CrowdStrike 2026 Financial Services Threat Landscape Report: North Korean Adversaries Steal Billions in Digital Assets
News | 14.05.2026
While the financial sector is exploring the business potential of generative AI, cyber adversaries have already industrialized it.
The newly released CrowdStrike 2026 Financial Services Threat Landscape Report uncovers a stark reality: hands-on-keyboard intrusions have spiked by over 40%, and digital asset thefts now total billions of dollars.
Attackers are weaponizing advanced AI to bypass legacy security systems and compress the timeline from initial access to full impact.
As the official value-added distributor of CrowdStrike across the Caucasus and Central Asia (including Kazakhstan, Uzbekistan, Georgia, Azerbaijan, and other regional markets), Softprom highlights the critical insights from this global study to help our partners and clients navigate these evolving multi-vector threats.
AUSTIN, Texas – May 14, 2026 – CrowdStrike (NASDAQ: CRWD) today released the CrowdStrike 2026 Financial Services Threat Landscape Report, revealing that DPRK-nexus adversaries stole billions in digital assets in 2025 while industrializing cybercrime with AI-powered deception.
Hands-on-keyboard intrusions against financial institutions spiked 43% globally and 48% in North America over the past two years, as adversaries exploited trusted identities and SaaS applications to evade legacy defenses.
CrowdStrike Financial Services Threat Landscape Report Highlights:
Based on frontline intelligence from CrowdStrike Counter Adversary Operations tracking more than 280 named adversaries, the report reveals:
- Digital Asset Theft Hits Record Levels: DPRK-nexus actors drove a 51% year-over-year increase in digital asset theft in 2025, stealing a reported $2.02 billion across the sector. PRESSURE CHOLLIMA conducted the largest financial theft ever reported: $1.46 billion in cryptocurrency through trojanized software distributed via a supply chain compromise. GOLDEN CHOLLIMA used recruitment-themed lures to divert cryptocurrency funds and access cloud environments at fintechs in Southeast Asia and Canada.
- DPRK Scales Deception with AI: DPRK-nexus actors used AI to scale operations against the sector. FAMOUS CHOLLIMA doubled its operations using AI-generated identities to infiltrate cryptocurrency exchanges, fintech platforms, and consumer banks. STARDUST CHOLLIMA tripled its operational tempo, deploying AI-generated recruiter personas and synthetic video conferencing environments to target fintechs across North America, Europe, and Asia.
- China-Nexus Espionage Scales Globally: China-nexus adversaries posed the most significant intelligence collection threat. HOLLOW PANDA conducted intrusions at financial institutions in the Philippines, Indonesia, and Brazil. MURKY PANDA deployed an operational relay box network across more than 150 endpoints in 36 countries, targeting 340 organizations across more than 30 sectors, with financial services among the most frequently targeted.
- eCrime Pressure on the Sector Intensifies: 423 financial services organizations appeared on dedicated leak sites, marking a 27% increase year-over-year. MUTANT SPIDER drove the highest intrusion volume through vishing campaigns, then sold access to ransomware groups, enabling faster and more scalable attacks. In the first half of 2025, SCATTERED SPIDER resumed aggressive ransomware operations against insurance entities after a four-month pause.
Financial services organizations face threats from every direction, and AI is making each of them harder to stop. The cost to create convincing identities, automate reconnaissance, and accelerate credential theft is near zero. Adversaries are using AI to compress the time from initial access to impact, moving through trusted paths faster than legacy defenses can respond. To close that gap, defenders have to meet AI with AI – pairing intelligence with hunting to outpace the adversary.
The findings of the 2026 Threat Landscape Report clearly indicate that financial organizations can no longer rely on legacy, reactive security architectures. The compression of time between initial access and impact requires an immediate shift toward AI-driven, proactive defense mechanisms. As the leading value-added distributor of CrowdStrike in Central Asia and the Caucasus, Softprom delivers advanced cloud-native protection via the CrowdStrike Falcon® platform to enterprises and financial institutions across the region.
Our certified technical experts provide deployment guidance, local support, and tailored architecture design to help organizations meet AI threats with autonomous intelligence.
Contact the Softprom team today to strengthen your financial infrastructure and prevent multi-vector breaches.