance, adversaries are likely to increase the sophistication, scale, and speed of their operations.
Defenders need intelligence-led visibility, continuous hunting, and the ability to act quickly with context. CrowdStrike Counter Adversary Operations combines threat intelligence, managed threat hunting, and trillions of telemetry events from the AI-powered CrowdStrike Falcon® platform to detect, disrupt, and stop evasive adversaries.
Learn more: Download the CrowdStrike 2026 Financial Services Threat Landscape Report.
Article: New Threat Intelligence: The CrowdStrike 2026 Financial Services Threat Landscape Report