CrowdStrike Report Shows North Korea & China Linked Threats

Holding assets of great value, financial institutions are lucrative targets, particularly for big game hunting (BGH) cybercriminals trying to make a quick buck.
Dissecting the many threats facing this sector, CrowdStrike has published its 2026 Financial Services Threat Landscape Report, which highlights a steep rise in sophisticated cyberattacks targeting banks, fintechs and cryptocurrency platforms around the globe.
Emerging from the report is a concerning picture for the sector, threatened by AI-powered deception, digital asset theft and identity-based attacks, each of which is becoming increasingly difficult to detect.
The findings reveal that hands-on-keyboard intrusions against financial institutions have surged 43% globally compared with the past two years, a figure that rises to 48% for institutions in North America.
CrowdStrike's report attributes much of this growth to adversaries exploiting trusted identities and software-as-a-service applications to bypass traditional security systems.
“Financial services organisations face threats from every direction and AI is making each of them harder to stop,” says Adam Meyers, Head of Counter Adversary Operations at CrowdStrike.
“The cost to create convincing identities, automate reconnaissance and accelerate credential theft is near zero.”
Billions stolen by North Korea-nexus threat actors
One of the most astonishing findings was the scale of cryptocurrency theft linked to North Korea-aligned threat actors.
CrowdStrike revealed that DPRK-linked groups stole an estimated US$2.02bn across the sector – a 51% year-on-year increase in digital asset theft compared to 2025.
“This figure represents the largest collective theft of digital assets among all tracked adversaries in 2025,” the report notes. “Stolen proceeds are almost certainly laundered to fund the regime’s military programs.”
CrowdStrike names Pressure Chollima as the “most acute threat” among DPRK adversaries.
The group is infamous for the Bybit hack – the largest known financial theft ever recorded – which saw US$1.46bn in cryptocurrency cleaned out using trojanised software distributed via a supply chain compromise.
Another actor, Golden Chollima, uses recruitment-themed lures to redirect cryptocurrency funds and infiltrate cloud environments at fintech firms in Southeast Asia and Canada.
As expected, the report documents the rapid adoption of AI by threat actors, who are deploying it to scale operations and improve deception tactics. AI-generated personas, fake recruiters and synthetic video conferencing environments are common tactics these gangs use to infiltrate financial institutions.
The most active North Korean adversary, Famous Chollima, has doubled the volume of its operations, CrowdStrike finds, thanks to the AI-generated identities it uses to gain access to cryptocurrency exchanges, fintech platforms and consumer banks.
Stardust Chollima tripled its operational activity in the last quarter of 2025, targeting fintech companies across North America, Europe and Asia.
AI has significantly reduced the time it takes attackers to move from initial access to active compromise and ultimately financial impact – increasing pressure on security teams already struggling with evolving threats.
“Adversaries are using AI to compress the time from initial access to impact, moving through trusted paths faster than legacy defences can respond. To close that gap, defenders have to meet AI with AI – pairing intelligence with hunting to outpace the adversary,” Adam says.
China-linked espionage and eCrime
Beyond North Korean cybercrime, the report identifies China-linked adversaries as a major threat, chiefly from the perspective of intelligence gathering on the financial services industry.
Hollow Panda conducted intrusions against institutions in countries including the Philippines, Indonesia and Brazil by “exploiting Check Point VPN appliances and deploying ShadowPad malware”.
Murky Panda, meanwhile, deployed a large operational relay box (ORB) network spanning more than 150 endpoints across 36 countries. CrowdStrike says that the network targeted 340 organisations across more than 30 industries, with financial services ranking as the most frequently targeted.
Financially motivated cybercrime groups continue to increase pressure on the industry, with the report finding that 423 financial services organisations appeared on dedicated leak sites in 2025, marking a 27% year-on-year increase.
Mutant Spider was identified as a key driver of intrusion activity, gaining access through large-scale vishing campaigns before selling that access on to ransomware operators.
CrowdStrike also noted that Scattered Spider resumed its aggressive ransomware attacks against insurance firms during the first half of 2025 after pausing operations for four months.