Cyber Threats in Finance: 2025’s Rising Risks and Evolving Attack Tactics
In 2025, financially motivated cyberattacks dominated the financial sector, driving 90% of breaches targeting banks, insurers, and payment processors. Data breaches accounted for 64% of incidents, with ransomware making up the remaining 36%. The average cost of a breach in finance reached $5.56 million per incident, the second-highest across all industries.
Personal data was the most frequently compromised asset (54% of cases), followed by internal organizational data (35%) and credentials (22%). Attackers leveraged stolen information for fraud, credential resale, and persistent network access. Initial access methods remained consistent, with hacking (45%), malware (37%), and social engineering (25%) as the primary vectors.
AI Accelerates Attack Timelines and Fraud
AI integration reshaped cyber threats in 2025, compressing the window between vulnerability disclosure and exploitation. Machine learning-powered scanning tools enabled faster reconnaissance, while adaptive malware evaded signature-based detection by dynamically altering behavior in response to security controls. Generative AI amplified social engineering, producing contextually accurate phishing emails, deepfake impersonations, and fraudulent invoices that bypassed traditional filters. Fraud-as-a-service offerings on underground markets further lowered the barrier to entry for less skilled attackers.
Unmanaged AI adoption within organizations, termed shadow AI, contributed to 20% of AI-related breaches. Among affected institutions, 97% lacked adequate access controls for AI systems.
Third-Party Risks Escalate
Supply chain compromises played a role in 30% of financial sector breaches, a significant increase from prior years. Vulnerable file transfer solutions, managed service platforms, and APIs served as common entry points. A breach at a shared third-party provider exposed customer data at major U.S. banks, including JPMorgan Chase, Citigroup, and Morgan Stanley, prompting regulatory scrutiny. Cryptocurrency exchange Bybit suffered a $1.5 billion theft after attackers exploited weaknesses in third-party wallet infrastructure.
Ransomware Shifts to Data Exfiltration
Ransomware impacted 12.8% of B2B financial organizations, with attackers prioritizing data exfiltration over encryption. Variants like Akira, Datacarry, and BlackLock targeted European institutions, while U.S. attacks increasingly focused on stealing sensitive data to trigger regulatory disclosures and investigations, even when systems remained operational.
Hacktivists and State Actors Intensify Pressure
Hacktivist groups, including NoName057(16) and DarkStorm Team, launched DDoS campaigns against banks, particularly during elections and periods of geopolitical tension. State-aligned advanced persistent threat (APT) actors continued targeting financial institutions for intelligence gathering, exploiting zero-day vulnerabilities and maintaining long-term access. Geopolitical instability sustained elevated levels of disruptive activity throughout the year.
Source: https://www.helpnetsecurity.com/2026/04/22/financial-sector-cyber-threats-report/
Citi cybersecurity rating report: https://www.rankiteo.com/company/citi
JPMorganChase cybersecurity rating report: https://www.rankiteo.com/company/jpmorganchase
{
  "id": "CITJPM1776832106",
  "linkid": "citi, jpmorganchase",
  "type": "Breach",
  "date": "1/2025",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}