CrowdStrike: AI Puts Financial Sector in the Crosshairs

Financial institutions remain lucrative targets for big-game-hunting (BGH) cybercriminals seeking quick payouts, because the institutions hold assets of immense value.
CrowdStrike’s 2026 Financial Services Threat Landscape Report finds that hands-on-keyboard intrusions have surged 43% globally over the past two years, rising to 48% for North American firms.
The report attributes much of this growth to adversaries exploiting trusted identities and software-as-a-service applications to bypass traditional defences.
Adam Meyers, Head of Counter Adversary Operations at CrowdStrike, says: “Financial services organisations face threats from every direction and AI is making each of them harder to stop.
“The cost to create convincing identities, automate reconnaissance and accelerate credential theft is near zero.”
North Korea-linked crypto theft reaches record levels
One of the report’s most alarming findings is the scale of cryptocurrency theft linked to Democratic People’s Republic of Korea (DPRK) adversaries.
In 2025, DPRK-linked groups are estimated to have stolen US$2.02bn across the sector, a 51% year-on-year increase that CrowdStrike assesses to be the largest collective theft of digital assets by any tracked adversary that year.
CrowdStrike states that these proceeds are almost certainly laundered to fund the regime’s military programmes, underscoring the geopolitical impact of financial cybercrime.
Pressure Chollima is identified as the most acute DPRK threat and is tied to the Bybit hack, the largest known financial theft on record, which drained US$1.46bn in cryptocurrency using trojanised software delivered via a supply chain compromise.
Golden Chollima uses recruitment-themed lures to reroute cryptocurrency funds and to infiltrate cloud environments at fintechs in Southeast Asia and Canada.
Famous Chollima, described as the most active North Korean adversary, doubles its operational tempo by using AI-generated identities to gain access to cryptocurrency exchanges, fintech platforms and consumer banks.
Stardust Chollima tripled its activity in the fourth quarter of 2025, targeting fintech companies across North America, Europe and Asia.
AI tools compress the path from access to impact
Threat actors are rapidly adopting AI to scale operations and sharpen deception, making intrusions faster and harder to detect.
AI-generated personas, fake recruiters and synthetic video conferencing environments are now common tools to gain trust and initial access.
According to the report, AI significantly reduces the time attackers take to move from initial access to active compromise and then financial impact, increasing pressure on already stretched security teams.
Meyers says: “Adversaries are using AI to compress the time from initial access to impact, moving through trusted paths faster than legacy defences can respond.
“To close that gap, defenders have to meet AI with AI, pairing intelligence with hunting to outpace the adversary.”
China-linked espionage and eCrime intensify
Beyond DPRK-led theft, the report spotlights China-linked adversaries that pursue intelligence on the financial sector.
Hollow Panda conducts intrusions against institutions in the Philippines, Indonesia and Brazil by exploiting Check Point VPN appliances and deploying ShadowPad malware.
Murky Panda operates a large operational relay box network spanning more than 150 endpoints across 36 countries, targeting 340 organisations in more than 30 industries, with financial services the most frequently hit.
Financially motivated groups continue to escalate attacks. In 2025, 423 financial services organisations appeared on dedicated leak sites, a 27% year-on-year increase.
Mutant Spider drives intrusion activity through large-scale vishing campaigns, selling access to ransomware operators and raising the risk of follow-on extortion.
CrowdStrike also notes that Scattered Spider resumed aggressive ransomware attacks against insurance firms during the first half of 2025 after a four-month pause in operations.
The takeaway for defenders
The sector sits at the nexus of fast-moving, AI-enabled threats that blend identity abuse, supply chain compromise, cloud intrusion and high-stakes crypto theft.
As adversaries industrialise operations and compress timelines, financial institutions need AI-driven detection, proactive threat hunting and identity-first controls to keep pace.
CrowdStrike’s assessment underlines the importance of reducing attacker dwell time, hardening access to software-as-a-service and cloud environments, and strengthening supply-chain risk management.
With AI lowering the cost of convincing social engineering, security leaders should prioritise controls that verify identity continuously and monitor for anomalous behaviour in real time.