More than one million online banking accounts were compromised by infostealer malware in 2025, with stolen credentials freely circulated on dark web marketplaces, according to a new report by Kaspersky.

The findings, published in Kaspersky’s Financial Threat Report 2025, point to a structural shift in financial cybercrime: attackers are moving away from traditional PC banking malware and increasingly relying on infostealers, social engineering, and dark web data ecosystems to commit banking fraud.

Infostealer Detections Surge 59%

Kaspersky recorded a 59% increase in infostealer detections on PCs globally between 2024 and 2025. These tools harvest login credentials, browser cookies, bank card numbers, and cryptocurrency wallet data, which are then aggregated and sold — or freely shared — on dark web forums.

Of the payment cards compromised by infostealer malware and identified by Kaspersky’s Digital Footprint Intelligence (DFI) team in 2025, 74% remained valid as of March 2026, indicating that stolen financial data retains value for months or years after the initial breach. The countries with the highest median number of compromised banking accounts per bank were India, Spain, and Brazil.

Financial Phishing Shifts Toward E-Commerce Lures

Traditional phishing has not disappeared but is evolving in form. Pages impersonating e-commerce platforms accounted for 48.5% of financial phishing detections in 2025, up 10.3 percentage points from 2024. Bank-impersonation pages fell to 26.1% — a decline Kaspersky attributes to financial institutions becoming harder to convincingly spoof — while payment system impersonation rose to 25.5%.

Regional patterns vary. In the Middle East, 85.8% of financial phishing was concentrated on e-commerce lures. Africa saw bank-related phishing lead at 53.75%, which Kaspersky suggests may reflect weaker account security protections in the region. The Asia Pacific region showed a more even spread across all three categories.

Mobile Threats on the Rise

While PC banking malware continued its multi-year decline, mobile financial malware grew 1.5 times in 2025 compared to 2024, consistent with the broader shift toward mobile-first banking among consumers.

Polina Tretyak, a Digital Footprint Intelligence analyst at Kaspersky, described the dark web as a self-reinforcing engine for financial fraud.

“The dark web has become a central hub for financial cybercrime. Stolen credentials and bank cards that have been harvested by infostealers are aggregated, repackaged, and sold there, while phishing kits targeted at users of financial products are offered as ready-to-use services. This creates a self-sustaining ecosystem where data theft and fraud operations reinforce each other, making attacks scalable and easy to carry out by fraudsters with minimal experience.”

The full report is available on Securelist.