
North Korean cyberattacks rise 51% as hackers turn to AI, report says


CrowdStrike has warned that financial services companies are facing faster and more complex cyber threats, with North Korean-linked hackers stealing billions of dollars in digital assets while criminal and state-backed groups increasingly use artificial intelligence to speed up attacks.

The cybersecurity company said in its 2026 Financial Services Threat Landscape Report that DPRK-linked actors stole a reported $2.02 billion in digital assets in 2025, a 51% increase from the previous year, as hackers shifted toward higher-value targets across cryptocurrency, fintech and digital asset platforms.

More groups, more methods, bigger losses

CrowdStrike said North Korean-linked groups remained one of the most aggressive threats to financial services, with their activity concentrated heavily around cryptocurrency exchanges, blockchain firms, fintech platforms and digital asset managers.

The report said Pressure Chollima carried out the largest financial theft ever reported, stealing $1.46 billion in cryptocurrency via trojanized software delivered by a supply chain compromise. The group also deployed PipeWarped, described by CrowdStrike as the most technically advanced DPRK-linked malware it has observed so far.

Other North Korean-linked groups expanded their operations through social engineering and cloud-focused attacks. Golden Chollima used recruitment-themed lures to divert cryptocurrency funds and gain access to cloud environments at fintech companies in Southeast Asia and Canada.

Stardust Chollima tripled its operational tempo, targeting fintech and cryptocurrency workers across North America, Europe and Asia with fake recruiter profiles, malicious coding tests and staged video conferencing environments.

CrowdStrike said Famous Chollima also doubled its operations using AI-generated identities to infiltrate cryptocurrency exchanges, fintech platforms and consumer banks. The activity reflects a broader shift in which North Korean actors are using fewer campaigns to pursue larger payouts, while relying on deception, trusted access paths and software supply chain compromise to increase the impact of each operation.

[Figure: Financial services sector subcomponents]

AI lowers the cost of deception

The report said artificial intelligence is making social engineering harder to detect by helping threat actors produce more convincing identities, automate reconnaissance and accelerate credential theft.

Adam Meyers, CrowdStrike’s head of counter adversary operations, said attackers are using AI to reduce the time between initial access and impact. He said the cost of creating convincing identities, automating reconnaissance and speeding up credential theft is now close to zero, forcing defenders to respond with AI-driven intelligence and threat hunting.

CrowdStrike said AI-enabled tactics are particularly dangerous for the financial sector because attackers often exploit trusted workflows rather than relying only on malware. Help desk impersonation, voice phishing, fake recruitment campaigns and MFA reset abuse can give threat actors access to systems that appear legitimate to traditional defenses.

That risk is rising as financial institutions also expand their own use of AI across customer support, fraud operations, software development and internal workflows. CrowdStrike warned that these deployments can widen the attack surface if identity controls, data access and model-related systems are not properly secured.

Nearly $600M in crypto hacks heightens AI concerns

The CrowdStrike findings come as separate reports said AI-powered crypto hacks stole nearly $600 million in just two attacks last month, with investigators linking the exploits to North Korean hacking groups.

The attacks targeted Drift Protocol and Kelp DAO, allegedly draining more than $280 million from Drift Protocol and almost $300 million from Kelp DAO.

Investigators said they suspect the attackers used artificial intelligence to help select targets and design the exploits, raising concerns that AI could make crypto attacks faster, more targeted and harder for traditional defenses to stop.

Interactive intrusions surge across financial firms

Financial institutions saw a sharp rise in hands-on-keyboard attacks, with global interactive intrusions increasing 43% over the past two years. In North America, the increase reached 48%, and the region accounted for more than half of all observed intrusions targeting the sector in the first quarter of 2026.

CrowdStrike said financial services ranked as the fourth most targeted sector by the first quarter of 2026, making up 12% of total observed activity. The sector remains attractive because it holds valuable financial assets, payment data, cryptocurrency holdings, business intelligence and personally identifiable customer information.

The report said eCrime actors accounted for 75% of interactive intrusions against financial services between April 2025 and March 2026, while state-sponsored attackers accounted for 25%. The most heavily targeted countries included Australia, Brazil, Canada, India, Indonesia, Israel, Ukraine, the United Kingdom and the United States.

Ransomware pressure mounts

CrowdStrike said ransomware and extortion pressure also increased, with 423 financial services organizations appearing on dedicated leak sites during the reporting period, up 27% from the previous year.

Mutant Spider was identified as the most active threat to the financial services sector, driving the highest volume of intrusions and likely selling access to ransomware operators. The group relied heavily on voice phishing campaigns over Microsoft Teams, often impersonating internal IT support to trick users into resetting credentials and multifactor authentication controls.

Scattered Spider also resumed aggressive ransomware operations against insurance companies in the second quarter of 2025 after a four-month pause. CrowdStrike said the group continued to use help desk social engineering, impersonating legitimate employees to gain access before pivoting into SaaS applications to search for credentials, documents and data that could support lateral movement or extortion.

[Figure: Financial services sector threat landscape, April 1, 2025, to March 31, 2026]

Initial access brokers remained part of the threat ecosystem, though public advertisements for access to financial services companies fell 40%. CrowdStrike said that decline may not mean reduced risk, as access sales may be shifting into private partnerships between brokers and ransomware operators.

China-linked espionage expands globally

CrowdStrike said China-linked groups posed the most significant intelligence collection threat to financial services firms, particularly in South and Southeast Asia.

Hollow Panda conducted confirmed intrusions at financial institutions in the Philippines, Indonesia and Brazil, targeting organizations with access to economic data, investment strategies and financial intelligence. The group likely exploited Check Point VPN appliances and deployed ShadowPad malware to maintain covert access.

[Figure: Financial services sector intrusion breakdown, April 1, 2025, to March 31, 2026]

Murky Panda used an operational relay box network across more than 150 IP addresses in 36 countries to access Microsoft 365 email accounts. The campaign targeted 340 organizations across more than 30 sectors, with financial services among the most frequently targeted.

Other China-linked groups, including Vault Panda and Genesis Panda, targeted financial institutions and fintech organizations using malware, compromised infrastructure and cloud-native evasion techniques. CrowdStrike said the activity reflects China’s interest in economic intelligence, personal data and information that can support downstream espionage.

Financial sector faces multidimensional threat

CrowdStrike said the 2026 threat environment for financial services is defined by the convergence of criminal, state-backed and ideological activity.

Hacktivist groups conducted distributed denial-of-service attacks, defacements and data breach operations tied to geopolitical conflicts, including the Russia-Ukraine war, Middle East conflicts and India-Pakistan tensions.

Pro-Russia group Bounty Jackal was among the most active DDoS operators, targeting European entities, including financial services companies, with near-daily campaigns.

CrowdStrike says reactive defenses are no longer enough

The report said financial institutions should strengthen identity verification around password resets, MFA changes, remote support and privileged accounts. It also urged firms to prioritize edge device patching, secure cloud and SaaS identities, harden developer environments and monitor high-value systems such as payment platforms, digital asset workflows and sensitive data stores.
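The help desk impersonation and MFA reset abuse described above leaves a recognisable trace in identity-provider audit logs: a password or MFA reset, often performed by a support actor rather than the user, followed shortly by a sign-in from a location the user has never used. The script below is an added example, not CrowdStrike's or the report's own tooling; it runs a simple correlation rule over constructed audit events in a hypothetical schema (`type`, `user`, `actor`, `ip`, `country`) and escalates findings where the reset was assisted by someone other than the account owner.

```python
"""Correlate credential/MFA resets with sign-ins from unfamiliar locations.

Added example; the event schema and all sample data below are constructed
for illustration and do not come from CrowdStrike or any real tenant.
"""
from datetime import datetime, timedelta

RESET_TYPES = {"password_reset", "mfa_reset"}

# Constructed identity-provider audit events (hypothetical schema).
# alice: MFA reset over a support call, then a sign-in from a new country.
# bob: self-service password reset, then a sign-in from his usual IP.
EVENTS = [
    {"ts": "2026-03-02T09:00:00", "type": "signin", "user": "alice", "ip": "203.0.113.10", "country": "US"},
    {"ts": "2026-03-03T09:05:00", "type": "signin", "user": "alice", "ip": "203.0.113.10", "country": "US"},
    {"ts": "2026-03-04T14:10:00", "type": "mfa_reset", "user": "alice", "actor": "helpdesk-01", "channel": "teams-call"},
    {"ts": "2026-03-04T14:25:00", "type": "mfa_enrolled", "user": "alice", "method": "authenticator"},
    {"ts": "2026-03-04T14:31:00", "type": "signin", "user": "alice", "ip": "198.51.100.77", "country": "BR"},
    {"ts": "2026-03-01T08:00:00", "type": "signin", "user": "bob", "ip": "203.0.113.55", "country": "US"},
    {"ts": "2026-03-04T10:00:00", "type": "password_reset", "user": "bob", "actor": "bob", "channel": "self-service"},
    {"ts": "2026-03-04T10:02:00", "type": "signin", "user": "bob", "ip": "203.0.113.55", "country": "US"},
]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def find_post_reset_anomalies(events, window=timedelta(hours=24), baseline=timedelta(days=30)):
    """Return one finding per sign-in that follows a reset within `window`
    and comes from an IP the user had not used during `baseline` before it.

    A user with no sign-ins in the baseline period has an empty history, so
    every post-reset sign-in is flagged; tune `baseline` to your retention.
    """
    ordered = sorted(events, key=_ts)
    findings = []
    for reset in ordered:
        if reset["type"] not in RESET_TYPES:
            continue
        user, t0 = reset["user"], _ts(reset)

        # Baseline: IPs and countries this user signed in from before the reset.
        known_ips, known_countries = set(), set()
        for e in ordered:
            if e["type"] == "signin" and e["user"] == user and t0 - baseline <= _ts(e) < t0:
                known_ips.add(e["ip"])
                known_countries.add(e["country"])

        # Reset performed by anyone other than the account owner = assisted
        # path (help desk, support bot), which is where impersonation lands.
        assisted = reset.get("actor") != user

        for e in ordered:
            if e["type"] != "signin" or e["user"] != user:
                continue
            t1 = _ts(e)
            if not (t0 < t1 <= t0 + window):
                continue
            if e["ip"] in known_ips:
                continue  # familiar source, no finding
            severity = "high" if e["country"] not in known_countries else "medium"
            if assisted and severity == "medium":
                severity = "high"
            findings.append({
                "user": user,
                "reset_type": reset["type"],
                "reset_actor": reset.get("actor"),
                "channel": reset.get("channel"),
                "reset_ts": reset["ts"],
                "signin_ts": e["ts"],
                "ip": e["ip"],
                "country": e["country"],
                "assisted": assisted,
                "severity": severity,
                "minutes_after_reset": int((t1 - t0).total_seconds() // 60),
            })
    return findings


if __name__ == "__main__":
    for f in find_post_reset_anomalies(EVENTS):
        print(f"[{f['severity']}] {f['user']}: {f['reset_type']} by {f['reset_actor']} "
              f"via {f['channel']}, sign-in {f['minutes_after_reset']} min later "
              f"from {f['ip']} ({f['country']})")
```

Only alice produces a finding: her MFA reset was performed by a support actor over a call and the next sign-in came from an IP and country absent from her 30-day history. Bob's self-service reset followed by a sign-in from his usual IP is ignored. In a real deployment the same rule would be fed from the identity provider's audit export, and a high-severity hit is a natural trigger for the out-of-band identity re-verification the report recommends.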

CrowdStrike said the sector can no longer rely on reactive defenses as threat actors move faster through trusted systems and use AI to scale deception. The company said financial firms need continuous, intelligence-led defense and proactive hunting to detect intrusions before initial access turns into theft, extortion or disruption.

About The Coin Headlines

The Coin Headlines strives to bring trust into crypto media. At a time when every soundbite and headline can move the markets from red to green and vice-versa, The Coin Headlines promises to bring verified, credible and timely news and analysis from the world of crypto, blockchain, Web3, tech and markets. Founded in 2026, The Coin Headlines is based in the UAE with a team of experienced journalists and editors covering breaking news and updates from around the world.

From covering the biggest events to interviewing some of the most popular KOLs in the industry, The Coin Headlines keeps you informed of the latest trends and insights.

At The Coin Headlines our focus is clear: real-time news updates, market movements, whale transfers, macroeconomic trends, tech, AI and geopolitical breaking news. The news we report goes through a strict editorial audit before it's published to ensure readers only get verified and credible information. We realize the world of crypto is dynamic, volatile and, many times, confusing. At The Coin Headlines we break down these complex issues into simple articles which cater not just to the experienced trader but also to the student and first-time investor who wants to understand the space before committing to it.