CrowdStrike Report Shows How AI Drives Fintech Cyber Attacks

Adam Meyers, Head of Counter Adversary Operations at CrowdStrike
CrowdStrike 2026 Financial Services Threat Landscape Report shows rising cyber risks across fintech, from AI-driven fraud to identity attacks

Holding high-value assets, financial institutions remain prime targets – especially for big game hunting (BGH) cybercriminals seeking fast, high-impact payouts.

Dissecting the many threats facing this sector, CrowdStrike’s 2026 Financial Services Threat Landscape Report underscores a sharp escalation in sophisticated cyberattacks aimed at banks, fintechs and cryptocurrency platforms worldwide.

The report paints an increasingly concerning picture for the industry, with organisations facing a surge in AI-driven deception, digital asset theft and identity-based attacks – threats that are becoming progressively harder to detect.

According to the findings, hands-on-keyboard intrusions targeting financial institutions have risen by 43% globally over the past two years, climbing to 48% across North America.
CrowdStrike attributes much of this increase to threat actors exploiting trusted identities and software-as-a-service applications to circumvent traditional security controls.

Motivations for targeting financial services entities | Credit: CrowdStrike

“Financial services organisations face threats from every direction and AI is making each of them harder to stop,” says Adam Meyers, Head of Counter Adversary Operations at CrowdStrike.

“The cost to create convincing identities, automate reconnaissance and accelerate credential theft is near zero.” 

Billions stolen by North Korea-nexus threat actors 

Among the most striking findings was the scale of cryptocurrency theft linked to North Korea-aligned threat actors.

CrowdStrike found that DPRK-linked groups were responsible for an estimated US$2.02bn in stolen assets across the sector – a 51% year-on-year increase in digital asset theft compared to 2025.

“This figure represents the largest collective theft of digital assets among all tracked adversaries in 2025,” the report says.

“Stolen proceeds are almost certainly laundered to fund the regime’s military programmes.”

What CrowdStrike identifies as the “most acute threat” within the DPRK ecosystem is Pressure Chollima.

The group is notorious for the Bybit hack – the largest recorded financial theft in history – which saw US$1.46bn in cryptocurrency siphoned off using trojanised software distributed via a supply chain compromise.

Another actor, Golden Chollima, deploys recruitment-themed lures to redirect cryptocurrency funds and infiltrate cloud environments at fintech firms across Southeast Asia and Canada.

As expected, the report points to the rapid adoption of AI by threat actors, who are leveraging it to scale operations and enhance deception techniques.

AI-generated personas, fake recruiters and synthetic video conferencing environments are now common tactics used to penetrate financial institutions.


CrowdStrike also finds that the most active North Korean adversary, Famous Chollima, has doubled its operational output through the use of AI-generated identities to access cryptocurrency exchanges, fintech platforms and consumer banks.

Meanwhile, Stardust Chollima tripled its activity in the final quarter of 2025, targeting fintech companies across North America, Europe and Asia.

AI is also compressing the time between initial access and active compromise – accelerating the path to financial impact and intensifying pressure on already stretched security teams.

“Adversaries are using AI to compress the time from initial access to impact, moving through trusted paths faster than legacy defences can respond,” Adam says.

“To close that gap, defenders have to meet AI with AI – pairing intelligence with hunting to outpace the adversary.”

China-linked espionage and eCrime 

Moving beyond North Korean cyber activity, the report identifies China-linked adversaries as a significant threat, particularly in the context of intelligence gathering across the financial services sector.

Hollow Panda carried out intrusions against institutions in countries including the Philippines, Indonesia and Brazil by “exploiting Check Point VPN appliances and deploying ShadowPad malware”. 

Top adversary threats to the financial services sector | Credit: CrowdStrike

Meanwhile, Murky Panda deployed a large operational relay box network spanning more than 150 endpoints across 36 countries.

According to CrowdStrike, the network targeted 340 organisations across more than 30 industries, with financial services emerging as the most frequently targeted sector.

Financially motivated cybercrime groups are also intensifying pressure on the industry, with 423 financial services organisations appearing on dedicated leak sites in 2025 – a 27% year-on-year increase.

Mutant Spider was highlighted as a key driver of intrusion activity, leveraging large-scale vishing campaigns before selling access on to ransomware operators.

CrowdStrike also notes that Scattered Spider resumed its aggressive ransomware campaigns against insurance firms in the first half of 2025, following a four-month pause in operations.
