CrowdStrike's 2026 Financial Services Threat Landscape Report warns that DPRK-nexus adversaries increased digital asset theft in 2025 while using AI to accelerate attacks against the financial sector. The company also said China-nexus espionage activity remains a major intelligence-collection risk, and that ransomware-related intrusions continue to intensify.
Theft rises sharply in 2025
CrowdStrike’s report says DPRK-nexus groups drove a 51% year-over-year increase in digital asset theft across the financial sector during 2025, with $2.02 billion in reported thefts.
It identifies PRESSURE CHOLLIMA as responsible for the largest reported financial theft—$1.46 billion in cryptocurrency—linked to trojanized software delivered through a supply-chain compromise.
CrowdStrike also describes GOLDEN CHOLLIMA as using “recruitment-themed” lures to divert funds and obtain access to cloud environments at fintechs, citing activity across Southeast Asia and Canada.
AI deception lowers the “time-to-impact”
Beyond theft volume, CrowdStrike argues AI is changing attackers’ operational tempo by reducing the time between initial access and impact. The company alleges FAMOUS CHOLLIMA used AI-generated identities to double its operations, infiltrating cryptocurrency exchanges, fintech platforms, and consumer banks.
It further claims STARDUST CHOLLIMA tripled its operational pace by deploying AI-generated recruiter personas and synthetic video-conferencing environments to target fintechs across North America, Europe, and Asia.
China-nexus espionage threat remains prominent
CrowdStrike said China-nexus adversaries pose the most significant intelligence collection threat. It cites HOLLOW PANDA intrusions against financial institutions in the Philippines, Indonesia, and Brazil.
The report also highlights MURKY PANDA, describing an “operational relay box network” spanning more than 150 endpoints in 36 countries, targeting 340 organizations across more than 30 sectors, with financial services among the most frequently targeted.
Ransomware/eCrime pressure rises via leak sites and vishing
The report also points to heightened downstream consequences for financial firms. CrowdStrike states 423 financial services organizations appeared on dedicated leak sites, a 27% year-over-year increase.
It attributes the highest intrusion volume to MUTANT SPIDER, saying it used vishing to drive access before selling it to ransomware groups. CrowdStrike also claims SCATTERED SPIDER resumed aggressive ransomware activity against insurance entities in the first half of 2025 after a four-month pause.
