Financial Services Sector Sees 43% Surge in Hands-on-Keyboard Intrusions
Financial services organizations are facing a sharp increase in cyberattacks, with hands-on-keyboard intrusions rising by 43% globally as eCrime and nation-state actors intensify their campaigns.

The financial services sector is facing an unprecedented surge in cyber threats, with hands-on-keyboard intrusions rising 43% globally and 48% in North America over the past two years, according to the CrowdStrike 2026 Financial Services Threat Landscape Report. The industry remains the fourth most-targeted sector worldwide, accounting for 12% of all observed malicious activity between April 1, 2025, and March 31, 2026.
eCrime actors have significantly escalated their "big game hunting" operations. During the reporting period, threat actors named 423 financial services entities on dedicated leak sites, representing a 27% increase from the previous year. The adversary group MUTANT SPIDER emerged as the most active threat, driving the highest volume of intrusions and frequently selling access to ransomware operators. Other notable groups include SCATTERED SPIDER, which resumed aggressive ransomware campaigns against insurance firms, and CHATTY SPIDER, which targeted 10 financial services entities as part of a broader data theft and extortion spree.
Geographically focused eCrime also remains a persistent risk. SOLAR SPIDER continues to target financial institutions across Europe, the Middle East, and Asia using transaction-themed lures to deploy remote access tools. Meanwhile, PLUMP SPIDER has maintained a consistent focus on Brazilian financial entities since September 2023, specifically attempting to compromise internal payment systems to facilitate fraudulent transactions.
Nation-state actors, particularly those linked to the Democratic People’s Republic of Korea (DPRK), have scaled their operations to fund military programs through massive digital asset theft. DPRK-nexus groups stole $2.02 billion in cryptocurrency in 2025, a 51% increase over 2024. Notably, the group PRESSURE CHOLLIMA executed the largest single financial theft ever reported, siphoning $1.46 billion through a supply chain compromise involving trojanized software.
These nation-state groups are also refining their social engineering tradecraft. STARDUST CHOLLIMA tripled its operational tempo, utilizing sophisticated tactics such as recruiter impersonation, malicious coding challenges, and synthetic video conferencing environments to deceive employees at fintech firms. Simultaneously, China-nexus adversaries continue to pose a significant intelligence collection threat, frequently targeting edge devices to gain access to regional financial systems and economic data, particularly in South and Southeast Asia.
The report underscores a shift toward more complex, persistent threats that leverage both advanced technical exploits and high-fidelity social engineering. As these adversaries continue to evolve their tactics—potentially incorporating AI to make deception campaigns more convincing—financial institutions are urged to prioritize defensive measures that can anticipate and mitigate these accelerating threats.