SecurityBrief Asia - Technology news for CISOs & cybersecurity decision-makers
North Korea-linked hackers stole USD $2.02 billion

Thu, 14th May 2026
Sofiah Nichole Salivio, News Editor

CrowdStrike has published its 2026 Financial Services Threat Landscape Report, which found that North Korea-linked attackers stole USD $2.02 billion in digital assets in 2025.

The report said hands-on-keyboard intrusions against financial institutions rose 43% globally over the past two years, as attackers increasingly used trusted identities and software-as-a-service applications to access sensitive data while evading traditional security tools.

Drawing on intelligence tracking of more than 280 named adversaries, the report highlighted rising theft, espionage and ransomware activity across banks, fintech groups, cryptocurrency exchanges and insurers.

North Korea-linked groups were identified as a major source of digital asset theft, driving a 51% year-on-year increase in 2025.

One incident linked to PRESSURE CHOLLIMA accounted for USD $1.46 billion in cryptocurrency losses. CrowdStrike described it as the largest financial theft yet reported. The theft was carried out through trojanised software distributed in a supply chain compromise.

Another North Korean group, GOLDEN CHOLLIMA, used recruitment-themed lures to divert cryptocurrency funds and gain access to cloud environments at fintech companies in Southeast Asia and Canada, the report found.

The report also described a broader shift towards the use of artificial intelligence in intrusion campaigns. North Korea-linked operators used AI-generated identities, recruiter personas and synthetic video conferencing settings to target cryptocurrency exchanges, fintech platforms and consumer banks.

FAMOUS CHOLLIMA was said to have doubled its operations using AI-generated identities, while STARDUST CHOLLIMA tripled its operational tempo with AI-generated recruiter personas and synthetic video meeting environments across North America, Europe and Asia.

Espionage threat

Chinese state-linked activity was described as the most significant intelligence-gathering threat facing the financial services sector. China-linked groups expanded operations against financial organisations in several regions.

HOLLOW PANDA was linked to intrusions at financial institutions in the Philippines, Indonesia and Brazil. MURKY PANDA deployed an operational relay box network across more than 150 endpoints in 36 countries, targeting 340 organisations in more than 30 sectors, with financial services among the most frequently targeted.

The findings also pointed to growing pressure from criminal groups using ransomware and extortion tactics. In 2025, 423 financial services organisations appeared on dedicated leak sites, up 27% from a year earlier.

MUTANT SPIDER drove the highest intrusion volume through voice phishing campaigns before selling the resulting access to ransomware groups. The report said this access-selling model allowed follow-on ransomware attacks to proceed more quickly.

In the first half of 2025, SCATTERED SPIDER resumed ransomware activity against insurance entities after a four-month pause, adding pressure to one of the sector's most targeted segments.

Identity focus

A central theme of the report was the growing use of valid identities and legitimate access routes. Rather than relying only on malware or software exploits, attackers were moving through trusted user accounts and cloud services to reduce the chance of detection.

That trend matters for financial institutions, which rely heavily on cloud platforms, external software services and large networks of employees, contractors and partners. The use of stolen or fabricated identities can make hostile activity resemble ordinary business traffic.

Adam Meyers, Head of Counter Adversary Operations at CrowdStrike, said the spread of AI tools was lowering the cost of deception and speeding up attacks.

"Financial services organizations face threats from every direction and AI is making each of them harder to stop. The cost to create convincing identities, automate reconnaissance, and accelerate credential theft is near zero," Meyers said.

He said attackers were moving faster once they had initial access.

"Adversaries are using AI to compress the time from initial access to impact, moving through trusted paths faster than legacy defenses can respond. To close that gap, defenders have to meet AI with AI - pairing intelligence with hunting to outpace the adversary," he said.