CrowdStrike Report: Financial Services Under Siege from eCrime and Nation-State Threats

CrowdStrike's 2026 Financial Services Threat Landscape Report reveals a 43% global increase in hands-on-keyboard intrusions against financial institutions, $2.02 billion in DPRK-linked crypto theft, and intensifying eCrime pressure with 423 named victims on leak sites.

Summary

CrowdStrike’s 2026 Financial Services Threat Landscape Report, covering April 2025 through March 2026, paints a stark picture of a sector under sustained and intensifying pressure from multiple adversary types. Financial services now accounts for 12% of all observed intrusion activity globally, making it the fourth most-targeted sector. The report documents that hands-on-keyboard intrusions against financial institutions jumped 43% globally and 48% in North America over the past two years — a signal that automated attacks are increasingly giving way to active adversary operations.

On the eCrime front, big game hunting (BGH) threat actors named 423 financial services entities on dedicated leak sites during the reporting period, a 27% increase year-over-year. MUTANT SPIDER led as the most active eCrime threat to the sector, likely selling access to ransomware operators. SCATTERED SPIDER resumed aggressive ransomware operations against insurance entities following a significant hiatus. The report also tracks CHATTY SPIDER’s data theft campaigns targeting legal and financial firms, SOLAR SPIDER’s continued operations against European and Asian financial institutions, and PLUMP SPIDER’s sustained targeting of Brazilian financial entities.

Nation-state threats are equally concerning. DPRK-nexus groups stole $2.02 billion in digital assets in 2025, a 51% increase from 2024, with PRESSURE CHOLLIMA alone accounting for $1.46 billion through trojanized software distributed via supply chain compromise. FAMOUS CHOLLIMA doubled its operational tempo and STARDUST CHOLLIMA tripled its own, using recruiter impersonation, malicious coding challenges, and synthetic video conferencing to target fintechs globally. China-nexus adversaries pose the most significant intelligence collection threat: groups such as HOLLOW PANDA, VAULT PANDA, and MURKY PANDA have run operations in South America, Southeast Asia, and elsewhere against cloud environments and email systems.

Why It Matters

Financial services organizations face a unique convergence of threats: eCrime groups motivated by direct financial gain, DPRK actors treating cryptocurrency theft as a state-funded revenue stream, and China-nexus groups conducting sustained intelligence collection. This triple threat demands defense strategies that address ransomware, supply chain compromise, social engineering, and cloud credential theft simultaneously — priorities that often compete for limited security budgets.

Defender Takeaways

  • Implement identity-centric detection and response for cloud environments; China-nexus groups are increasingly targeting M365 and cloud infrastructure in financial organizations.
  • Prioritize supply chain risk management, particularly for software dependencies and third-party integrations, since the report ties the largest single DPRK theft figure to trojanized software delivered through a supply chain compromise.
  • Deploy continuous hunting for social engineering campaigns targeting employees — DPRK groups are using sophisticated recruiter impersonation and fake coding challenge lures to gain access.
  • Monitor for anomalous DLL search-order hijacking and edge device exploitation, common TTPs across China-nexus operations targeting financial entities.
  • Prepare for ransomware response with emphasis on data exfiltration scenarios — leak site naming has become the primary extortion mechanism, with 423 financial entities named in the reporting period.
  • Apply zero-trust architecture principles to limit lateral movement, particularly for access paths that connect cloud services, payment systems, and customer data stores.
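The DLL search-order hijacking takeaway above is the one item in this list concrete enough to show as detection logic. The following is an added example, not code from CrowdStrike or the report: it runs a simple rule over a handful of constructed image-load events (Sysmon-style `pid`/`image`/`module` fields, assumed) and flags a DLL with a Windows system name loaded from outside System32/SysWOW64, which is the pattern a search-order hijack or side-load produces. The watched-DLL list, the user-writable-path hints, and the allowlist format are illustrative assumptions.

```python
"""
Flag image-load events where a DLL normally resolved from a Windows system
directory is instead loaded from somewhere else (search-order hijack / side-load).
Everything below is an illustrative example; the events are constructed, not real telemetry.
"""
from pathlib import PureWindowsPath

# Trailing backslash so "c:\windows\system32evil\" does not match.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Path fragments that usually indicate a user-writable location (assumption, not exhaustive).
USER_WRITABLE_HINTS = ("\\users\\", "\\temp\\", "\\programdata\\", "\\public\\")

# DLLs frequently abused because applications resolve them by bare name.
# Illustrative list; a real deployment would maintain and tune this.
WATCHED_DLLS = {
    "version.dll", "dbghelp.dll", "cryptsp.dll", "wininet.dll",
    "userenv.dll", "profapi.dll", "dwmapi.dll", "uxtheme.dll",
}

# Constructed sample image-load events (Sysmon-like shape, assumed for the example).
SAMPLE_EVENTS = [
    {"pid": 4120, "image": r"C:\Program Files\Vendor\app.exe",
     "module": r"C:\Windows\System32\version.dll"},            # normal resolution
    {"pid": 4120, "image": r"C:\Program Files\Vendor\app.exe",
     "module": r"C:\Program Files\Vendor\dbghelp.dll"},        # side-load from app dir
    {"pid": 5522, "image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "module": r"C:\Users\alice\AppData\Local\Temp\version.dll"},  # hijack in user-writable dir
    {"pid": 5522, "image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "module": r"C:\Users\alice\AppData\Local\Temp\helper.dll"},   # not a watched name
    {"pid": 6001, "image": r"C:\Windows\System32\svchost.exe",
     "module": r"C:\Windows\System32\cryptsp.dll"},            # normal resolution
]


def _norm(path: str) -> str:
    """Normalise a Windows path for comparison: backslashes, lower case."""
    return str(PureWindowsPath(path)).lower()


def is_system_path(path: str) -> bool:
    """True if the path sits under one of the Windows system DLL directories."""
    p = _norm(path)
    return any(p.startswith(d) for d in SYSTEM_DIRS)


def is_user_writable(path: str) -> bool:
    """Heuristic: does the path look like it lives in a user-writable location?"""
    p = _norm(path)
    return any(hint in p for hint in USER_WRITABLE_HINTS)


def find_hijack_candidates(events, allowlist=frozenset()):
    """
    Return one finding per event where a watched DLL name was loaded from a
    non-system directory. `allowlist` holds normalised (image, module) pairs
    that a baseline has already judged legitimate.
    """
    findings = []
    for ev in events:
        module = ev["module"]
        dll_name = PureWindowsPath(module).name.lower()
        if dll_name not in WATCHED_DLLS or is_system_path(module):
            continue
        image_n, module_n = _norm(ev["image"]), _norm(module)
        if (image_n, module_n) in allowlist:
            continue
        # A DLL dropped beside the loading binary is the classic side-load layout.
        same_dir = PureWindowsPath(image_n).parent == PureWindowsPath(module_n).parent
        findings.append({
            "pid": ev["pid"],
            "image": ev["image"],
            "module": module,
            "dll": dll_name,
            "side_loaded_from_image_dir": same_dir,
            # A system-named DLL in a user-writable directory is the stronger signal.
            "severity": "high" if is_user_writable(module) else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in find_hijack_candidates(SAMPLE_EVENTS):
        print(f"[{f['severity']}] pid={f['pid']} {f['dll']} loaded from {f['module']}")
```

In practice the allowlist is built from a baseline of known-good (image, module) pairs, because vendors do legitimately redistribute DLLs such as dbghelp.dll next to their binaries; those fire as medium until baselined, while the same DLL name appearing in a Temp or Users directory is the case worth an analyst's time.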

Source

Title: CrowdStrike 2026 Financial Services Threat Landscape Report — CrowdStrike Counter Adversary Operations
URL: https://www.crowdstrike.com/en-us/blog/crowdstrike-2026-financial-services-threat-landscape-report/