Financially motivated attacks continued to drive the bulk of cyber incidents against banks, insurers, and payment processors in 2025. Approximately 90% of breaches affecting financial institutions carried a financial motive, with data breaches accounting for roughly 64% of incidents and ransomware making up the remaining 36%. The average cost of a data breach in the sector reached $5.56 million per incident, placing finance second among all industries by breach cost.
Personal data was the most frequently compromised category, appearing in 54% of cases. Internal organizational data accounted for 35% of compromised data, and credentials for 22%. Attackers used that access to enable downstream fraud, credential resale, and persistent network presence.
The methods used to gain initial access remained consistent with prior years. Hacking techniques accounted for 45% of breaches, malware for 37%, and social engineering for 25%.
AI accelerated attacker timelines
Threat actors integrated AI into multiple stages of the attack lifecycle in 2025, including reconnaissance, vulnerability discovery, and post-compromise activity. Automated vulnerability scanning powered by machine learning compressed the time between vulnerability disclosure and active exploitation, creating pressure on institutions running large, heterogeneous IT environments.
Advanced malware observed during the year showed an ability to alter behavior dynamically during execution, responding to detected security controls. This category of adaptive malware complicated signature-based detection and increased dwell time across compromised networks.
Generative AI had a pronounced effect on fraud and social engineering operations. Phishing campaigns, business email compromise, and invoice fraud schemes leveraged AI-generated content that was contextually accurate and linguistically fluent, eliminating many of the indicators that traditional email filtering relied upon. Deepfake voice and video impersonation of executives and relationship managers appeared in documented cases, with attackers pressuring employees into authorizing transactions or disclosing sensitive information.
Fraud-as-a-service offerings on underground markets lowered the barrier to entry for less technically skilled actors, sustaining high success rates across campaigns targeting financial institutions.
A separate but related risk emerged from unmanaged AI adoption within organizations. Shadow AI, defined as AI models or applications deployed without formal security assessment or governance, accounted for approximately 20% of AI-related breaches in 2025. Among organizations that experienced AI-related security incidents, 97% lacked adequate AI access controls.
Third-party exposure became systemic
Supply chain compromise was identified as a contributing factor in approximately 30% of breaches affecting financial institutions in 2025, a marked increase over prior years. File transfer solutions, managed service platforms, and API-based services were frequent entry points due to their privileged access to sensitive data.
Several large U.S. banks, including JPMorgan Chase, Citigroup, and Morgan Stanley, assessed customer data exposure following a breach at a shared third-party service provider during the year. The incident triggered regulatory response and customer impact analysis across multiple institutions that had no direct intrusion of their own systems.
The cryptocurrency exchange Bybit suffered a $1.5 billion theft after attackers exploited weaknesses in third-party wallet infrastructure involved in transaction signing.
Ransomware shifted toward data exfiltration
Ransomware affected approximately 12.8% of B2B financial organizations in 2025. Attackers increasingly combined encryption with data exfiltration, threatening public disclosure to apply additional pressure. Variants including Akira, Datacarry, and BlackLock were among the most frequently observed targeting European financial institutions.
Throughout the year, ransomware activity against U.S. financial institutions increasingly prioritized data exfiltration over system encryption. Even when banking services remained operational, stolen data triggered mandatory disclosure obligations, regulator engagement, and extended investigations.
Hacktivists and state actors added operational pressure
Banks accounted for approximately 69% of hacktivist attacks targeting the financial sector in 2025. Groups including NoName057(16), Keymous+, and DarkStorm Team ran DDoS campaigns against European financial institutions, with attack peaks correlating with elections and periods of heightened political tension.
State-aligned advanced persistent threat actors continued targeting financial institutions for intelligence collection and strategic positioning, using zero-day vulnerabilities and long-term access strategies. Geopolitical instability sustained elevated levels of disruptive activity across the sector throughout the year.

