Now Live: The CrowdStrike 2026 Financial Services Threat Landscape Report

___ BLOG Featured Recent Video Category Start Free Trial Now Live: The CrowdStrike 2026 Financial Services Threat Landscape Report Financial services organizations face a threat landscape defined by stealthy access, exploitation of vulnerable devices, and intrusions targeting theft, extortion, and intelligence collection. May 14, 2026 | Counter Adversary Operations | Threat Hunting & Intel The financial services industry is the fourth most-targeted sector globally, accounting for 12% of all observed activity. eCrime and nation-state adversaries spanning all motivations target these organizations due to their unique convergence of valuable assets, strategic intelligence, and geopolitical significance. The CrowdStrike 2026 Financial Services Threat Landscape Report presents analysis from the CrowdStrike Intelligence team detailing key themes, trends, and events shaping the financial services threat landscape from April 1, 2025 through March 31, 2026. It delivers information organizations need to anticipate threats and strengthen their defenses as attacks continue to evolve. As these threats continue to accelerate — hands-on-keyboard intrusions against financial institutions jumped 43% globally and 48% in North America in the past two years — businesses must understand them in order to stop them. Here, we share an overview of the report’s key findings. Learn more: Download the CrowdStrike 2026 Financial Services Threat Landscape Report eCrime Pressure on Financial Services Intensifies eCrime activity targeting the sector shifted in 2025. Big game hunting (BGH) threat actors named 423 financial services entities on dedicated leak sites, a 27% jump from the year prior.  MUTANT SPIDER was the most active eCrime threat to the industry; the adversary drove the highest volume of intrusions during the reporting period and likely sold access to ransomware operators. CrowdStrike also observed SCATTERED SPIDER resuming aggressive ransomware operations against insurance entities in 2025 following a significant pause. This marked a return to one of its historically common targeting patterns. Below are a few examples of additional observed eCrime activity during the reporting period: CHATTY SPIDER conducted high-tempo data theft and extortion campaigns, mostly targeting legal and financial services firms. The adversary named and leaked data belonging to 41 victims, among them 14 law firms and 10 financial services entities. SOLAR SPIDER continued to target financial institutions in Europe, the Middle East, South Asia, and Southeast Asia using financial transaction-themed lures to entice targets into downloading various remote access tools. PLUMP SPIDER has consistently targeted Brazilian financial entities since at least September 2023 by attempting to gain access to internal payment systems and conduct fraudulent transactions. Nation-State Adversaries Scale Theft and Deception Democratic People’s Republic of Korea (DPRK)-nexus groups sustained operations targeting cryptocurrency and fintech entities. DPRK-nexus groups stole $2.02 billion in digital assets in 2025, a 51% increase from 20241; stolen funds directly support the regime’s military programs. PRESSURE CHOLLIMA stole $1.46 billion in cryptocurrency through trojanized software distributed via supply chain compromise — the largest single financial theft ever reported. DPRK-nexus threat actors increased operational tempo and advanced their social engineering tradecraft against financial entities. FAMOUS CHOLLIMA doubled their operations while continuing to target cryptocurrency exchanges, fintech platforms, and traditional banks. STARDUST CHOLLIMA tripled their operational tempo, using recruiter impersonation, malicious coding challenges, and synthetic video conferencing environments to target fintechs across North America, Europe, and Asia. AI tools could make these tactics more efficient, convincing, and harder to detect. China-nexus adversaries posed the most significant intelligence collection threat to financial services organizations, especially those in South and Southeast Asia. This focus likely indicates an interest in accessing regional financial systems and economic intelligence across multiple developing markets. The below operations used consistent China-nexus tactics, techniques, and procedures (TTPs) such as exploiting edge devices, conducting DLL search-order hijacking, using compromised infrastructure for command-and-control communications, and targeting cloud environments.  HOLLOW PANDA targeted financial institutions in South America and Southeast Asia VAULT PANDA operated across multiple regions, deploying KEYPLUG malware via DLL search-order hijacking and targeting financial institutions and supporting entities. GENESIS PANDA targeted a Southeast Asia-based financial entity and North American fintech organization, deploying VShell implants and FScan utilities and using infrastructure linked to prior China-nexus operations. MURKY PANDA deployed a unique Chinese operational relay box (ORB) network to access Microsoft 365 email accounts from more than 150 IP addresses in 36 countries. Their activity targeted 340 organizations across more than 30 sectors; financial services was among their most frequently targeted sectors. The trends outlined in this report create operational risk for financial services businesses. Ransomware pressure on high-availability operations, sustained intelligence collection, and continued digital asset theft often unfold quickly across trusted access paths. As AI models advance, adversaries are likely to increase the sophistication, scale, and speed of their operations.  