
North Korean Hackers Stole $2 Billion in Digital Assets Last Year


CrowdStrike's 2026 Financial Services Threat Landscape Report has found that North Korean state-linked adversaries stole US$2.02 billion in digital assets in 2025, a 51% year-on-year increase, as DPRK-nexus groups used artificial intelligence to industrialise financial cybercrime at scale.

The report, based on intelligence tracking more than 280 named adversaries, also found that hands-on-keyboard (interactive) intrusions against financial institutions rose 43% globally over the past two years, while the number of financial services organisations posted to ransomware leak sites hit a record 423, a 27% increase year-on-year.

DPRK actors scale fraud with AI

The group designated PRESSURE CHOLLIMA carried out what CrowdStrike describes as the largest financial theft ever recorded: US$1.46 billion in cryptocurrency stolen through trojanised software delivered via a supply chain compromise. A separate group, GOLDEN CHOLLIMA, used recruitment-themed lures to divert cryptocurrency funds and gain access to cloud environments at fintechs in Southeast Asia and Canada.

DPRK-nexus actors also used AI to expand their operational reach. FAMOUS CHOLLIMA doubled its activity volume by deploying AI-generated identities to infiltrate cryptocurrency exchanges, fintech platforms, and consumer banks. STARDUST CHOLLIMA tripled its operational tempo using AI-generated recruiter personas and synthetic video conferencing environments to target fintechs across North America, Europe, and Asia.

China-nexus actors targeting Southeast Asia

The report identifies China-nexus adversaries as the most significant intelligence threat to financial organisations in Southeast Asia. The group HOLLOW PANDA has been conducting multi-year infiltration campaigns in Indonesia and the Philippines, with the goal of mapping regional investment strategies, economic management, and resource allocation. MURKY PANDA deployed a relay network across more than 150 endpoints in 36 countries, targeting 340 organisations across more than 30 sectors.

Ransomware and eCrime pressure intensifies

On the eCrime front, MUTANT SPIDER drove the highest intrusion volume, gaining initial access through vishing (voice phishing) campaigns and then selling that access to ransomware groups, which let ransomware operators move faster and at greater scale. SCATTERED SPIDER resumed aggressive ransomware operations against insurance entities in the first half of 2025, following a four-month operational pause.

“Financial services organisations face threats from every direction and AI is making each of them harder to stop. Adversaries are using AI to compress the time from initial access to impact, moving through trusted paths faster than legacy defences can respond. To close that gap, defenders have to meet AI with AI — pairing intelligence with hunting to outpace the adversary.” — Adam Meyers, Head of Counter Adversary Operations, CrowdStrike

The full report is available on the CrowdStrike website.
