Now Live: CrowdStrike 2026 Financial Services Threat Landscape Report BLOG Featured Now Live: The CrowdStrike 2026 Financial Services Threat Landscape Report May 14, 2026 Falcon AIDR Detects Threats at the Prompt Layer in Kubernetes AI Applications May 13, 2026 May 2026 Patch Tuesday: 30 Critical Vulnerabilities Among 130 CVEs May 12, 2026 Inside CrowdStrike Automated Leads: A Transformative Approach to Threat Detections May 11, 2026 Recent Video Video Highlights the 4 Key Steps to Successful Incident Response Dec 02, 2019 Helping Non-Security Stakeholders Understand ATT&CK in 10 Minutes or Less [VIDEO] Feb 21, 2019 Analyzing Targeted Intrusions Through the ATT&CK Framework Lens [VIDEO] Jan 22, 2019 Qatar’s Commercial Bank Chooses CrowdStrike Falcon®: A Partnership Based on Trust [VIDEO] Aug 20, 2018 Category Agentic SOC How Charlotte AI AgentWorks Fuels Security's Agentic Ecosystem 03/25/26 CrowdStrike Services and Agentic MDR Put the Agentic SOC in Reach 03/24/26 4 Ways Businesses Use CrowdStrike Charlotte AI to Transform Security Operations 03/12/26 Inside the Human-AI Feedback Loop Powering CrowdStrike’s Agentic Security 02/10/26 Cloud & Application Security 05/13/26 CrowdStrike Named a Leader in Frost & Sullivan 2026 Radar for Cloud-Native Application Protection Platforms 04/27/26 CrowdStrike Expands Real-Time Cloud Detection and Response to Google Cloud 04/22/26 CrowdStrike Falcon Cloud Security Delivered 264% ROI Through Unified Cloud Protection Threat Hunting & Intel 05/14/26 CrowdStrike Named a Leader in the First-Ever Gartner® Magic Quadrant™ for Cyberthreat Intelligence Technologies 05/06/26 CrowdStrike Launches Falcon OverWatch for Defender 05/05/26 Tune In: The Future of AI-Powered Vulnerability Discovery 05/01/26 Endpoint Security & XDR 05/11/26 CrowdStrike Falcon Platform Achieves 441% ROI in Three Years 04/21/26 Falcon for IT Supports Windows Secure Boot Certificate Lifecycle Management 04/01/26 Enhanced Network Visibility: A Dive into the Falcon macOS Sensor's New Capabilities 03/11/26 Engineering & Tech EMBER2024: Advancing the Training of Cybersecurity ML Models Against Evasive Malware 09/03/25 Falcon Platform Prevents COOKIE SPIDER’s SHAMOS Delivery on macOS 08/20/25 CrowdStrike’s Approach to Better Machine Learning Evaluation Using Strategic Data Splitting 08/11/25 CrowdStrike Researchers Develop Custom XGBoost Objective to Improve ML Model Release Stability 03/20/25 Executive Viewpoint Frontier AI Is Collapsing the Exploit Window.
