Now Live: The CrowdStrike 2026 Financial Services Threat Landscape Report

The financial services industry is the fourth most-targeted sector globally, accounting for 12% of all observed activity. eCrime and nation-state adversaries spanning all motivations target these organizations due to their unique convergence of valuable assets, strategic intelligence, and geopolitical significance.

The CrowdStrike 2026 Financial Services Threat Landscape Report presents analysis from the CrowdStrike Intelligence team detailing key themes, trends, and events shaping the financial services threat landscape from April 1, 2025 through March 31, 2026. It delivers information organizations need to anticipate threats and strengthen their defenses as attacks continue to evolve.

As these threats continue to accelerate — hands-on-keyboard intrusions against financial institutions jumped 43% globally and 48% in North America in the past two years — businesses must understand them in order to stop them. Here, we share an overview of the report’s key findings.

Learn more: Download the CrowdStrike 2026 Financial Services Threat Landscape Report

eCrime Pressure on Financial Services Intensifies

eCrime activity targeting the sector shifted in 2025. Big game hunting (BGH) threat actors named 423 financial services entities on dedicated leak sites, a 27% jump from the year prior. 

MUTANT SPIDER was the most active eCrime threat to the industry; the adversary drove the highest volume of intrusions during the reporting period and likely sold access to ransomware operators. CrowdStrike also observed SCATTERED SPIDER resuming aggressive ransomware operations against insurance entities in 2025 following a significant pause. This marked a return to one of its historically common targeting patterns.

Below are a few examples of additional observed eCrime activity during the reporting period:

• CHATTY SPIDER conducted high-tempo data theft and extortion campaigns, mostly targeting legal and financial services firms. The adversary named and leaked data belonging to 41 victims, among them 14 law firms and 10 financial services entities.
• SOLAR SPIDER continued to target financial institutions in Europe, the Middle East, South Asia, and Southeast Asia using financial transaction-themed lures to entice targets into downloading various remote access tools.
• PLUMP SPIDER has consistently targeted Brazilian financial entities since at least September 2023 by attempting to gain access to internal payment systems and conduct fraudulent transactions.

Nation-State Adversaries Scale Theft and Deception

Democratic People’s Republic of Korea (DPRK)-nexus groups sustained operations targeting cryptocurrency and fintech entities. DPRK-nexus groups stole $2.02 billion in digital assets in 2025, a 51% increase from 2024¹; stolen funds directly support the regime’s military programs. PRESSURE CHOLLIMA stole $1.46 billion in cryptocurrency through trojanized software distributed via supply chain compromise — the largest single financial theft ever reported.

DPRK-nexus threat actors increased operational tempo and advanced their social engineering tradecraft against financial entities. FAMOUS CHOLLIMA doubled their operations while continuing to target cryptocurrency exchanges, fintech platforms, and traditional banks. STARDUST CHOLLIMA tripled their operational tempo, using recruiter impersonation, malicious coding challenges, and synthetic video conferencing environments to target fintechs across North America, Europe, and Asia. AI tools could make these tactics more efficient, convincing, and harder to detect.

China-nexus adversaries posed the most significant intelligence collection threat to financial services organizations, especially those in South and Southeast Asia. This focus likely indicates an interest in accessing regional financial systems and economic intelligence across multiple developing markets.

The below operations used consistent China-nexus tactics, techniques, and procedures (TTPs) such as exploiting edge devices, conducting DLL search-order hijacking, using compromised infrastructure for command-and-control communications, and targeting cloud environments. 

• HOLLOW PANDA targeted financial institutions in South America and Southeast Asia
• VAULT PANDA operated across multiple regions, deploying KEYPLUG malware via DLL search-order hijacking and targeting financial institutions and supporting entities.
• GENESIS PANDA targeted a Southeast Asia-based financial entity and North American fintech organization, deploying VShell implants and FScan utilities and using infrastructure linked to prior China-nexus operations.
• MURKY PANDA deployed a unique Chinese operational relay box (ORB) network to access Microsoft 365 email accounts from more than 150 IP addresses in 36 countries. Their activity targeted 340 organizations across more than 30 sectors; financial services was among their most frequently targeted sectors.

The trends outlined in this report create operational risk for financial services businesses. Ransomware pressure on high-availability operations, sustained intelligence collection, and continued digital asset theft often unfold quickly across trusted access paths. As AI models advance, adversaries are likely to increase the sophistication, scale, and speed of their operations. 

Defenders need intelligence-led visibility and continuous hunting, as well as the ability to act quickly with context. CrowdStrike Counter Adversary Operations combines threat intelligence, managed threat hunting, and trillions of telemetry events from the AI-powered CrowdStrike Falcon® platform to detect, disrupt, and stop evasive adversaries. 

Additional Resources

• Download the CrowdStrike 2026 Financial Services Threat Landscape Report.
• Dive deeper into topics like this at Fal.Con 2026 with expert-led sessions, hands-on training, and real-world insights.
• Tune in to the Adversary Universe podcast, where CrowdStrike experts reveal the threat actors behind the latest cyberattacks.

¹ https://www.chainalysis.com/blog/crypto-hacking-stolen-funds-2026/