Defenders need intelligence-led visibility and continuous hunting, as well as the ability to act quickly with context. CrowdStrike Counter Adversary Operations combines threat intelligence, managed threat hunting, and trillions of telemetry events from the AI-powered CrowdStrike Falcon® platform to detect, disrupt, and stop evasive adversaries.  Additional Resources Download the CrowdStrike 2026 Financial Services Threat Landscape Report. Dive deeper into topics like this at Fal.Con 2026 with expert-led sessions, hands-on training, and real-world insights. Tune in to the Adversary Universe podcast, where CrowdStrike experts reveal the threat actors behind the latest cyberattacks. 1 https://www.chainalysis.com/blog/crypto-hacking-stolen-funds-2026/ Tweet Share CrowdStrike 2026 Global Threat Report AI threats have reached a critical turning point. Access the definitive look at the cyber threat landscape. Download Related Content CrowdStrike Named a Leader in the First-Ever Gartner® Magic Quadrant™ for Cyberthreat Intelligence Technologies CrowdStrike Launches Falcon OverWatch for Defender Tune In: The Future of AI-Powered Vulnerability Discovery CATEGORIES Agentic SOC 51 Cloud & Application Security 144 Data Security 22 Endpoint Security & XDR 354 Engineering & Tech 87 Executive Viewpoint 180 Exposure Management 119 From The Front Lines 204 Next-Gen Identity Security 68 Next-Gen SIEM & Log Management 113 Public Sector 42 Securing AI 30 Threat Hunting & Intel 217 CONNECT WITH US FEATURED ARTICLES May 14, 2026 May 13, 2026 May 06, 2026 May 05, 2026 SUBSCRIBE Sign up now to receive the latest notifications and updates from CrowdStrike. Sign Up CrowdStrike Named a Leader in the First-Ever Gartner® Magic Quadrant™ for Cyberthreat Intelligence Technologies Copyright © 2026 CrowdStrike Privacy Request Info Blog Contact Us 1.888.512.8906 Accessibility Privacy Preference Center Privacy Preference Center Your Privacy Strictly Necessary Cookies Performance Cookies Functional Cookies Targeting Cookies Your Privacy When you visit any website, it may store or retrieve information on your browser, mostly in the form of cookies. This information might be about you, your preferences, or your device, and is mostly used to make the site work as you expect. The information does not usually identify you directly, but it can give you a more personalized web experience. Because we respect your right to privacy, you can choose not to allow some types of cookies. Click on the different category headings to learn more and change our default settings. Blocking some types of cookies may impact your experience of the site and the services we are able to offer. More information Strictly Necessary Cookies Always Active These cookies are necessary for the website to function and cannot be switched off in our systems. They may be set in response to actions made by you which amount to a request for services, such as setting your privacy preferences, logging in or filling in forms. You can set your browser to block or alert you about these cookies, but some parts of the site will not then work. These cookies may process limited personal information, such as technical or device identifiers, where necessary to ensure the security, functionality, and integrity of the website or web portal. Such processing is strictly limited to what is required for these purposes and is not used for advertising or marketing. Cookies Details Performance Cookies Performance Cookies These cookies allow us to count visits and traffic sources so we can measure and improve the performance of our site. They help us to know which pages are the most and least popular and see how visitors move around the site. All information these cookies collect is aggregated and therefore does not identify you. If you do not allow these cookies, your visit to our website will not be included in our analytics, and our ability to monitor website performance and make improvements will be reduced. Cookies Details Functional Cookies Functional Cookies These cookies enable the website to provide enhanced functionality and personalisation. They may be set by us or by third party providers whose services we have added to our pages. If you do not allow these cookies then some or all of these services may not function properly. Cookies Details Targeting Cookies Targeting Cookies These cookies may be set on our site by our advertising partners. They assign a unique identifier to your browser or device and may track your activity across sites to build a profile of your interests and show you relevant adverts on other sites. If you do not allow these cookies, you will still see ads, but they may be less relevant to you. Cookies Details Cookie List Consent Leg.Interest checkbox label label checkbox label label checkbox label label Clear checkbox label label Apply Cancel Confirm My Choices Allow All