Here’s How Defenders Must Respond. 04/20/26 Frontier AI for Defenders: CrowdStrike and OpenAI TAC 04/16/26 Anthropic Claude Mythos Preview: The More Capable AI Becomes, the More Security It Needs 04/06/26 The Architecture of Agentic Defense: Inside the Falcon Platform 01/16/26 From The Front Lines CrowdStrike Technical Risk Assessments Reveal Common Exposure Patterns 05/04/26 Introducing the CrowdStrike Shadow AI Visibility Service CrowdStrike Flex for Services Expands Access to Elite Security Expertise From Scanner to Stealer: Inside the trivy-action Supply Chain Compromise 03/20/26 Next-Gen Identity Security Detecting CVE-2026-20929: Kerberos Authentication Relay via CNAME Abuse 03/31/26 CrowdStrike FalconID Brings Phishing-Resistant MFA to Falcon Next-Gen Identity Security 02/26/26 CrowdStrike Named a Customers’ Choice in 2026 Gartner® Peer Insights™ Voice of the Customer for User Authentication 02/12/26 CrowdStrike to Acquire Seraphic to Secure Work in Any Browser 01/13/26 Next-Gen SIEM & Log Management Falcon Next-Gen SIEM Supports Third-Party EDR Tools, Starting with Microsoft Defender 03/23/26 Falcon Next-Gen SIEM Simplifies Onboarding with Sensor-Native Log Collection 03/06/26 Exposing Insider Threats through Data Protection, Identity, and HR Context 02/18/26 How to Scale SOC Automation with Falcon Fusion SOAR 02/11/26 Public Sector CrowdStrike Innovates to Modernize National Security and Protect Critical Systems 03/18/26 Falcon Platform for Government Now Offers Falcon for XIoT to Secure Connected Assets CrowdStrike Achieves FedRAMP® High Authorization 03/19/25 NHS Matures Healthcare Cybersecurity with NCSC’s CAF Assurance Model 03/13/25 Exposure Management 05/12/26 April 2026 Patch Tuesday: Two Zero-Days and Eight Critical Vulnerabilities Among 164 CVEs 04/14/26 How CrowdStrike Is Accelerating Exposure Evaluation as Adversaries Gain Speed 04/05/26 March 2026 Patch Tuesday: Eight Critical Vulnerabilities and Two Publicly Disclosed Among 82 CVEs Patched 03/10/26 Securing AI CrowdStrike Expands ChatGPT Enterprise Integration with Enhanced Audit Logging and Activity Monitoring 04/28/26 New CrowdStrike Innovations Secure AI Agents and Govern Shadow AI Across Endpoints, SaaS, and Cloud Secure Homegrown AI Agents with CrowdStrike Falcon AIDR and NVIDIA NeMo Guardrails 03/19/26 Introducing "AI Unlocked: Decoding Prompt Injection," a New Interactive Challenge Data Security Falcon Data Security Secures Data Wherever It Lives and Moves Falcon Data Protection for Cloud Extends DSPM into Runtime 11/20/25 CrowdStrike Stops GenAI Data Leaks with Unified Data Protection 09/18/25 Q&A: How Mastronardi Produce Secures Innovation with CrowdStrike 02/14/25 Start Free Trial Financial services organizations face a threat landscape defined by stealthy access, exploitation of vulnerable devices, and intrusions targeting theft, extortion, and intelligence collection.
Counter Adversary Operations The financial services industry is the fourth most-targeted sector globally, accounting for 12% of all observed activity. eCrime and nation-state adversaries spanning all motivations target these organizations due to their unique convergence of valuable assets, strategic intelligence, and geopolitical significance. The CrowdStrike 2026 Financial Services Threat Landscape Report presents analysis from the CrowdStrike Intelligence team detailing key themes, trends, and events shaping the financial services threat landscape from April 1, 2025 through March 31, 2026.
It delivers information organizations need to anticipate threats and strengthen their defenses as attacks continue to evolve. As these threats continue to accelerate — hands-on-keyboard intrusions against financial institutions jumped 43% globally and 48% in North America in the past two years — businesses must understand them in order to stop them. Here, we share an overview of the report’s key findings.
Learn more: Download the CrowdStrike 2026 Financial Services Threat Landscape Report eCrime Pressure on Financial Services Intensifies eCrime activity targeting the sector shifted in 2025. Big game hunting (BGH) threat actors named 423 financial services entities on dedicated leak sites, a 27% jump from the year prior. MUTANT SPIDER was the most active eCrime threat to the industry; the adversary drove the highest volume of intrusions during the reporting period and likely sold access to ransomware operators.
CrowdStrike also observed SCATTERED SPIDER resuming aggressive ransomware operations against insurance entities in 2025 following a significant pause. This marked a return to one of its historically common targeting patterns. Below are a few examples of additional observed eCrime activity during the reporting period: CHATTY SPIDER conducted high-tempo data theft and extortion campaigns, mostly targeting legal and financial services firms.
