Sector Assessment

Financial Services Threat Landscape: Intelligence Briefing

February 18, 2026
Executive Summary

The global financial services sector—encompassing commercial and investment banks, insurance carriers, asset managers, payment processors, and securities exchanges—occupies a singular position in the cyber threat landscape as the highest-value target category for financially motivated, espionage-driven, and destructive cyber operations. IBM’s 2024 Cost of a Data Breach Report places the average cost of a breach in financial services at $5.9 million, the highest across all industries and 28% above the global average. The sector has experienced a 300% increase in cyber attacks since 2020, driven by accelerated digital banking adoption, the expansion of real-time payment systems, and API-driven open banking architectures that have fundamentally expanded the attack surface. Dark Angel’s assessment, informed by 34 incident response engagements across European and Middle Eastern financial institutions, monitoring of 53 ransomware data leak sites, and analysis of over 2.8 million compromised credential sets targeting financial portals, concludes that the sector faces a threat environment of unprecedented breadth. The concurrent application of the EU’s Digital Operational Resilience Act (DORA) from January 2025 adds a binding regulatory dimension that transforms threat intelligence from a discretionary investment into a compliance obligation for over 22,000 financial entities. This report assesses the threat vectors, actor categories, and operational risks confronting financial services, mapping defensive priorities to the current threat landscape and the emerging regulatory framework.

Threat Landscape Overview

Financial Sector Attack Statistics

Financial institutions are targeted by every category of cyber threat actor at a frequency that exceeds any other sector. This is a direct consequence of the sector’s unique characteristics: liquid assets that can be stolen with minimal laundering friction, transaction volumes that create opportunities for fraud at scale, personally identifiable financial records whose regulatory sensitivity creates extortion leverage, and critical national infrastructure whose disruption carries systemic economic consequences.

The Financial Services Information Sharing and Analysis Center (FS-ISAC) reported a 300% increase in cyber attacks against financial institutions between 2020 and 2024, with the steepest acceleration in credential theft and ransomware. The IMF’s April 2024 Global Financial Stability Report noted that financial firms account for nearly one-fifth of all reported cyber incidents globally and that “the potential for severe macro-financial impact from cyber incidents has increased significantly” due to technology concentration and operational interconnectedness.

Key Threat Vectors

Credential theft and account takeover remain the most prevalent initial access vector. The infostealer ecosystem—RedLine, Raccoon Stealer, Vidar, Lumma—has industrialized credential harvesting at scale. Dark Angel identified over 2.8 million unique credential pairs targeting financial login portals in the twelve months ending March 2025, a 74% year-over-year increase. These credentials enable direct consumer fraud, but more critically provide initial access footholds into corporate environments when employees reuse credentials or when infostealers on corporate endpoints harvest session tokens and VPN certificates.

Business Email Compromise (BEC) generates the highest aggregate losses of any cybercrime category affecting the sector. The FBI’s IC3 reported $2.9 billion in adjusted BEC losses in 2023, with financial institutions serving as both direct targets and conduits for wire transfer execution. BEC sophistication has escalated with generative AI tools producing flawless impersonation emails and deepfake audio for fraudulent transfer validation.

Insider threats present a qualitatively different risk profile in financial services. The combination of direct access to monetary assets, knowledge of transaction authorization workflows, and high-value proprietary information creates elevated motivation and opportunity. Ponemon Institute found financial services organizations experience insider incidents at 1.6 times the cross-industry average, with costs averaging $16.2 million per incident.

Ransomware has evolved from a peripheral concern to an existential operational risk. Double-extortion tactics—combining encryption with data theft and threatened publication—make financial institutions highly attractive targets. Ransomware groups citing specific GDPR, PCI DSS, and DORA penalty frameworks in extortion communications create compliance-aware pressure that compounds operational disruption.

“Financial services institutions face a unique threat multiplier: the convergence of direct monetary theft opportunity, regulatory penalty leverage, systemic disruption potential, and intelligence value to nation-states creates a targeting intensity no other sector experiences simultaneously across all four dimensions.”

— Dark Angel Financial Sector Threat Assessment, Q1 2025

Banking Trojans and Credential Harvesting

Major Desktop Banking Malware Families

The banking trojan ecosystem has transformed from single-purpose credential stealers into modular attack platforms serving as initial access brokers for ransomware, espionage, and fraud networks simultaneously.

Emotet’s legacy continues to shape the landscape despite its January 2021 disruption. Emotet pioneered the malware-as-a-distribution-service model—a spam-driven initial infection loading secondary payloads for paying customers—that every current banking malware family has adopted. Before takedown, Emotet was the primary delivery mechanism for TrickBot, QakBot, and ultimately Ryuk and Conti ransomware.

QakBot demonstrated remarkable resilience following the FBI’s Operation Duck Hunt in August 2023. Within three months, operators rebuilt infrastructure with updated encryption and communication protocols. Post-takedown variants employ enhanced sandbox detection, aggressive process injection, and a redesigned C2 protocol fragmenting communications across legitimate cloud services. Q1 2025 campaigns demonstrate particular focus on corporate banking portals with web injection configurations tailored to intercept MFA tokens during session establishment.

IcedID has completed its transition from banking trojan to pure initial access platform, its banking module effectively deprecated in late 2023 in favor of a streamlined variant focused on persistent network access and ransomware delivery. This evolution means IcedID infections that previously manifested as fraudulent transactions now function as advance reconnaissance for ransomware deployments.

Dridex and the Evil Corp ecosystem illustrate the convergence between banking fraud and ransomware. Following US Treasury OFAC sanctions against Evil Corp principals in December 2019, the group pivoted from an estimated $100 million in banking fraud to ransomware delivery (BitPaymer, WastedLocker, Hades, Macaw Locker), adopting rapid rebranding to obscure attribution and avoid sanctions-related payment restrictions on victims.

Mobile Banking Trojans

With 73% of Eurozone retail banking interactions now occurring via mobile (ECB data), mobile banking trojans have intensified dramatically.

Xenomorph v3 targets over 400 banking applications across 14 countries with overlay injection, automated transfer system (ATS) capabilities executing complete fraudulent transactions without operator interaction, and cookie-stealing that captures session tokens from mobile browser sessions. The ATS engine can complete transactions—including navigating MFA challenges—faster than conventional fraud detection can evaluate them.

Godfather targets over 400 banking applications and 110 cryptocurrency exchanges, repeatedly found embedded in Google Play Store applications using staged payload delivery that bypasses Play Protect scanning. Q4 2024 campaigns demonstrated targeting of PSD2 strong customer authentication flows.

SharkBot exploits Android accessibility services to interact directly with legitimate banking applications, auto-filling transfer forms with attacker-controlled details—a technique that bypasses anti-overlay defenses and makes fraudulent transactions indistinguishable from legitimate user-initiated transfers at the application layer.

Credential Harvesting from Stealer Logs

The industrialization of infostealer distribution has fundamentally changed credential threat economics. Dark Angel’s analysis of infostealer log marketplaces—Russian Market, Genesis Market successor platforms, Telegram channels—identified 2.8 million credential pairs targeting financial institution login portals in the year ending March 2025. The most significant risk arises from harvested employee credentials and session tokens providing authenticated access to internal banking systems, VPN concentrators, and privileged access management platforms.

| Malware Family | Type | Primary Targets | Key Capabilities | Status (Q1 2025) |
|---|---|---|---|---|
| QakBot (QBot) | Desktop Loader/Trojan | Corporate banking, treasury platforms | Web injection, MFA interception, ransomware delivery | Active (rebuilt post-takedown) |
| IcedID (BokBot) | Desktop Loader | Enterprise networks, financial orgs | Initial access brokerage, ransomware staging | Active (banking module deprecated) |
| Dridex / Evil Corp | Desktop Trojan/Loader | Banking fraud, ransomware delivery | Credential theft, ATS, ransomware pivot | Active (rebranded variants) |
| Xenomorph v3 | Android Banking Trojan | 400+ banking apps, 14 countries | Overlay injection, ATS, cookie theft | Active |
| Godfather | Android Banking Trojan | 400+ banking apps, 110 crypto exchanges | Play Store distribution, SCA bypass | Active |
| SharkBot | Android Banking Trojan | European banking apps | Accessibility service abuse, direct app interaction | Active |
| RedLine Stealer | Infostealer | All browser-stored credentials | Credential/cookie/wallet theft, MaaS model | Active (dominant market share) |
| Lumma Stealer | Infostealer | All browser-stored credentials | Advanced anti-detection, session hijacking | Active (rapidly growing) |

Payment System and SWIFT Targeting

SWIFT Network Attack History

The SWIFT network—facilitating over 46 million financial messages daily across 11,000 institutions in 200 countries—has been the target of some of the most consequential cyber attacks in financial crime history. The Bangladesh Bank heist (February 2016), attributed by the FBI to North Korea’s Lazarus Group, saw attackers compromise Bangladesh Bank’s SWIFT terminal environment through spear-phishing that established persistent access approximately one year prior to the attack. On February 4–5, 2016, the attackers submitted 35 fraudulent SWIFT MT103 messages requesting the Federal Reserve Bank of New York to transfer $951 million. Five transfers totaling $101 million were processed; $20 million was recovered from Sri Lanka due to a spelling error, but $81 million routed to RCBC in Manila was laundered through the Philippine casino system. The attackers deployed custom malware that patched SWIFT Alliance Access in memory to suppress confirmation messages and modified the database to remove transaction traces.

Subsequent attacks against institutions in Vietnam (Tien Phong Bank, $1.1 million attempted), Ecuador (Banco del Austro, $12 million stolen), and multiple banks across Southeast Asia confirmed a sustained North Korean campaign to generate foreign currency revenue circumventing international sanctions. SWIFT responded with its Customer Security Programme, but the fundamental lesson—that a nation-state actor can penetrate the operational layer of global financial messaging infrastructure—remains critically relevant.

Real-Time Payment System Risks

The global shift toward real-time payments—the UK’s Faster Payments, the Eurozone’s TIPS, SEPA Instant, India’s UPI, and US FedNow—has fundamentally altered fraud dynamics. Legacy batch-processed systems provided natural detection windows; real-time systems compress this to seconds, creating an environment where fraud detection must operate at transaction speed or accept that fund recovery will be functionally impossible. The ECB’s mandate requiring all Eurozone banks to offer SEPA Instant by October 2025 will make real-time payments the default across the single market, with irrevocable settlement, sub-10-second processing, and 24/7 availability creating a fundamentally more favorable operational environment for threat actors.

Cryptocurrency Exchange Targeting

The Lazarus Group alone is assessed to have stolen over $3 billion in cryptocurrency assets between 2017 and 2024. The February 2025 Bybit exchange compromise—approximately $1.5 billion in Ethereum, the largest single cryptocurrency theft in history—demonstrated that even well-resourced exchanges remain vulnerable to sophisticated supply chain attacks targeting multi-signature wallet infrastructure.

ATM Jackpotting and Payment Terminal Compromise

ATM jackpotting has evolved from the pioneering Ploutus and Tyupkin malware into sophisticated attacks targeting the XFS middleware layer common to most ATM manufacturers. Europol’s 2023 arrest of a Cobalt Group-linked ATM jackpotting network that caused over €25 million in losses across 14 European countries demonstrated the operational scale achievable. POS terminal compromise persists in environments where magnetic stripe fallback remains enabled and in e-commerce via Magecart-style JavaScript skimming attacks on payment pages.

Ransomware Impact on Financial Services

Double Extortion with Regulatory Leverage

Modern ransomware groups have developed keen understanding of the regulatory environment surrounding financial institutions. Extortion communications from LockBit, ALPHV/BlackCat, and Cl0p increasingly reference specific regulatory frameworks: threatening GDPR complaints to supervisory authorities, direct notification of affected data subjects, or timing releases to coincide with reporting deadlines. A ransomware attack against a bank triggers concurrent obligations under GDPR (72-hour notification), DORA (major ICT incident reporting), PSD2 (major operational incident notification), and potentially sector-specific regulations across multiple jurisdictions. The implicit calculus presented to victims is straightforward: paying the ransom is cheaper than the aggregate regulatory penalties, litigation costs, and reputational damage that data publication triggers.

Recent Incidents

ION Group (LockBit, January 2023) demonstrated ransomware’s systemic disruption potential. ION Trading Technologies, whose Cleared Derivatives platform processes approximately 80% of US cleared derivatives trades, was compromised on January 31, 2023. Major brokerages including ABN AMRO and Intesa Sanpaolo were forced to resort to manual trade processing for over five days. The incident crystallized the risk of concentration in financial technology supply chains—a single vendor’s compromise disrupting market operations across multiple exchanges and clearinghouses simultaneously.

ICBC Financial Services (LockBit, November 2023) escalated ransomware to the world’s largest bank. The US broker-dealer subsidiary of ICBC ($5.7 trillion in assets) was hit on November 8, 2023, disrupting its ability to clear US Treasury trades—the world’s most important fixed-income market. The firm was temporarily forced to send settlement data to counterparties via USB drives by courier. The incident prompted the SEC and Treasury Department to accelerate cybersecurity requirement reviews for Treasury market participants.

Financial Sector Ransom Dynamics

Analysis of 47 confirmed ransom negotiations involving financial sector victims between January 2023 and December 2024 reveals that initial demands averaged 2.3 times those for comparably sized organizations in other sectors, and time-to-payment was 40% shorter—reflecting ransomware operators’ assessment that financial institutions face uniquely compressed recovery time objectives and elevated regulatory exposure.

Insider Threats and Social Engineering

BEC Targeting Financial Transactions

BEC represents the single most costly cybercrime category by aggregate loss. Sophisticated actors—groups tracked as Scattered Canary, Silent Starling, Cosmic Lynx—conduct multi-week reconnaissance, compromising email accounts of intermediaries (law firms, real estate agents, corporate accountants) to insert themselves into legitimate transaction chains at the precise moment large transfers are expected. The financial sector faces acute BEC risk because its transactions are inherently high-value and time-sensitive: a single modified PDF attachment redirecting a commercial real estate closing wire can divert millions through money mule networks before non-receipt is reported days later.

Insider Threat Indicators

The sector’s risk profile is elevated by employee proximity to liquid assets, the complexity of systems creating opportunities to disguise unauthorized transactions within legitimate activity, the value of proprietary trading algorithms and pre-public information, and high turnover rates creating populations of departing employees with detailed system knowledge. Key behavioral indicators identified across Dark Angel’s financial sector engagements include: anomalous after-hours access to customer databases by employees whose roles do not require it; bulk downloads targeting customer financial records; access from unauthorized devices or unusual locations; communications with competitor or threat-actor-affiliated infrastructure; and access patterns correlating with subsequent unauthorized transactions.
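As an added illustration of the behavioral indicators listed above (example code, not part of the original assessment), the following screens constructed access-log records for three of them: after-hours customer-database access by a role that does not need it, access from a device outside the managed fleet, and bulk downloads of customer records aggregated per user per day. The role policy, business-hours window, device naming and thresholds are assumptions.

```python
"""Added example: rule-based screening for insider-threat indicators.
Records, role policy and thresholds are constructed for illustration."""
from collections import defaultdict
from datetime import datetime

# Constructed policy: roles that legitimately read the customer database.
ROLES_WITH_CUSTOMER_DB_ACCESS = {"kyc_analyst", "fraud_ops"}
BUSINESS_HOURS = range(7, 20)        # 07:00-19:59 local time (assumption)
BULK_DOWNLOAD_THRESHOLD = 500        # records per user per day (assumption)
AUTHORISED_DEVICE_PREFIX = "CORP-"   # managed-endpoint hostnames (assumption)

# Constructed access-log records:
# (timestamp, user, role, device, action, records touched)
ACCESS_LOG = [
    ("2025-03-03T10:12:00", "a.khan",  "kyc_analyst", "CORP-LT0412",  "read_customer_db",   40),
    ("2025-03-03T23:41:00", "j.ortiz", "trader",      "CORP-LT0230",  "read_customer_db",   12),
    ("2025-03-03T11:05:00", "m.rossi", "fraud_ops",   "CORP-LT0098",  "read_customer_db",  320),
    ("2025-03-03T11:30:00", "m.rossi", "fraud_ops",   "CORP-LT0098",  "export_customer_db", 450),
    ("2025-03-03T14:02:00", "s.weber", "kyc_analyst", "DESKTOP-9F3A", "read_customer_db",   25),
]


def screen_insider_indicators(records):
    """Return (user, indicator, detail) tuples for each indicator that fires."""
    findings = []
    daily_volume = defaultdict(int)   # (user, date) -> customer records touched
    for ts, user, role, device, action, count in records:
        when = datetime.fromisoformat(ts)
        touches_customer_db = action.endswith("customer_db")

        # Indicator 1: after-hours customer-data access by a role that does not need it.
        if (touches_customer_db
                and role not in ROLES_WITH_CUSTOMER_DB_ACCESS
                and when.hour not in BUSINESS_HOURS):
            findings.append((user, "after_hours_unneeded_access", f"{role} at {ts}"))

        # Indicator 2: access from a device outside the managed fleet.
        if not device.startswith(AUTHORISED_DEVICE_PREFIX):
            findings.append((user, "unauthorised_device", device))

        # Indicator 3: bulk downloads are judged on the daily aggregate, not per event,
        # so a user splitting an export into several pulls still trips the threshold.
        if touches_customer_db:
            daily_volume[(user, when.date())] += count

    for (user, day), total in daily_volume.items():
        if total >= BULK_DOWNLOAD_THRESHOLD:
            findings.append((user, "bulk_download", f"{total} records on {day}"))
    return findings


if __name__ == "__main__":
    for finding in screen_insider_indicators(ACCESS_LOG):
        print(finding)
```

Findings from this screen are triage input, not conclusions: the paragraph's last indicator, correlation with subsequent unauthorized transactions, is the step that turns an anomaly into a case.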

Deepfake Fraud

The most consequential deepfake fraud incident occurred in January 2024 in Hong Kong, where an Arup finance department employee was deceived into transferring $25.6 million (HK$200 million) via a video call in which every other participant was a deepfake. The employee joined a video conference where the CFO and several colleagues appeared to confirm the transaction—all were real-time deepfakes generated from publicly available video. Multi-person video call authentication, a control many treasury departments rely upon, can no longer be considered reliable against sophisticated adversaries. Dark Angel assesses with high confidence that deepfake-enabled financial fraud will increase substantially through 2025–2026, driven by declining generation costs, abundant executive video from earnings calls and conferences, and the difficulty of deploying detection at authorization endpoints.

DORA Compliance and Regulatory Expectations

ICT Risk Management Requirements

DORA, applicable from January 17, 2025, establishes a comprehensive ICT risk management framework under Chapter II (Articles 5–16). Article 13 explicitly requires financial entities to “gather information on vulnerabilities and cyber threats, ICT-related incidents” and assess their impact on digital operational resilience—effectively mandating operational threat intelligence capabilities as a regulatory obligation. The Regulatory Technical Standards specify that financial entities must implement processes for identifying and classifying ICT-related threats based on criticality and likelihood, incorporating external threat intelligence sources, and updating assessments with frequency proportionate to the entity’s risk profile.

Third-Party ICT Service Provider Oversight

DORA Chapter V (Articles 28–44) establishes the most comprehensive third-party ICT risk management framework globally. Financial entities must maintain a register of all ICT provider arrangements, conduct ongoing risk assessments of critical providers, and include contractual provisions addressing security, audit rights, and exit strategies. The European Supervisory Authorities will directly oversee critical ICT third-party service providers (CTPPs)—expected to include major cloud providers, core banking vendors (Temenos, Finastra, FIS), and market data providers. Threat intelligence plays a critical role: entities must monitor the threat landscape affecting their providers, not merely the providers’ security posture. The ION Group incident illustrates precisely why—financial institutions without visibility into threat activity targeting their critical ICT provider were unable to anticipate or prepare for the disruption.

Threat-Led Penetration Testing (TIBER-EU)

DORA Article 26 mandates TLPT for significant financial entities under the TIBER-EU framework. TLPT requires an independent TI provider to produce a targeted threat intelligence report identifying relevant threat actors, their TTPs, and realistic attack scenarios. This report informs red team scope and scenario design, ensuring testing reflects genuine adversary capabilities. The TI provider must cover strategic intelligence (geopolitical context, sector assessment), operational intelligence (actor profiling, campaign tracking), and tactical intelligence (IOCs, detection rules)—creating structured demand for high-quality, sector-specific TI that exceeds generic threat feeds.

How Threat Intelligence Enables DORA Compliance

Across DORA’s five pillars—ICT risk management, incident reporting, resilience testing, third-party risk management, and information sharing—threat intelligence provides the contextual foundation transforming compliance from checkbox exercises into operational capability. ICT risk management without TI is risk management in the dark: an entity can catalogue assets and assess vulnerabilities but cannot evaluate which threats will exploit them, which adversaries are active, or which vectors are being deployed against peers. DORA’s explicit TI requirements reflect regulatory consensus that effective digital operational resilience requires continuous, sector-specific threat awareness.

Sector-Specific Defensive Recommendations

  1. Deploy infostealer log monitoring targeting institutional credential exposure. Establish continuous monitoring of stealer log marketplaces for credentials associated with institutional domains, VPN endpoints, treasury platforms, and privileged access systems. Correlate identified compromises with authentication logs to detect exploitation and trigger immediate credential rotation and session invalidation.
  2. Implement transaction-speed fraud detection for real-time payment systems. Deploy ML-based transaction monitoring capable of evaluating fraud risk within the sub-second processing windows of SEPA Instant and equivalent schemes. Legacy rule-based systems cannot operate at irrevocable real-time settlement speed.
  3. Establish deepfake-resistant transaction authorization protocols. Implement multi-channel, multi-factor verification that does not rely solely on voice or video authentication. Combine video confirmation with out-of-band verification via hardware tokens, cryptographic challenge-response, or code words established through in-person enrollment.
  4. Conduct SWIFT infrastructure security assessments aligned with CSP requirements. Implement all mandatory and advisory SWIFT CSP controls, with particular attention to local environment security, operator access restriction, and real-time monitoring of messaging activity for anomalous transfer patterns.
  5. Build DORA-compliant threat intelligence capabilities. Establish TI functions satisfying DORA’s requirements for continuous ICT threat identification across strategic, operational, and tactical layers. Prepare for TLPT by engaging TI providers capable of TIBER-EU-compliant targeted intelligence reports.
  6. Implement ransomware-specific resilience with regulatory coordination. Develop playbooks addressing concurrent DORA, GDPR, and PSD2 notification obligations. Pre-establish supervisory authority communication channels. Ensure backup systems are architecturally isolated using immutable storage resistant to compromised domain administrator credentials.
  7. Address mobile banking trojan risks through application-layer defense. Implement RASP and mobile application shielding to detect overlay attacks, accessibility service abuse, and ATS operation. Deploy device attestation verifying OS integrity and detecting known banking trojan families before permitting sensitive transactions.
  8. Enhance third-party ICT risk monitoring for critical financial technology providers. Establish continuous monitoring of critical ICT providers’ security posture and threat exposure. Monitor dark web forums and DLS for provider compromise indicators. Develop and regularly test exit strategies for scenarios involving sudden loss of critical third-party services.
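Recommendation 1 asks for stealer-log exposures to be correlated with authentication logs so that rotation and session invalidation follow detection. The following is an added example of that correlation, not code from the original report: it takes constructed stealer-log records and constructed syslog-style authentication lines (both formats are assumptions), keeps only credentials for institutional domains, and reports accounts to rotate, sessions that authenticated after the exposure time, and the source addresses those sessions share.

```python
"""Added example: correlate stealer-log exposures with authentication logs.
Exposure records, log lines, domain and line format are all constructed."""
import re
from datetime import datetime

INSTITUTIONAL_DOMAINS = {"examplebank.invalid"}   # constructed domain (assumption)

# Constructed stealer-log records: (observed_at, captured_url, username)
STEALER_RECORDS = [
    ("2025-03-01T08:00:00", "https://vpn.examplebank.invalid/",           "p.lind@examplebank.invalid"),
    ("2025-03-01T08:00:00", "https://treasury.examplebank.invalid/login", "r.chen@examplebank.invalid"),
    ("2025-03-01T08:00:00", "https://shop.example.invalid/account",       "p.lind@gmail.example"),
]

# Constructed authentication log (assumed key=value format; one event per line)
AUTH_LOG = """\
2025-02-27T09:10:11 vpn-gw01 auth user=p.lind result=success src=203.0.113.9 session=s1
2025-03-02T02:14:52 vpn-gw01 auth user=p.lind result=success src=198.51.100.77 session=s2
2025-03-02T09:01:03 treasury auth user=r.chen result=failure src=198.51.100.77 session=-
2025-03-02T09:03:40 treasury auth user=r.chen result=success src=198.51.100.77 session=s3
2025-03-02T09:05:00 treasury auth user=k.ahmed result=success src=203.0.113.10 session=s4
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth user=(?P<user>\S+) result=(?P<result>\S+) "
    r"src=(?P<src>\S+) session=(?P<session>\S+)$"
)


def exposed_accounts(records):
    """Map institutional usernames to their earliest observed exposure time.
    Credentials for non-institutional domains are skipped (out of scope here)."""
    exposed = {}
    for observed, _url, username in records:
        local, _, domain = username.rpartition("@")
        if domain not in INSTITUTIONAL_DOMAINS:
            continue
        ts = datetime.fromisoformat(observed)
        if local not in exposed or ts < exposed[local]:
            exposed[local] = ts
    return exposed


def correlate(records, auth_log):
    """Return (accounts to rotate, sessions to invalidate, suspect source IPs).

    Every exposed account is rotated regardless of log evidence; only successful
    logins at or after the exposure time are treated as live sessions to kill."""
    exposed = exposed_accounts(records)
    to_rotate = set(exposed)
    to_invalidate, suspect_src = set(), set()
    for line in auth_log.splitlines():
        m = LINE_RE.match(line)
        if not m or m["user"] not in exposed or m["result"] != "success":
            continue
        if datetime.fromisoformat(m["ts"]) >= exposed[m["user"]]:
            to_invalidate.add(m["session"])
            suspect_src.add(m["src"])
    return to_rotate, to_invalidate, suspect_src


if __name__ == "__main__":
    rotate, invalidate, sources = correlate(STEALER_RECORDS, AUTH_LOG)
    print("rotate:", sorted(rotate))
    print("invalidate sessions:", sorted(invalidate))
    print("suspect sources:", sorted(sources))
```

Note that the session from before the exposure date (s1) is left alone, while the two post-exposure logins from the same address are a pivot worth checking against other accounts the log shows from that source.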

Methodology

This sector assessment is produced by Dark Angel’s financial services threat intelligence practice, synthesizing multiple intelligence collection streams.

Incident Data: Analysis of 112 confirmed ransomware incidents and 47 additional cyber incidents affecting financial services organizations between January 2023 and March 2025, sourced from Dark Angel incident response engagements (34 cases), data leak site monitoring (53 active DLS), public disclosures, and regulatory filings.

Credential Intelligence: Continuous monitoring of infostealer log marketplaces including Russian Market, Telegram channels, and Genesis Market successor platforms. The analyzed dataset comprises 2.8 million unique credential pairs targeting financial institution portals in the 12-month period ending March 2025.

Threat Actor Tracking: Continuous monitoring of Lazarus Group, APT38, FIN7, FIN12, Scattered Spider, Cobalt Group, and Silence Group, plus all major RaaS programs with specific analysis of financial sector targeting patterns and ransom dynamics.

Regulatory Analysis: Review of DORA legislative texts and RTS/ITS, ECB TIBER-EU framework, SWIFT CSP requirements, PSD2 SCA technical standards, and supervisory guidance across 18 EU member states and the United Kingdom.

Industry Engagement: Structured intelligence sharing with 42 financial institutions, 8 payment processors, 5 central counterparties, and 12 financial technology vendors. Sources evaluated using the Admiralty Code (A–F reliability, 1–6 credibility). Attribution assessments follow ICD 203 analytic standards with explicit confidence levels.

Protect Your Financial Institution

Dark Angel provides specialized threat intelligence, DORA compliance advisory, TIBER-EU threat intelligence provider services, and incident response capabilities for financial services organizations navigating the sector’s uniquely hostile threat environment.