The adversary named and leaked data belonging to 41 victims, among them 14 law firms and 10 financial services entities. SOLAR SPIDER continued to target financial institutions in Europe, the Middle East, South Asia, and Southeast Asia using financial transaction-themed lures to entice targets into downloading various remote access tools. PLUMP SPIDER has consistently targeted Brazilian financial entities since at least September 2023 by attempting to gain access to internal payment systems and conduct fraudulent transactions.
Nation-State Adversaries Scale Theft and Deception Democratic People’s Republic of Korea (DPRK)-nexus groups sustained operations targeting cryptocurrency and fintech entities. DPRK-nexus groups stole $2.02 billion in digital assets in 2025, a 51% increase from 2024 1 ; stolen funds directly support the regime’s military programs. PRESSURE CHOLLIMA stole $1.46 billion in cryptocurrency through trojanized software distributed via supply chain compromise — the largest single financial theft ever reported.
DPRK-nexus threat actors increased operational tempo and advanced their social engineering tradecraft against financial entities. FAMOUS CHOLLIMA doubled their operations while continuing to target cryptocurrency exchanges, fintech platforms, and traditional banks. STARDUST CHOLLIMA tripled their operational tempo, using recruiter impersonation, malicious coding challenges, and synthetic video conferencing environments to target fintechs across North America, Europe, and Asia.
AI tools could make these tactics more efficient, convincing, and harder to detect. China-nexus adversaries posed the most significant intelligence collection threat to financial services organizations, especially those in South and Southeast Asia. This focus likely indicates an interest in accessing regional financial systems and economic intelligence across multiple developing markets. The below operations used consistent China-nexus tactics, techniques, and procedures (TTPs) such as exploiting edge devices, conducting DLL search-order hijacking, using compromised infrastructure for command-and-control communications, and targeting cloud environments.
HOLLOW PANDA targeted financial institutions in South America and Southeast Asia VAULT PANDA operated across multiple regions, deploying KEYPLUG malware via DLL search-order hijacking and targeting financial institutions and supporting entities. GENESIS PANDA targeted a Southeast Asia-based financial entity and North American fintech organization, deploying VShell implants and FScan utilities and using infrastructure linked to prior China-nexus operations.
MURKY PANDA deployed a unique Chinese operational relay box (ORB) network to access Microsoft 365 email accounts from more than 150 IP addresses in 36 countries. Their activity targeted 340 organizations across more than 30 sectors; financial services was among their most frequently targeted sectors. The trends outlined in this report create operational risk for financial services businesses. Ransomware pressure on high-availability operations, sustained intelligence collection, and continued digital asset theft often unfold quickly across trusted access paths.
As AI models advance, adversaries are likely to increase the sophistication, scale, and speed of their operations. Defenders need intelligence-led visibility and continuous hunting, as well as the ability to act quickly with context. CrowdStrike Counter Adversary Operations combines threat intelligence, managed threat hunting, and trillions of telemetry events from the AI-powered CrowdStrike Falcon® platform to detect, disrupt, and stop evasive adversaries.
Additional Resources Download the CrowdStrike 2026 Financial Services Threat Landscape Report . Dive deeper into topics like this at Fal.Con 2026 with expert-led sessions, hands-on training, and real-world insights. Tune in to the Adversary Universe podcast , where CrowdStrike experts reveal the threat actors behind the latest cyberattacks. 1
https://www.chainalysis.com/blog/crypto-hacking-stolen-funds-2026/ Related Content Categories CONNECT WITH US FEATURED ARTICLES May 06, 2026 May 05, 2026 SUBSCRIBE Sign up now to receive the latest notifications and updates from CrowdStrike. Sign Up See CrowdStrike Falcon ® in Action Detect, prevent, and respond to attacks— even malware-free intrusions—at any stage, with next-generation endpoint protection. See Demo Privacy Request Info Contact Us 1.888.512.8906 Accessibility